Hackers Target Gaming Sector By Deploying Microsoft Rootkit
Cybersecurity researchers have uncovered a sophisticated cyberattack campaign in China, where hackers utilize a Microsoft-signed rootkit to target the gaming sector.
The investigation by security firm Trend Micro revealed that the malicious actor responsible for this campaign is believed to be the same group behind the notorious FiveSys rootkit, previously discovered in October 2021.
Trend Micro researchers confirmed that the attackers, originating from China, have obtained valid signatures for their malware, possibly by passing through the stringent Windows Hardware Quality Labs (WHQL) process.
The rootkit campaign consists of multiple variants organized into eight distinct clusters. These variants are signed using Microsoft's WHQL program, exploiting the trust associated with legitimate digital certificates. By doing so, the attackers can circumvent detection mechanisms and gain a foothold on targeted systems. Each variant is tailored to the victim's machine, with some even featuring custom-compiled drivers.
The initial-stage driver, signed by Microsoft, functions as a loader, establishing communication with a command-and-control (C&C) server infrastructure. It uses the Winsock Kernel (WSK) API for network communication from kernel mode and a domain generation algorithm (DGA) to derive multiple C&C domains, so the infrastructure survives takedown of any single domain. Additionally, the rootkit employs obfuscation techniques to evade detection, indicating ongoing development and testing.
Once established, the attackers deploy second-stage plug-ins, which possess various capabilities for achieving persistence and executing specific actions from the kernel space. These plug-ins include a Defender terminator, intended to disable Microsoft Defender software, and a proxy plug-in that installs a remote proxy server and redirects web browsing traffic.
Notably, these Microsoft-signed rootkits have been primarily detected within the gaming sector in China, potentially infiltrating systems through trojanized Chinese games. Using legitimate digital certificates allows the malware to avoid raising suspicion, making it more difficult for security tools to detect and mitigate the threat.
In total, 133 malicious drivers signed with valid digital certificates have been discovered. Among them, 81 can disable antivirus software, while the remaining drivers function as covert rootkits, stealthily monitoring sensitive data transmitted over the internet.
Because these drivers carry a signature issued through the Windows Hardware Compatibility Program, attackers can install them on compromised systems without triggering driver-signature enforcement, leaving them free to carry out malicious activity from the kernel undetected.
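As an added example that is not part of the original article or of Trend Micro's research, the following PowerShell triage script lists currently running kernel drivers that carry a WHQL attestation signature (signer "Microsoft Windows Hardware Compatibility Publisher") and compares each file's SHA256 hash against a defender-supplied list of known-bad driver hashes. The hash list is a placeholder, since the article publishes no indicators; run it from an elevated prompt.

```powershell
# Added example: triage running kernel drivers that carry a WHQL attestation signature.
# $KnownBadSha256 is a placeholder list; populate it from your vendor's IoC feed.
$KnownBadSha256 = @(
    'PLACEHOLDER_SHA256_FROM_VENDOR_IOC_LIST'
)

function Get-WhqlSignedDrivers {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may use the \??\ or \SystemRoot\ prefix; normalise to a file system path.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            # Embedded Authenticode signature. Catalog-signed drivers without an embedded
            # signature may report NotSigned here and need separate review.
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # WHQL-attested third-party drivers are signed by this Microsoft publisher,
            # whereas Microsoft's own inbox drivers are signed as "Microsoft Windows".
            if ($signer -notmatch 'Microsoft Windows Hardware Compatibility Publisher') { return }

            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{
                Name     = $_.Name
                Path     = $path
                Status   = $sig.Status
                Signer   = $signer
                Sha256   = $hash
                KnownBad = ($KnownBadSha256 -contains $hash)
                # Version metadata helps an analyst attribute the driver to a real vendor.
                Company  = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            }
        }
}

# Known-bad matches first; every remaining WHQL-signed driver is a candidate for manual review.
Get-WhqlSignedDrivers | Sort-Object KnownBad -Descending | Format-Table -AutoSize
```

A WHQL signature on its own is not evidence of compromise, so treat the unmatched rows as a review list: an unfamiliar company name, an unusual path, or a driver with no corresponding installed product are the signals worth following up.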
Microsoft has taken immediate action to address the issue, implementing blocking protections and suspending the accounts responsible for signing the malicious drivers. Microsoft recommends “that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks.”