The Shanghai skyline. Image: Kido Dong via Unsplash

Hackers target Chinese-speaking Microsoft users with ‘RedDriver’ browser hijacker

Hackers are targeting Chinese-speaking Microsoft users with a tool called RedDriver that allows them to intercept web browser traffic, according to cybersecurity researchers.

Experts from the Cisco Talos team said they have identified multiple versions of RedDriver, which they believe has been in use since at least 2021.

“The authors of RedDriver appear to be skilled in driver development and have deep knowledge of the Windows operating system,” the researchers said. Drivers help an operating system communicate with pieces of hardware, like printers and monitors.

“This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves,” the researchers said. Cisco Talos did not attribute RedDriver to a specific cyberthreat group.

According to the researchers, the attack begins with a malicious file titled DNFClient — a reference to the Dungeon Fighter Online game that is popular in China. Once the file is executed, it initiates the download of RedDriver, which Cisco called "a critical component of a multi-stage infection chain that ultimately hijacks browser traffic and redirects it to localhost."

RedDriver essentially causes the operating system to trust things it shouldn’t, by “utilizing stolen certificates to forge signature timestamps, effectively bypassing driver signature enforcement policies within Windows.” The researchers said they discovered the malware while investigating another tool.

The disruption allows the hackers to use the Windows Filtering Platform (WFP) to intercept browser traffic, according to Cisco Talos, which said it believes the intended victims are native Chinese speakers because the malware contains a target list of Chinese language browser names as well as Google Chrome and Microsoft Edge.

When contacted for comment about the situation, a spokesperson for Microsoft directed Recorded Future News to a blog post released on Tuesday acknowledging that the company was recently informed “that drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) were being used maliciously in post-exploitation activity.”

Microsoft determined that the activity “was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified. We’ve suspended the partners' seller accounts and implemented blocking detections for all the reported malicious drivers to help protect customers from this threat.”

Microsoft noted that it was first alerted to the situation in February by researchers from the security firm Sophos before Trend Micro and Cisco Talos provided additional reports.

Microsoft also released Windows Security updates that filter the problematic drivers and help to “protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity.”

Microsoft also is working on “long-term solutions to address these deceptive practices and prevent future customer impacts,” they said.

Chinese internet cafes

Cisco Talos researchers said they are still unclear about the end goal of the browser traffic redirection, but whatever the case, it is a significant threat to any system infected with RedDriver.

In their research, they noted that an earlier version of RedDriver was packaged with software that would be used in internet cafes, as many of the names belong to internet cafe management software, graphics card drivers and browsers.

It is not uncommon for internet cafes in China to be the target of cybercrime groups based there, according to Cisco Talos, which noted a 2018 situation where more than 100,000 computers at cafes across China were infected with cryptomining malware that generated more than $800,000 for hackers.

All of the domains seen during the Cisco Talos investigation resolved to IP addresses in China, they added. The infection chain for RedDriver also uses code copied from posts on a Chinese language forum.

The researchers marveled at the skill of the RedDriver creators, noting how difficult it is to develop malicious drivers that do not crash.

“An incorrectly written driver can cause damage to or crash a system even if no malicious intent is present,” they said.

“Furthermore, WFP is a complex platform to implement, and generally requires significant driver development experience to fully understand it. The authors also demonstrated a familiarity or experience with software development lifecycles, another skill set that requires previous development experience.”

Abuse of Windows driver policies

Cisco Talos released another report alongside the one covering RedDriver that discussed the larger issue of hackers taking advantage of a Windows policy loophole to make malicious drivers seem legitimate.

RedDriver is an example of the “real-world abuse of this loophole,” which allows hackers to alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates.

Microsoft has long required drivers to be digitally signed with a certificate from a verified certificate authority because without enforcement of this, malicious drivers can easily evade anti-malware software and endpoint detection tools, Cisco Talos explained.

“From an attacker's perspective, the advantages of leveraging a malicious driver include, but are not limited to, evasion of endpoint detection, the ability to manipulate system and user mode processes, and maintained persistence on an infected system,” the researchers said.

“These advantages provide a significant incentive for attackers to discover ways to bypass the Windows driver signature policies. Cisco Talos has observed threat actors taking advantage of a Windows policy loophole that allows the forging of signatures on kernel-mode drivers, thereby bypassing the certificate policies within Windows.”
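
For defenders, the loophole described above suggests a simple triage over a driver inventory: a driver whose claimed signing date falls inside an expired certificate's validity period, but whose binary was built later, deserves a closer look. The sketch below is an added example, not code from Cisco Talos or Microsoft; the CSV column names, the driver names and the dates are all constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed inventory (not real drivers; hypothetical column names): signer
# certificate validity, signing time claimed in the signature, PE compile time.
SAMPLE_INVENTORY = """\
driver,cert_not_before,cert_not_after,claimed_signing_time,pe_compile_time
vendor_gpu.sys,2022-03-01,2025-03-01,2023-05-10,2023-05-09
legacy_audio.sys,2012-01-15,2014-01-15,2013-06-01,2013-05-28
example_filter.sys,2012-06-01,2015-06-01,2015-02-01,2022-11-20
"""


def _day(text):
    """Parse a YYYY-MM-DD value as a UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def triage(row, now):
    """Return the list of reasons a driver record deserves manual review."""
    not_before = _day(row["cert_not_before"])
    not_after = _day(row["cert_not_after"])
    signed = _day(row["claimed_signing_time"])
    built = _day(row["pe_compile_time"])
    reasons = []
    if not (not_before <= signed <= not_after):
        reasons.append("signing time outside certificate validity")
    if now > not_after and built > not_after:
        reasons.append("built after signer certificate expired")
    if signed < built:
        reasons.append("claimed signing time precedes compile time")
    return reasons


def review_queue(inventory_csv, now):
    """Map driver name -> reasons, for records with at least one reason."""
    queue = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        reasons = triage(row, now)
        if reasons:
            queue[row["driver"]] = reasons
    return queue


if __name__ == "__main__":
    evaluated_at = datetime(2023, 7, 12, tzinfo=timezone.utc)
    for name, why in review_queue(SAMPLE_INVENTORY, evaluated_at).items():
        print(name, "->", "; ".join(why))
```

PE compile timestamps can themselves be altered, and some build systems write non-date values there, so a hit is a lead for manual review rather than a verdict.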


Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.