Microsoft-Signed Rootkit Targets Gaming Environments in China

Researchers have identified a rootkit with a valid digital signature from Microsoft being distributed within gaming environments in China.

The rootkit, called FiveSys, is being used to redirect traffic to an attacker-controlled custom proxy server and is likely operated by a threat actor with significant interest in China's gaming market, Bitdefender researchers say in a new report. The rootkit has been targeting users for more than a year; the primary motivation for its use appears to be credential theft and in-app purchase hijacking, the security vendor says.

FiveSys is the second Microsoft-signed malware that security researchers have publicly reported in recent months. In June, G-Data announced it had observed a rootkit named Netfilter that, like FiveSys, targeted gamers in China. Both rootkits are similar in that they somehow made it past Microsoft's driver certification program and targeted the same type of environment. However, the two malware families appear unrelated, says Bogdan Botezatu, director of threat research and reporting at Bitdefender.

"The reason the driver got digitally signed by Microsoft is because the operating system no longer accepts drivers signed by the vendor only," he says. Since 2016, Microsoft has required all third-party drivers submitted via its Windows Hardware Quality Labs (WHQL) testing process to be digitally signed by Microsoft itself. What's unclear is how the adversaries managed to get the company to digitally sign malicious code, he says.

In a report this week, Bitdefender described its researchers as observing a surge in malicious drivers with valid digital signatures issued by Microsoft in recent months. The vendor said it expects to see more of them in the months ahead,

"Rootkits are some of the most powerful and most coveted tools in a cybercrime group's arsenal" because they enable full control of the compromised device, says Botezatu. One of the most effective ways for attackers to achieve this level of control is by sneaking rootkits through a company's third-party software validation program, just like attackers are targeting Microsoft's driver certification process. Similarly, Android malware developers are trying to sneak malicious content into official mobile app markets, he says.

Microsoft's WHQL testing is part of the company's Windows hardware compatibility program. The program is designed to ensure drivers and other third-party software developed for Windows computers are fully compatible with Microsoft technology. Since 2016, the company has insisted on validating and signing all drivers itself as a security precaution.