
Microsoft Inadvertently Signed Netfilter Loaded with Rootkit Malware

Attackers tricked Microsoft into signing a malicious Netfilter driver with rootkit functionality that targets gamers in East Asian countries.


Cyberattacks continue to evolve as threat actors find or create new ways into targeted networks. Microsoft recently disclosed that an unidentified actor is distributing a malicious, Microsoft-signed Windows driver with rootkit capabilities. The driver, named “Netfilter”, was observed communicating with command-and-control (C2) servers hosted in China. It appears to target gaming environments in East Asian countries, letting players spoof their geo-location so they can play from anywhere.

Microsoft said the actor submitted the driver for certification through the Windows Hardware Compatibility Program (WHCP), which is how it came to carry a legitimate Microsoft signature. Microsoft has suspended the submitting account and reviewed its other submissions for additional signs of malware. Beyond geo-location spoofing, the malware lets the actor exploit other players by compromising their accounts with common tools such as keyloggers.

The techniques used in this campaign only come into play after a system has already been compromised, which limits who can be affected. “It’s important to understand that the techniques used in this attack occur post-exploitation, meaning an attacker must either have already gained administrative privileges to be able to run the installer to update the registry and install the malicious driver the next time the system boots or convince the user to do it on their behalf,” Microsoft said.
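As an added example (not code from the article or from Microsoft), the following PowerShell hunts for the foothold the quote describes: a driver service registered under HKLM\SYSTEM\CurrentControlSet\Services so that the driver loads at the next boot. It enumerates kernel-mode driver services, resolves each image on disk, hashes it and reads its Authenticode signer. Because the Netfilter driver carried a valid Microsoft signature, the script treats signature status as context only and flags matches against a hash blocklist; the blocklist contents ($KnownBad) and the helper name are placeholders of mine. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the article or Microsoft. Enumerates kernel-mode
# driver services (the registry entries an admin-level installer writes so a
# driver loads at next boot), hashes each driver image and reads its signer.
# A valid Microsoft/WHCP signature is NOT proof of trust after this incident,
# so matching is done against a SHA-256 blocklist you maintain.

$KnownBad = @(
    # Placeholder: replace with SHA-256 hashes from your threat-intel feed.
    '0000000000000000000000000000000000000000000000000000000000000000'
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemRoot  = $env:SystemRoot

function Resolve-DriverPath {
    # Hypothetical helper: normalise the ImagePath forms seen for kernel
    # drivers (\SystemRoot\..., System32\drivers\..., \??\C:\...) to a real path.
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$systemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $systemRoot $p }
    return $p
}

$results = foreach ($svc in Get-ChildItem $servicesKey) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    # Type 1 = SERVICE_KERNEL_DRIVER, Type 2 = SERVICE_FILE_SYSTEM_DRIVER
    if ($props.Type -notin @(1, 2)) { continue }
    $path = Resolve-DriverPath $props.ImagePath
    if (-not $path -or -not (Test-Path $path)) { continue }

    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Service   = $svc.PSChildName
        Start     = $props.Start          # 0 boot, 1 system, 2 auto, 3 demand
        Path      = $path
        SHA256    = $hash
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        KnownBad  = ($KnownBad -contains $hash)
    }
}

# Known-bad drivers first, then everything else ordered by start type, so
# boot- and system-start drivers (where a rootkit would sit) are reviewed first.
$results |
    Sort-Object -Property @{Expression = 'KnownBad'; Descending = $true}, Start |
    Format-Table Service, Start, SigStatus, KnownBad, Signer, Path -AutoSize
```

The output is a review list rather than a verdict: every driver that loads before user logon is worth a look if its signer or path is unfamiliar, and a "Valid" signature from a Microsoft publisher should be cross-checked against the hash and the driver's network behaviour rather than accepted on its own.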

Indicators of compromise

  • 42.4[.]180
  • 113.202[.]180

The actors behind the campaign have not been identified, and Microsoft said its investigation is ongoing. “We will be sharing an update on how we are refining our partner access policies, validation, and the signing process to further enhance our protection. There are no actions customers should take other than follow security best practices and deploy Antivirus software such as Windows Defender for Endpoint. By sharing the information we’ve learned with this report, we are raising awareness of these techniques so that more protections can be built-in across the industry and to increase the degree of difficulty for attackers,” Microsoft added.

Video Gamers – The Primary Targets

Research from Akamai Technologies reported a surge in web application attacks against the gaming industry during the pandemic: more than 240 million web application attacks in 2020, a 340% increase over 2019. The research also ties the rise in attack traffic against the gaming industry to the global crisis.