Microsoft investigates threat actor distributing malicious Netfilter Driver

Microsoft is investigating an strange attack, threat actor used a driver signed by the company, the Netfilter Driver, to implant a Rootkit.

Microsoft announced it is investigating a threat actor distributing malicious drivers in attacks aimed at the gaming industry in China. The actor submitted drivers that were built by a third party for certification through the Windows Hardware Compatibility Program (WHCP). One of the drivers signed by the IT giant, called Netfilter, was a malicious Windows rootkit that was spotted while connecting to a C2 in China.

The IT giant pointed out that its WHCP signing certificate was not exposed and that its infrastructure was not compromised by hackers.

According to the experts, the attackers used the malicious driver to spoof their geo-location to cheat the system and play from anywhere. The malware allowed the attackers to gain an advantage in games and possibly take over the accounts of other players using common tools like keyloggers.

“It’s important to understand that the techniques used in this attack occur post exploitation, meaning an attacker must either have already gained administrative privileges in order to be able to run the installer to update the registry and install the malicious driver the next time the system boots or convince the user to do it on their behalf.” reads the post published by the Microsoft Security Response Center (MSRC).

The malicious signed driver was discovered by malware analyst Karsten Hahn from cybersecurity firm G Data, who published technical details about the threat.

“Last week our alert system notified us of a possible false positive because we detected a driver^[1] named “Netfilter” that was signed by Microsoft. Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system. Drivers without a Microsoft certificate cannot be installed by default.” wrote the expert.

“In this case the detection was a true positive, so we forwarded our findings to Microsoft who promptly added malware signatures to Windows Defender and are now conducting an internal investigation.”

Hahn also provided details about a dropper used by the attacker to deploy the Netfilter driver on the system.

The dropper drops Netfilter into %APPDATA%\netfilter.sys, then it creates the file %TEMP%\c.xalm with the following contents and issues the command regini.exe x.calm to register the driver.

Once installed, the driver attempts to connect to a C2 server to retrieve configuration information, it supports multiple features such as IP redirection and self-update capabilities.

“The core functionality of the malware is its IP redirection. A list of targeted IP addresses are redirected to 45(.)248.10.244:3000. These IP addresses as well as the redirection target are fetched from hxxp://110.42.4.180:2081/s.” added the expert.

“Researcher @jaydinbas reversed the redirection configuration in this tweet and provided the latest decoded configuration in a pastebin.”

The older version of the Netfilter sample uploaded on VirusTotal dates back to March 17, 2021.

Microsoft has suspended the account used to submit the driver and reviewed its submissions for additional indicators of malware.

Micorsoft also shared indicators of compromise (IoCs) for this attack.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Netfilter driver)

[adrotate banner=”5″]

[adrotate banner=”13″]