A driver secretly installed via PUP packages for Chinese software contains a backdoor that enables a third party to load unsigned drivers or to execute code with higher privileges on a Windows machine.
The backdoor was discovered by Malwarebytes researchers as part of various bundled software packages pushed by at least two major PUP bundler networks.
The PUP installer drops a series of 7-Zip archives on each victim's computer. These archives contain the PUP application's resources, including 32- and 64-bit versions of a driver that is forcibly and silently installed on the user's computer without their knowledge.
Backdoor enables two possible actions
The driver contains code that allows for two possible actions. The first defeats Driver Signature Enforcement, a Windows security feature that only lets users install digitally signed drivers from trusted software developers. Defeating it allows a third party to install unsigned drivers on a Windows PC.
The backdoor's second feature is a mechanism for local privilege escalation: it takes the attacker's code and runs it through the driver, which inherently has kernel-level access, giving the attacker's code that same level of access.
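As a defender-side check that is added here and is not part of the article or of Malwarebytes' analysis: a PowerShell audit that lists every registered kernel driver and flags those that are loaded without a valid Authenticode signature, which is the condition a Driver Signature Enforcement bypass like the one described above produces. It assumes an elevated session and relies only on the standard Get-CimInstance and Get-AuthenticodeSignature cmdlets.

```powershell
# Added example (not from the article or Malwarebytes): audit the kernel drivers
# registered on this host and flag any running driver whose image is not validly
# Authenticode-signed. Run from an elevated PowerShell session.

$systemRoot = $env:SystemRoot

# Win32_SystemDriver lists every kernel-mode driver service, running or stopped.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver

$results = foreach ($d in $drivers) {
    $path = $d.PathName
    if (-not $path) { continue }

    # PathName is often in NT form (\SystemRoot\..., \??\C:\...); normalise to Win32.
    $path = $path -replace '^\\SystemRoot', $systemRoot
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path.Trim('"')

    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Name = $d.Name; State = $d.State; Path = $path
                           Signature = 'FILE MISSING'; Signer = '' }
        continue
    }

    # Get-AuthenticodeSignature also consults the system catalogs, so inbox
    # (catalog-signed) drivers report Valid; third-party drivers normally carry
    # an embedded signature. NotSigned / HashMismatch are the interesting cases.
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Name      = $d.Name
        State     = $d.State
        Path      = $path
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# A driver that is loaded (Running) without a valid signature deserves a closer look.
$suspect = @($results | Where-Object { $_.State -eq 'Running' -and $_.Signature -ne 'Valid' })

$results | Sort-Object Signature, Name | Format-Table -AutoSize
if ($suspect.Count -gt 0) {
    Write-Warning ("{0} running driver(s) without a valid Authenticode signature:" -f $suspect.Count)
    $suspect | Format-Table Name, Path, Signature -AutoSize
}
```

A clean host should report no running drivers outside the Valid state; an unexpected entry is a starting point for further analysis, not proof of this specific backdoor, since the article does not name the driver file.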
“Any application running on the system could get any kernel mode code running,” slipstream/RoL, a security researcher who created proof-of-concept code for the backdoored driver, told Bleeping Computer.
Backdoor is malicious, not an accident
According to Malwarebytes, the backdoored driver appears to have been created for nefarious activities and does not seem to be the result of coding mistakes.
In some cases, the backdoor code has been obfuscated and packed with the VMProtect application to hide it from the prying eyes of security researchers.
“Clearly, some Chinese developer really didn’t want their backdoor to be discovered,” said Malwarebytes researcher Zammis Clark, who published a technical analysis of the backdoor on the company’s blog.
Backdoored drivers distributed since 2013
Signs of the backdoored driver have been found online since 2013, on a Chinese forum. According to Malwarebytes, the backdoored driver is packaged with the following applications:
A Chinese Android rooting toolkit
A Chinese WiFi hotspot application
A Chinese USB drive helper utility
A Chinese calendar application (latest version doesn’t include the backdoored driver)
A Chinese driver updater (the English version of this app doesn’t include the backdoored driver)
Different versions of the backdoored driver have been observed, targeting different Windows versions, such as:
Windows XP x64
Windows Vista /
Windows 10 v1507, v1511, v1607
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016