Netfilter Driver

Microsoft on Friday said it's investigating an incident wherein a driver signed by the company turned out to be a malicious Windows rootkit that was observed communicating with command-and-control (C2) servers located in China.

The driver, called "Netfilter," is said to target gaming environments, specifically in the East Asian country, with the Redmond-based firm noting that "the actor's goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere."

Stack Overflow Teams

"The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers," Microsoft Security Response Center (MSRC) said.

The rogue code signing was spotted by Karsten Hahn, a malware analyst at German cybersecurity company G Data, who shared additional details of the rootkit, including a dropper, which is used to deploy and install Netfilter on the system.

Netfilter

Upon successful installation, the driver establishes connections with a C2 server to retrieve configuration information, which offers a number of functionalities such as IP redirection, among other capabilities to receive a root certificate and even self-update the malware.

Netfilter

The oldest sample of Netfilter detected on VirusTotal dates back to March 17, 2021, Hahn said.

Prevent Data Breaches

Microsoft noted that the actor submitted the driver for certification through the Windows Hardware Compatibility Program (WHCP), and that the drivers were built by a third-party. The company has since suspended the account and reviewed its submissions for additional signs of malware.

The Windows maker also stressed that the techniques employed in the attack occur post-exploitation, which necessitates that the adversary must have had previously gained administrative privileges so as to be able to install the driver during system startup or trick the user into doing it on their behalf.

Additionally, Microsoft said it intends to refine its partner access policies as well as its validation and signing process to enhance protections further.

"The security landscape continues to rapidly evolve as threat actors find new and innovative methods to gain access to environments across a wide range of vectors," MSRC said, once again highlighting how legitimate processes can be exploited by threat actors to facilitate large-scale software supply chain attacks.


Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.