Pierluigi Paganini October 22, 2021

Bitdefender researchers discovered a new Rootkit named FiveSys that abuses Microsoft-Issued Digital Signature signature to evade detection.

FiveSys is a new rootkit discovered by researchers from Bitdefender, it is able to evade detection by abusing a Microsoft-issued digital signature.

Driver packages that pass Windows Hardware Lab Kit (HLK) testing can be digitally-signed by Microsoft WHQL (Windows Hardware Quality Labs). If your driver package is digitally-signed by WHQL, it can be distributed through the Windows Update program or other Microsoft-supported distribution mechanisms.

Obtaining a WHQL release signature is part of the Windows Hardware Lab Kit (HLK). A WHQL release signature consists of a digitally-signed catalog file.

Microsoft is aware that Vxers have devised a method to digitally sign their rootkits through this process. After Bitdefender has reported the discovery, Microsoft has revoked the signature for FiveSys.

In June, the company announced it is investigating a threat actor distributing malicious drivers in attacks aimed at the gaming industry in China. The actor submitted drivers that were built by a third party for certification through the Windows Hardware Compatibility Program (WHCP). One of the drivers signed by Microsoft, called Netfilter, was a malicious Windows rootkit that was spotted while connecting to a C2 in China.

The IT giant pointed out that its WHCP signing certificate was not exposed and that its infrastructure was not compromised by hackers.

The FiveSys rootkit uses the same technique to remain under the radar, it is very similar to the Undead malware and likely originate from China where is used to target domestic games.

The rootkit was used by threat actors to redirect internet traffic to a custom proxy server.

“The main purpose of the rootkit is to redirect internet traffic and route it to a custom proxy server. To achieve this, the
driver serves locally a Proxy Autoconfguration Script to the browser. The driver will periodically update this autoconfguration script. The script has a list of domains/URLs for which it
redirects traffc to an endpoint under the attacker’s control.” reads the report published by Bitdefender.

The rootkit is able to redirect both http and https traffic, in the latter case, it installs a custom root certificate to about browser’s warnings of the unknown identity of the proxy server.

The malware maintains a list of digital signatures used to detect drivers associated with Netfilter and fk_undead malware families and prevent that they are loaded.

Bitdefender identified several user mode binaries that are used to fetch and execute the malicious drivers onto the target machines. According to the experts, FiveSys uses four drivers, but at this time they have only detected only two of them.

“It also has an estimated four drivers, but in our research, we only managed to isolate two:

• PacSys(PC.sys) is responsible for delivering the proxy autoconfguration script (the *.PAC fle, hence the name probably).
• Up.sys downloads an executable and starts it using an embedded dll which it injects from kernel mode.
  Both drivers can protect the other module too, and reinstall it if it gets deleted.
• Even though, technically speaking, the malware families are not among the sophisticated ones, the fact that they
  abuse digital signatures in this manner seriously undermines the credibility of this protection mechanism.”

To minimize the chance of a C2 takedown, the rootkit uses a built-in list of 300 domains on the “.xyz” TLD that are randomly generated and that stored in an encrypted form inside the binary.

Upon contacting the C2, the rootkit will select a random domain from the list, each such domain having several DNS A records.

The paper published by Bitdefender also includes indicators of compromise (IoCs.)

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

[adrotate banner=”5″]

[adrotate banner=”13″]