Microsoft has now confirmed signing a malicious driver being distributed within gaming environments.
This driver, called "Netfilter," is in fact a rootkit that was observed communicating with Chinese command-and-control (C2) IPs.
G Data malware analyst Karsten Hahn first took notice of this event last week and was joined by the wider infosec community in tracing and analyzing the malicious drivers bearing the seal of Microsoft.
This incident has once again exposed threats to software supply-chain security, except this time it stemmed from a weakness in Microsoft's code-signing process.
"Netfilter" driver is rootkit signed by Microsoft
Last week, G Data's cybersecurity alert systems flagged what appeared to be a false positive, but was not—a Microsoft-signed driver called "Netfilter."
The driver in question was seen communicating with China-based C&C IPs while providing no legitimate functionality, which raised suspicions.
This is when G Data's malware analyst Karsten Hahn shared this publicly and simultaneously contacted Microsoft:
"Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system."
"Drivers without a Microsoft certificate cannot be installed by default," states Hahn.
At the time, BleepingComputer began observing the behavior of C2 URLs and also contacted Microsoft for a statement.
The first C2 URL returns a set of more routes (URLs) separated by the pipe ("|") symbol:
Each of these serves a purpose, according to Hahn:
- The URL ending in "/p" is associated with proxy settings,
- "/s" provides encoded redirection IPs,
- "/h?" is for receiving CPU-ID,
- "/c" provides a root certificate, and
- "/v?" is related to the malware's self-update functionality.
As seen by BleepingComputer, for example, the "/v?" path provided the URL to the malicious Netfilter driver in question itself (living at "/d3"):
The G Data researcher spent some time analyzing the driver and concluded that it is malware.
The researcher has analyzed the driver, its self-update functionality, and Indicators of Compromise (IOCs) in a detailed blog post.
"The sample has a self-update routine that sends its own MD5 hash to the server via hxxp://110.42.4.180:2081/v?v=6&m=," says Hahn.
An example request would look like this:
"The server then responds with the URL for the latest sample, e.g. hxxp://110.42.4.180:2081/d6 or with 'OK' if the sample is up-to-date. The malware replaces its own file accordingly," further explained the researcher.
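The route list and self-update exchange described above lend themselves to a simple proxy-log check. The following is an added example, not code from the article or from G Data: it parses the pipe-separated route list, classifies requests to the reported C2 endpoint by Hahn's route table, extracts the MD5 the "/v?" beacon carries, and interprets the update reply ("OK" versus a sample URL). The log lines and the MD5 value are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# C2 endpoint reported in the article; the log lines below are constructed.
NETFILTER_C2 = ("110.42.4.180", 2081)
# Route purposes as described by Hahn (path prefix -> meaning); "/d.." paths carry samples.
ROUTE_PURPOSE = {"/p": "proxy settings", "/s": "encoded redirection IPs",
                 "/h": "CPU-ID upload", "/c": "root certificate",
                 "/v": "self-update check"}
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)

SAMPLE_LOG = [  # constructed proxy log: timestamp client url
    "2021-06-21T10:00:01 10.0.0.7 http://110.42.4.180:2081/p",
    "2021-06-21T10:00:02 10.0.0.7 http://110.42.4.180:2081/v?v=6&m=0123456789abcdef0123456789abcdef",
    "2021-06-21T10:00:03 10.0.0.9 http://example.com/v?v=6",
    "2021-06-21T10:00:04 10.0.0.7 http://110.42.4.180:2081/d3",
]

def parse_route_list(body):
    """Split the pipe-separated route list the first C2 URL returns."""
    return [r.strip() for r in body.split("|") if r.strip()]

def classify_request(url):
    """Return (hits_c2, purpose, reported_md5) for one requested URL."""
    u = urlsplit(url)
    if (u.hostname, u.port or 80) != NETFILTER_C2:
        return (False, None, None)
    purpose = ROUTE_PURPOSE.get(u.path[:2], "unknown route (possible sample download)")
    md5 = None
    if u.path == "/v":  # beacon carries the implant's own MD5 in m=
        m = parse_qs(u.query).get("m", [""])[0]
        md5 = m.lower() if MD5_RE.match(m) else None
    return (True, purpose, md5)

def scan_proxy_log(lines):
    """Flag every log line whose URL targets the Netfilter C2."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        hit, purpose, md5 = classify_request(fields[2])
        if hit:
            hits.append({"client": fields[1], "purpose": purpose, "md5": md5})
    return hits

def update_reply_action(body):
    """Interpret a /v? reply: 'OK' = up to date, a URL = new sample to fetch."""
    body = body.strip()
    if body == "OK":
        return ("up_to_date", None)
    if body.lower().startswith(("http://", "https://")):
        return ("replace_with", body)
    return ("unexpected", body)
```

The MD5 pulled from the beacon can be compared against the hashes in Roth's sample spreadsheet to confirm which build a host is running.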
During the course of his analysis, Hahn was joined by other malware researchers including Johann Aydinbas, Takahiro Haruyama, and Florian Roth.
Roth was able to gather the list of samples in a spreadsheet and has provided YARA rules for detecting these in your network environments.
Notably, the C2 IP 110.42.4.180 that the malicious Netfilter driver connects to belonged to Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd, according to WHOIS records:
Microsoft admits to signing the malicious driver
Microsoft is actively investigating this incident, although thus far, there is no evidence that stolen code-signing certificates were used.
The mishap seems to have resulted from the threat actor following Microsoft's process to submit the malicious Netfilter drivers, and managing to acquire the Microsoft-signed binary in a legitimate manner:
"Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments."
"The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party."
"We have suspended the account and reviewed their submissions for additional signs of malware," said Microsoft yesterday.
According to Microsoft, the threat actor has mainly targeted the gaming sector specifically in China with these malicious drivers, and there is no indication of enterprise environments having been affected so far.
Microsoft has refrained from attributing this incident to nation-state actors just yet.
Falsely signed binaries can be abused by sophisticated threat actors to facilitate large-scale software supply-chain attacks.
The multifaceted Stuxnet attack that targeted Iran's nuclear program marks a well-known incident in which code-signing certificates were stolen from Realtek and JMicron to facilitate the attack.
This particular incident, however, has exposed weaknesses in a legitimate code-signing process, exploited by threat actors to acquire Microsoft-signed code without compromising any certificates.
Updates:
Jun 26th 12:26 PM ET: Clarified that BleepingComputer did not see the DoD list explicitly mentioning the alleged Chinese company, contrary to the details in the researcher's report. Also reached out to Hahn for clarification.
Jun 27th, 04:58 AM ET: A previous version of the blog post mentioned another researcher @cowonaut alleging that the aforementioned company has previously been marked by the U.S. Department of Defense (DoD) as a "Communist Chinese military" company. However, BleepingComputer did not see Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd. present on any of the DoD lists available. The claim has since been retracted from the original blog post, and we have updated our article to reflect the same.
Comments
fromFirefoxToVivaldi - 2 years ago
Was this distributed together with game installers? If so, is there any data on which games were affected?
U_Swimf - 2 years ago
Sounds like it might be related to Xbox if it's "game related". This is frustrating to hear: rootkit, signed off by Microsoft..
Way to blow up, incinerate and revalidate any chances in trusting Windows key signing in general. These guys should reevaluate their whole trust and untrusted thing they have going with managing everything. Happening once in a while to the few who figure it out and no mentions of the thousands who never notice, is unacceptable
U_Swimf - 2 years ago
Great.. a rogue NetFilter root kit. That's gonna be hard to remove isn't it?
What's the purpose of Netfilter? I read the wiki but still confused.. does it control web services ?
Sporkfighter - 2 years ago
"What's the purpose of Netfilter?"
Sounds like it's just an innocuous-sounding name. They picked it because calling it "nasty-rootkit" would be a dead giveaway.
Struppigel - 2 years ago
I am clearing that up currently. I got the information that
Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd
was part of China Mobile Communications Group which are on the DoD list.
But now I am not sure anymore. I usually verify pieces of information but for this one I did not. X|
GT500 - 2 years ago
"gaming environments" is unfortunately rather vague. Are they referring to game distribution systems such as Steam, Epic Games, etc? Or perhaps to games from certain Chinese companies, such as Tencent and their subsidiaries (Epic Games, Riot Games, etc)? Or perhaps to games distributed via the Microsoft Store in Windows 10?
Since the driver was signed by Microsoft it almost certainly means it's for Windows, so we can probably rule out mobile systems running Android and iOS, as well as MacOS and Linux systems (you wouldn't need Microsoft to sign a Linux driver). I don't expect game consoles like the Xbox and PlayStation systems to need third-party drivers due to the way hardware is controlled by Microsoft and Sony, so I'm having a difficult time with the term "gaming environments" and figuring out what exactly that means.
cortpain - 2 years ago
What it means, reading between the lines from what is in the article, is that PRC state elements got this malware signed and into circulation, presumably through Microsoft insiders, for the purpose of individual surveillance on Chinese citizens belonging to "gaming environments". That it took a fourth party to identify this case and still the admission had to be coaxed out of MS seems to also imply that it is not the first instance of malware pushed through that channel, or not the first such channel to have been operating with insider access.
fromFirefoxToVivaldi - 2 years ago
But which games exactly were affected? There doesn't seem to be a list anywhere. There are plenty of Chinese games sold in the west.
GT500 - 2 years ago
That's basically what the article says. It doesn't help me understand what "gaming environments" means.
lucky8 - 2 years ago
""gaming environments" is unfortunately rather vague. Are they referring to game distribution systems such as Steam, Epic Games, etc? Or perhaps to games from certain Chinese companies, such as Tencent and their subsidiaries (Epic Games, Riot Games, etc)? Or perhaps to games distributed via the Microsoft Store in Windows 10?
Since the driver was signed by Microsoft it almost certainly means it's for Windows, so we can probably rule out mobile systems running Android and iOS, as well as MacOS and Linux systems (you wouldn't need Microsoft to sign a Linux driver). I don't expect game consoles like the Xbox and PlayStation systems to need third-party drivers due to the way hardware is controlled by Microsoft and Sony, so I'm having a difficult time with the term "gaming environments" and figuring out what exactly that means."
It is Riot Games'. The kernel driver has been present and functioning a while ago, when they introduced the Ring0 driver for its "anti-cheat" software
darknite323 - 2 years ago
Do you have any evidence of this?
There is no mention of where the driver was found, if it was distributed by Riot we would have heard something I'd think.
Or have you made this baseless assumption on the fact that this malicious driver as well as Riot's Anti-cheat driver are both Ring0/kernel level drivers?
Fairly likely the driver has been embedded in fake software targeted at Chinese gamers, based on the driver name it was likely part of one of those "make your connection to your favourite online game service faster" software, or likely game cheat/hack tools.