In a recent report, Microsoft acknowledged that it had signed a malicious driver that is now being distributed in the gaming environment. The investigation revealed that the Microsoft-signed driver is a Windows rootkit that continues to target gamers.
The malicious rootkit was first spotted by G DATA malware analyst Karsten Hahn, who confirmed that the threat actors are targeting users, particularly in East Asian countries.
Microsoft has taken notice of the attack, stating that the attackers used the malicious driver to spoof their geographic location in order to trick the game's systems and play from anywhere.
No evidence of certificate exposure
The company has added detections and is working to block this driver as quickly as possible, in line with its Zero Trust and layered-defense security posture. It is also using Microsoft Defender for Endpoint to identify files related to the driver. However, Microsoft stated that there is no evidence that the WHCP signing certificate was exposed or that its infrastructure was compromised by the attackers.
All of the actor's activity observed in this attack took place post-exploitation; the malware lets the threat actors gain an advantage in games and compromise other players' accounts with common tools such as keyloggers.
Microsoft signs a rootkit
After a lengthy investigation, the researchers found that the driver communicated with command-and-control (C&C) IP addresses located in certain countries, all of which were suspicious because they provided no legitimate functionality at all.
Note that starting with Windows Vista, any code running in kernel mode must be tested and signed before public release to ensure the stability of the operating system; drivers without a Microsoft certificate cannot be installed by default.
Analysis of the URLs used by Netfilter's C&C infrastructure shows that the first URL returns a set of alternate routes (URLs), separated by "|", each of which serves a specific purpose:
"hxxp://188.8.131.52:2081/p" – URLs ending in /p are associated with proxy settings.
"hxxp://184.108.40.206:2081/s" – provides the encoded IP address to redirect to.
"hxxp://220.127.116.11:2081/h?" – used to collect the CPU-ID.
"hxxp://18.104.22.168:2081/c" – root certificate generation.
"hxxp://22.214.171.124:2081/v?" – points to the malware's self-update feature.
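As an added illustration of the route-list format described above (this is not code from the report or from G DATA), the following Python splits such a "|"-separated response, labels each route by its endpoint path, and then matches the same endpoint paths against constructed proxy-log lines; the 203.0.113.x addresses and the Squid-style log format are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Endpoint paths the article attributes to the Netfilter C&C, keyed by path.
ENDPOINT_PURPOSE = {
    "/p": "proxy settings",
    "/s": "encoded redirection IP",
    "/h": "CPU-ID collection",
    "/c": "root certificate",
    "/v": "self-update",
}

# The "|"-separated route list from the article (defanged with hxxp).
SAMPLE_ROUTE_LIST = (
    "hxxp://188.8.131.52:2081/p|hxxp://184.108.40.206:2081/s|hxxp://220.127.116.11:2081/h?|"
    "hxxp://18.104.22.168:2081/c|hxxp://22.214.171.124:2081/v?"
)

# Constructed Squid-style proxy log lines; 203.0.113.x is a documentation range.
SAMPLE_LOG_LINES = [
    "1624000000.123 10.0.0.7 TCP_MISS/200 512 GET http://203.0.113.5:2081/h? - DIRECT/203.0.113.5",
    "1624000001.456 10.0.0.7 TCP_MISS/200 338 GET http://203.0.113.5:2081/v? - DIRECT/203.0.113.5",
    "1624000002.789 10.0.0.9 TCP_MISS/200 2048 GET http://example.com/index.html - DIRECT/93.184.216.34",
]


def parse_route_list(response):
    """Split a '|'-separated route list and label each route by endpoint purpose."""
    routes = []
    for raw in filter(None, (part.strip() for part in response.split("|"))):
        url = re.sub(r"^hxxp", "http", raw, flags=re.IGNORECASE)  # undo defanging
        parsed = urlparse(url)
        routes.append({
            "url": raw,
            "host": parsed.hostname, "port": parsed.port,
            "path": parsed.path,  # a trailing '?' becomes an empty query, not part of the path
            "purpose": ENDPOINT_PURPOSE.get(parsed.path, "unknown"),
        })
    return routes


def find_c2_hits(log_lines, port=2081):
    """Return (host, path, purpose) for log lines whose URL uses the C&C port and a known path."""
    hits = []
    for line in log_lines:
        match = re.search(r'(https?://[^\s"]+)', line)
        if not match:
            continue
        parsed = urlparse(match.group(1))
        if parsed.port == port and parsed.path in ENDPOINT_PURPOSE:
            hits.append((parsed.hostname, parsed.path, ENDPOINT_PURPOSE[parsed.path]))
    return hits
```

Matching on port plus endpoint path rather than on the IP addresses alone keeps the check useful when the operators rotate hosts, which the alternate-route list is designed to let them do.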
Third Party Account Suspended
After learning of the malicious driver, Microsoft said it would launch a thorough investigation. Shortly afterwards, the company learned that the attackers had obtained the driver's certification by submitting it through the Windows Hardware Compatibility Program (WHCP).
Microsoft immediately suspended the account that submitted the malicious driver and reviewed that account's other submissions for signs of further malicious activity.
Microsoft admits to signing malicious drivers
There appears to be no evidence that stolen code-signing certificates were used, but the attackers have already begun targeting the gaming industry. At the same time, it is clear that such improperly signed binaries could later be abused by attackers and could easily enable large-scale software supply chain attacks.
In addition, Microsoft is working to stop such attacks and to establish all the details and key factors needed to better understand the threat actors' main motivations and overall plan of action.