News

Hackers Deploy Microsoft Digital Signature in Rootkit Attack

• By Chris Paoli
• 10/22/2021

The rootkit FiveSys has been able to gain access to targeted systems thanks to the inclusion of a legitimate-looking Microsoft Windows Hardware Quality Labs Testing (WHQL) driver certificate.

The discovery was made by security firm Bitdefender, which noticed an uptick in malicious drivers with valid signatures. The firm said that the rootkit in question allows for attackers to bypass security to access and control a targeted system by rerouting HTTP and HTTPS traffic to domains on attacker-controlled proxy servers.

Bitdefender published its findings in a whitepaper this week, and says the inclusion of the compromised WHQL certificate is similar to that leveraged in the Netfilter rootkit, which was identified earlier this year. FiveSys is the second rootkit with the Microsoft certificate, and Bitdefender said that we are on the verge of seeing more attacks using legitimate driver certificates. Per the company's whitepaper:

The reason for this might be the new Driver Signing requirements from Microsoft, which demand drivers to be digitally signed by Microsoft before acceptance by the operating system. This new requirement ensures that all drivers are validated and signed by the operating system vendor rather than the original developer and, as such, digital signatures offer no indication as to the identity of the real developer.

The security firm has yet to identify how exactly attackers are bypassing the new requirements.

According to Bitdefender, FiveSys originated in China and has been seen mostly targeting online game players originating from the country. The security firm said the ultimate goal is to take control of credentials in the games to make in-game purchases. So far, FiveSys has not been spotted in the wild outside of China.

What makes this rootkit difficult to take down is the random nature in which it reroutes compromised traffic. "To make potential takedown attempts more difficult, the rootkit comes with a built-in list of 300 domains on the '.xyz' TLD," said Bitdefender. "They seem to be generated randomly and stored in an encrypted form inside the binary."

That makes identifying and shutting down the domains difficult, due to the random pattern. For its part, Bitdefender immediately reached out to Microsoft about the use of the WHQL driver certificate. Shortly after, Microsoft revoked the signature.  

While Microsoft has yet to comment on this latest rootkit attack, the company did comment in June, in reference to the Netfilter rootkit that used the same WHQL driver certificate, that the signature was created by a third party, and was not obtained through a flaw on Microsoft's side.

"We have seen no evidence that the WHCP signing certificate was exposed," said Microsoft. "The infrastructure was not compromised. In alignment with our Zero Trust and layered defenses security posture, we have built-in detection and blocking of this driver and associated files through Microsoft Defender for Endpoint."