On Friday, the 25th of June 2021, Microsoft admitted to signing a series of malicious rootkit drivers named Netfilter. This was first reported in a report published by Karsten Hahn, a security researcher from G DATA. In his report, Hahn states that G DATA’s alert system notified them of a driver named ‘Netfilter’. Initially, they thought it was a false positive, since the driver was officially signed by Microsoft. Ever since the launch of the Windows Vista operating system, any code that runs in kernel mode has to undergo testing before being signed and certified by Microsoft for public release on the operating system.
Microsoft malicious rootkit driver – How it happened
By default, such drivers cannot be installed without certification from Microsoft. However, this detection turned out to be a true positive, meaning a malicious rootkit had somehow made its way past Microsoft’s testing and certification procedures. Hahn says this series of drivers stood out to him because it was signed through the Windows Hardware Compatibility Program (WHCP); this program allows drivers from a select set of vendors to run on Windows operating systems without any security prompts.
“…we forwarded our findings to Microsoft who promptly added malware signatures to Windows Defender and are now conducting an internal investigation. At the time of writing it is still unknown how the driver could pass the signing process.”
Karsten Hahn, via the G DATA report
What is this Rootkit driver in Microsoft OS?
As per the G DATA report, Hahn found that ‘Netfilter’ was a series of drivers with the functionality to install proxy configurations on affected systems, which then waited for and executed commands that came from a Chinese IP address. According to Twitter user Johann Aydinbas, this rootkit was used for eavesdropping on Secure Sockets Layer (SSL) connections, which are normally used to keep internet connections secure and safeguard their contents (yes, the irony is not lost on us).
Microsoft published its own report via the Microsoft Security Response Center (MSRC) on the same day regarding the rootkit situation. This report confirmed Hahn’s findings and shared supplementary material regarding the threat actor behind the rootkit and how it got past the hardware compatibility program.
“The actor’s activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments. The actor’s goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers.”
via the MSRC report
The software giant also reported that the rootkit itself was made by a third party, and that the vendor account through which it was submitted to the hardware compatibility program has since been suspended. Other drivers submitted by the same vendor are also being thoroughly investigated for signs of malware. Microsoft further states that there is no evidence that its WHCP signing certificate was exposed, nor that its internal infrastructure was compromised in any way.
The effects of the rootkit malware incident
According to the MSRC report, the driver is normally deployed “post-exploitation”, i.e. after an attacker already has a foothold on the machine. Drivers are attractive in such malware attacks because they run with elevated (kernel-level) privileges, giving them access to the core of any infected OS. According to an article by Limor Kessem in Security Intelligence, dark web markets make it possible for threat actors to purchase access to hacked vendor accounts. With such an account, they can push a “signed” driver to any host of their choosing via otherwise simple malware. The MSRC report suggests that this is the exact scenario in which the driver was being used. It also states that users need not take any additional action in light of this information and should continue to follow the generally prescribed security measures.
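The article’s underlying point, that a valid WHCP signature does not by itself make a driver trustworthy, suggests a simple defensive audit. The PowerShell snippet below is an added example written for this page, not code from the article, G DATA or Microsoft: it enumerates the kernel drivers currently running, records each file’s Authenticode signature status and signer, and flags any driver whose SHA-256 hash is not in a locally maintained allowlist. The allowlist (`$knownHashes`) is a placeholder that you would populate from a vetted reference image; no real hashes from the incident are used.

```powershell
# Added example (not from the article, G DATA or Microsoft): list running kernel drivers
# together with their Authenticode signer, and flag any that are not on a local allowlist.
# A "Valid" signature (including a WHCP signature) is recorded but is NOT treated as proof
# that the driver is benign; only a locally vetted hash clears it.

# Placeholder allowlist: SHA-256 hashes of driver files you have vetted yourself,
# e.g. collected from a known-good gold image. Keys are uppercase hex strings.
$knownHashes = @{}

Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise the kernel-style paths WMI reports (\??\C:\... or \SystemRoot\...)
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $path = [Environment]::ExpandEnvironmentVariables($path)
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

        [pscustomobject]@{
            Name   = $_.Name
            Path   = $path
            Status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            SHA256 = $hash
            Vetted = $knownHashes.ContainsKey($hash)  # true only if on the local allowlist
        }
    } |
    # Surface anything that is either not validly signed or not yet vetted locally
    Where-Object { $_.Status -ne 'Valid' -or -not $_.Vetted } |
    Sort-Object Signer, Name |
    Format-Table Name, Status, Signer, SHA256, Path -AutoSize
```

Run it from an elevated PowerShell session so every driver file is readable. On a freshly built machine the output is the baseline to review once and then feed into `$knownHashes`; afterwards, any new line (a driver whose hash nobody has vetted, whatever its signer) is what deserves a second look, which is exactly the class of driver G DATA’s alert picked up.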
Microsoft has stated that it will share an update on how it intends to refine its partner access policies, as well as its validation and signing processes, to protect against any future incidents.