430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Microsoft investigates threat actor distributing malicious Netfilter Driver

Microsoft is investigating an strange attack, threat actor used a driver signed by the company, the Netfilter Driver, to implant a Rootkit. Microsoft announced it is investigating a threat actor distributing malicious drivers in attacks aimed at the gaming industry in China. The actor submitted drivers that were built by a third party for certification […]

netfilter

Microsoft is investigating an strange attack, threat actor used a driver signed by the company, the Netfilter Driver, to implant a Rootkit.

Microsoft announced it is investigating a threat actor distributing malicious drivers in attacks aimed at the gaming industry in China. The actor submitted drivers that were built by a third party for certification through the Windows Hardware Compatibility Program (WHCP). One of the drivers signed by the IT giant, called Netfilter, was a malicious Windows rootkit that was spotted while connecting to a C2 in China.

The IT giant pointed out that its WHCP signing certificate was not exposed and that its infrastructure was not compromised by hackers.

According to the experts, the attackers used the malicious driver to spoof their geo-location to cheat the system and play from anywhere. The malware allowed the attackers to gain an advantage in games and possibly take over the accounts of other players using common tools like keyloggers.

“It’s important to understand that the techniques used in this attack occur post exploitation, meaning an attacker must either have already gained administrative privileges in order to be able to run the installer to update the registry and install the malicious driver the next time the system boots or convince the user to do it on their behalf.” reads the post published by the Microsoft Security Response Center (MSRC).

The malicious signed driver was discovered by malware analyst Karsten Hahn from cybersecurity firm G Data, who published technical details about the threat.

“Last week our alert system notified us of a possible false positive because we detected a driver[1] named “Netfilter” that was signed by Microsoft. Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system. Drivers without a Microsoft certificate cannot be installed by default.” wrote the expert.

“In this case the detection was a true positive, so we forwarded our findings to Microsoft who promptly added malware signatures to Windows Defender and are now conducting an internal investigation.”

Hahn also provided details about a dropper used by the attacker to deploy the Netfilter driver on the system.

The dropper drops Netfilter into %APPDATA%\netfilter.sys, then it creates the file %TEMP%\c.xalm with the following contents and issues the command regini.exe x.calm to register the driver.

Once installed, the driver attempts to connect to a C2 server to retrieve configuration information, it supports multiple features such as IP redirection and self-update capabilities.

“The core functionality of the malware is its IP redirection. A list of targeted IP addresses are redirected to 45(.)248.10.244:3000. These IP addresses as well as the redirection target are fetched from hxxp://110.42.4.180:2081/s.” added the expert.

“Researcher @jaydinbas reversed the redirection configuration in this tweet and provided the latest decoded configuration in a pastebin.”

The older version of the Netfilter sample uploaded on VirusTotal dates back to March 17, 2021.

Microsoft has suspended the account used to submit the driver and reviewed its submissions for additional indicators of malware.

Micorsoft also shared indicators of compromise (IoCs) for this attack.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Netfilter driver)

[adrotate banner=”5″]

[adrotate banner=”13″]