In a recent statement, Microsoft confirmed that Netfilter, a malicious driver distributed within some gaming environments, was signed by the company. Karsten Hahn, researcher at security firm G Data, mentions that this rootkit was first detected a couple of weeks ago and has connection to IP addresses and C&C servers in China.
For the cybersecurity community, this incident is yet another example of the severe weaknesses in the software supply chain, something that has been exploited by hackers with disastrous consequences as happened with the attack on SolarWinds.
As G Data experts mentioned earlier, the driver communicates to China-based implementations, to which Karsten Hahn commented: “Since Windows Vista, any code running in kernel mode must be signed before public release to ensure the stability of the operating system. Microsoft unsigned drivers cannot be installed by default.”
The researcher analyzed the driver and concluded that it was a malware sample: “The sample has an automatic update routine that sends its own MD5 hash to the server via hxxp://18.104.22.168:2081/v?V=6&m=.“
Microsoft has already received the report and announced that it will launch an investigation, although it was confirmed that so far there is no evidence that stolen code signing certificates have been used. A first hypothesis suggests that the threat actors followed Microsoft’s process to send the malicious Netfilter drivers, thereby obtaining Microsoft’s legitimate signature on the binary.
“Microsoft is investigating a hacking group that distributes malicious drivers in gaming environments. This group sends the drivers for certification through the corresponding Windows program but these malicious developments have not been developed by Microsoft. We decided to suspend the associated account and review all of its submissions to support the investigation of this malicious campaign,” the company says.
The company’s report notes that threat actors have mainly targeted the gaming sector in China; so far there is no indication that implementations in other industries have been compromised. Microsoft declined to attribute this incident to any nation state-sponsored hacking group.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.