Microsoft admits to signing a malicious rootkit driver

Microsoft said on Friday that it mistakenly signed and approved for use a series of malicious drivers that were installing a rootkit on user computers.

Discovered by G DATA security researcher Karsten Hahn earlier this month, the rootkit was found in a series of drivers named Netfilter.

Hahn said the drivers stood out because they were signed via the Windows Hardware Compatibility Program (WHCP), an official system through which Microsoft whitelists drivers from selected vendors to run on the Windows OS without any security prompts.

In a technical report posted on Friday, Hahn said the Netfilter drivers contained functionality that installed a proxy configuration on infected hosts and then waited and listened for commands coming from a server located in China.

Malicious driver was used for game cheats

In its own report on the matter, Microsoft confirmed Hahn's findings and shared additional details regarding the threat actor behind the Netfilter rootkit and the WHCP program.

"The actor's activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments," Microsoft said on Friday.

"The actor's goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers," the OS maker added.

Microsoft said it also suspended the vendor account through which the driver was submitted to its WHCP program and reviewed the account's other drivers for signs of malware.

The OS maker said there are no signs to indicate that this incident was the work of an advanced nation-state actor.

Threat actors usually buy access to hacked vendor accounts or stolen certificates through specialized dark web markets and then use those certificates to sign their malware.

Drivers are often used in malware attacks because they usually get admin-level access after being installed and can reach the deepest areas of an infected operating system. In a typical attack scenario, a threat actor would gain access to a system via a simplistic malware strain and then install a signed driver as a way to gain admin access on the host, which is exactly the scenario in which Microsoft said it believed this driver was being used.
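Because the drivers in this case were signed through WHCP, a Windows system loads them without any prompt, so the only trace on an endpoint is a legitimately signed kernel driver with an unexpected name or origin. The following is an added example, not code from the article, G DATA, or Microsoft: it lists the running kernel drivers, reports who signed each file, and flags any whose name or path matches a watchlist (seeded here with "netfilter", the name given in the report). It assumes an elevated PowerShell session on Windows and assumes that WHCP-signed drivers carry a signer subject beginning with "CN=Microsoft Windows Hardware Compatibility Publisher"; the function name and the watchlist parameter are the example's own.

```powershell
# Added example (not from the article): audit running kernel drivers and who signed them.
# Assumes an elevated PowerShell session on Windows; the WHCP signer subject below is an
# assumption about how WHCP-signed drivers appear, not something stated in the article.
function Get-DriverSignatureReport {
    param(
        # Substrings to flag in a driver's name or path; "netfilter" comes from the report.
        [string[]] $WatchList = @('netfilter')
    )

    $whcpSigner = 'CN=Microsoft Windows Hardware Compatibility Publisher'   # assumed signer subject

    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the kernel-style paths Win32_SystemDriver returns
            # (\??\C:\... and \SystemRoot\...) into ordinary file paths.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot

            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $subject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # Avoid $_ shadowing inside the nested Where-Object by copying to locals first.
            $name = $_.Name
            $hit  = $WatchList | Where-Object { $name -like "*$_*" -or $path -like "*$_*" }

            [pscustomobject]@{
                Name    = $name
                Path    = $path
                Status  = if ($sig) { $sig.Status } else { 'Unreadable' }
                Signer  = $subject
                IsWhcp  = $subject -like "$whcpSigner*"
                OnWatch = [bool] $hit
            }
        }
}

# Usage: watchlisted drivers first, then everything else that loaded via a WHCP signature.
Get-DriverSignatureReport |
    Sort-Object -Property @{Expression = 'OnWatch'; Descending = $true}, IsWhcp, Name |
    Format-Table Name, Status, IsWhcp, OnWatch, Signer -AutoSize
```

Two caveats when reading the output. A driver that is signed only through a catalog file rather than an embedded signature can show `NotSigned` from `Get-AuthenticodeSignature`; cross-check those entries with `Get-CimInstance Win32_PnPSignedDriver` (its `Signer` and `IsSigned` properties) or with `signtool verify`. And a `Valid` status with the WHCP signer is exactly what the Netfilter drivers would have shown, which is the point of the article: the signature confirms the file passed Microsoft's pipeline, not that it is benign, so the watchlist and the driver's provenance, not the signature alone, have to carry the decision.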


Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.