Netfilter gaming driver is a Chinese backdoor approved by Microsoft. Uninstall this driver immediately

In a recent statement, Microsoft confirmed that Netfilter, a malicious driver distributed within some gaming environments, was signed by the company. Karsten Hahn, researcher at security firm G Data, mentions that this rootkit was first detected a couple of weeks ago and has connections to IP addresses and C&C servers in China.

For the cybersecurity community, this incident is yet another example of the severe weaknesses in the software supply chain, something that has been exploited by hackers with disastrous consequences as happened with the attack on SolarWinds.

As G Data experts mentioned earlier, the driver communicates with China-based command-and-control infrastructure. Karsten Hahn commented: “Since Windows Vista, any code running in kernel mode must be signed before public release to ensure the stability of the operating system. Drivers not signed by Microsoft cannot be installed by default.”

The researcher analyzed the driver and concluded that it was a malware sample: “The sample has an automatic update routine that sends its own MD5 hash to the server via hxxp://110.42.4.180:2081/v?V=6&m=.”
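A defender-side check for the situation the article describes, added here and not taken from the article or from G Data. It assumes the driver's file name contains "netfilter" (the article gives no file name) and uses the update-server address quoted above; a valid Microsoft signature is deliberately not treated as a clean verdict, since that is exactly what this driver carried.

```powershell
# Added example (not the article's or G Data's code): find registered kernel drivers whose
# path contains "netfilter" (assumed name), show their Authenticode signer and hash, and check
# for live TCP connections to the update/C&C endpoint quoted in the article.
$C2Address = '110.42.4.180'   # address quoted in the article
$C2Port    = 2081

# Every kernel driver registered with the service control manager, running or not
$drivers = Get-CimInstance -ClassName Win32_SystemDriver

$suspects = foreach ($d in $drivers) {
    $path = $d.PathName
    if (-not $path) { continue }
    # Normalise the two native path prefixes WMI may return
    $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -notmatch 'netfilter') { continue }      # -match is case-insensitive
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Name    = $d.Name
        State   = $d.State
        Path    = $path
        SigStat = $sig.Status                          # "Valid" does NOT mean benign here
        Signer  = $sig.SignerCertificate.Subject
        Sha256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

if ($suspects) {
    Write-Host "Driver(s) matching 'netfilter' (compare the hash against your AV/vendor IOC feed):"
    $suspects | Format-Table -AutoSize
} else {
    Write-Host "No driver with 'netfilter' in its path is registered on this host."
}

# Network check: any current connection to the update/C&C endpoint?
$conns = Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue |
         Where-Object { $_.RemotePort -eq $C2Port }
if ($conns) {
    Write-Host "ALERT: connection(s) to ${C2Address}:${C2Port} found:"
    $conns | Select-Object LocalAddress, LocalPort, State, OwningProcess | Format-Table -AutoSize
} else {
    Write-Host "No connection to ${C2Address}:${C2Port} at this moment."
}
```

Run it from an elevated PowerShell session; a matching driver with a valid Microsoft signature should still be treated as a finding and its hash checked against current threat intelligence before removal.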

Microsoft has already received the report and announced that it will launch an investigation, although it was confirmed that so far there is no evidence that stolen code signing certificates have been used. A first hypothesis suggests that the threat actors followed Microsoft’s standard submission process to have the malicious Netfilter driver signed, thereby obtaining Microsoft’s legitimate signature on the binary.

“Microsoft is investigating a hacking group that distributes malicious drivers in gaming environments. This group sends the drivers for certification through the corresponding Windows program but these malicious developments have not been developed by Microsoft. We decided to suspend the associated account and review all of its submissions to support the investigation of this malicious campaign,” the company says.

The company’s report notes that threat actors have mainly targeted the gaming sector in China; so far there is no indication that organizations in other industries have been compromised. Microsoft declined to attribute this incident to any nation-state-sponsored hacking group.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.