Table of Contents
  • Home
  • /
  • Blog
  • /
  • Please Be Aware About The New Netfilter Driver Rootkits!
June 30, 2021
|
3m

Please Be Aware About The New Netfilter Driver Rootkits!


Please Be Aware About The New Netfilter Driver Rootkits

Threat actors always keep trying new attack vectors to compromise the target. Here is another example of that. This time hackers tricked Microsoft into signing a malicious Netfilter driver. On 25th Jun, Microsoft confirms that it had a driver signed by the Windows Hardware Compatibility Program (WHCP), which turned to be a malicious Windows rootkit. Please be aware of the new Netfilter driver rootkits.

According to Microsoft, the drivers were submitted for certification through the Windows Hardware Compatibility Program to make it a legit program. Microsoft has suspended the account as soon they determine it was malware and reviewed their submissions for additional signs of malware.

Primary Targets Of The New Netfilter Driver Rootkits:

The study says that the attacks are limited to the gaming sector, specifically in China, and do not appear to target any enterprise environments. “The main goal of the attack is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers.”

What Microsoft Says About The New ‘Netfilter Driver Rootkits’:

  • The new Netfilter driver rootkits were capable of retrieve configuration information, IP redirection, self-update function, and retrieve the root certificate from its C2 servers after the installation.

  • There is a couple of important points to note about this: It’s a post-exploitation attack. An attacker should already have admin access to update the registry and install Netfilter driver rootkits on the machine.

  • After the investigation, Microsoft has confirmed that no evidence was found that tells that the WHCP signing certificate was compromised.

In addition to this, a cybersecurity researcher, Karsten Hahn from G Data, a German cybersecurity research company, shared more details of the Netfilter driver rootkit, including comprehensive analysis, which would give you a more idea about the malware.


Considering this as a lesson, Microsoft said, it’s going to refine its partner access policies and its validation & signing process to ensure more protections.

IOCs To Detect The New ‘Netfilter Driver Rootkits’

Here are some of the indicators of compromise captured during the investigation of the new Netfilter driver rootkits. We recommend scanning your machine to detect the infections and remove or re-image the system if infected.

C2 IP addresses:

110.42.4[.]18045.113.202[.]18045(.)248.10.244

Identified Files:

63d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0d64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a140604a269dd0a03e32e5b2a1c8ab0768791962e040d080d44dc44dab01dd7954f2b0856a1da15b2b3e8999bf9fc51bbdedd4051e21fab1302e2ce766180b4931d860c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c50eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a140612656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df12c0002af719c6abbc1e726b409fce099fffb90f758477f5295c152bde504caa16b6be03495a4f4cf394194566bb02061fba2256cc04dcbde5aa6a17e41b765018b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac11aa8ba45f9524847e2a36c0dc6fd80162923e88dc1be217dde2fb5894c65ff431cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af1d1f7e26109e6cb28c6b369c937b407d7b0cce3c4800ce9852eda94742b122591d60819f0ab8547dcd4eb18d39a0c317ec826332afa19c0a6af94bc681a21f141f05f74ebae7e65d389703d423445ffb269e657d8278b0523417e1f72b0228eb1f90d9c4d259c1fde4c7bb66a95d71ea0122e4dfb75883a6cb17b5c80ce6d18a22da5a055b7b17c69def9f5af54e257c751507e7b6b9a835fcf6245ab90ae75022f6fe6bd62fb03f7aee489cccbc918999f49596052ac0153c02cd7a3320de1323c061933d471c1f959c77806098ec0528d9b1d0130689bb3f417dd84313846824ea733bae1b8722841fb4c6cead93c4c4f0b1248ca9a21601b1ce6b95b0686426d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe26f2b9cf6e0fb50bad49a367bee63e808f1d53c476b38642d13c7db6e50687f42fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3314affdc86f62c8f8069ccd50a2cdf73bcd319773a031be700ba97a1ea4129a834c890fa43ca0e5165a4960549828ba43d7f48a216a22fc46204548ebfc34f723700b38d63d426ff0a985226b45eca6e24d052f4262d12aff529e62c2cb889c340c45c9b1c764777096b59f99ae524cbd25b88c805187e615c3ed6840f3d4c1545ee083e28fbb33afa41b1b8cd00d94c29dea8cb7cee70bae4079e6c3dfb55014ce61ad21f186cf10dbcc253feee31262203cb5c12c5a140d2dda5447c57aba1516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a135cb1dc26159c6700d6cadece63f6defda642ec1a6d324daefb0965b4e3746f705d0d5373c5e52c4405f4bd963413e6ef3490b7c4c919ec2d4e3fb92e91f397a062d7c5465852cdb7b59a86c20b4de5991c8f4820ce11a7c01cf0dde6032e500d630d7bdc20f33e6f822f52533a324865694886b7b74dfaad1dc30c9aee4260a2635273eaa4c2e20c4ec320c6c8447ce2e881984e97c9ed6aeec4fad16b934e8163d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0640eeb3128ae5c353034ee29cb656d38c41353743396c1c936afd4d04a7820876703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c06a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe16606a6db5febdaf3f1577bf97c6e1e24913e6c78b134062c02fd1f9875099c03a3f6c7f24d8ed000bc7ce842e4875b467f9de1626436e051bd351adf1f6f8bbacf870b63dfc3ed2b89a4eb8a0aa6c26885f460e5686d21c9d32413df0cdc5f962c779e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e36177ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a48249e9c0ac0840a36d9a5b9ff3e217198a2f533159acd4bf3d9b0132cc0798708e0b330a8df3076153638f5b76afc24d1083ebccc60e4d63ee0df5c11c45d58a93d99a5fbfc888c0a40a18946933121ae110229dcf206b4d17116a57e7cf4dc997030f3c81906334429afebbf365a89b66804ed890cd74038815ca18823d626c9b55b35284346bbcdc2754e60517e1702f0286770a080ee6ff3e7eed1cab812a9f9315790d0b0cc5213ac9a8eff0968cccc0a6c469b50d6598ce759748fe74bf9f9ebd6cd9b5b33ab2780122ee9c5feec84927f362890a062d13ef9816c7b85fa0050c33c8263da02618872d642617959b3564fe173985e078bfedb89df93724aa97f4f98ff842b1bfd78e920fcb1dedaec3f882dd19311bba6037430868e7a7ad2dd8a68ce22d0959f341e9269e8033b34362b34bdea50b8ee2390907f1a610b2cdcca011064d03ddd8fe3521ce0e9f9d8b16f63e4ecaf03eacfef47d22dbfb7516dca419d087ef844c42e061a834908f34e7363577ab128094973896222c8b847e717215e0198cb4e863bd96390613f83eb92693171be50ca14255c5fb088bbc58fd69ce5fed6691dd8d2084e9b728add808ffd5ea8b42ac284b686f77d9abfb4603902c6c9ff32bc36113280ee8b5687cc3ef4c0ff9fc56f2925c7f342f0c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99c2f23ad4e2f12c490cfd589764464e293d5d56c31b6b3f5081e2d677384cb2fec95af9eb52111b72563875d85d593d96d7e54e19690827a052377c77cc80e06fcaa0d9bb7ed2d21a76b71dfc22ffaef80371de8af2a03b8103cbcec332897a88d0e1639e6386ef3c063bfae334fcc35cdfa85068ac1a65bb58f2463276c31ac9d1ac4d07ba6fe1dd988c471975e49e35b83d03a9b9d626fa524fd8300b80b14ad4335f4189240a3bcafa05fab01f0707cc8e3dd7a2998af734c24916d9e37ca8d60fdabaf5a0ab375361d2ed1a9b39832bdb8bd33466d6c43d42a48ba2ffd274e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37e2449ccc74e745c0339850064313bdd8dc0eff17b3a4e0882184c9576ac93a89e8e7f2f889948fd977b5941e6897921da28c8898a9ca1379816d9f3fa9bc40ffedc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577edee6d0d0ea24be622521ee1a4defa5d5729b99ee2217ac65701d38d05dbc0d4e6f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71f83c357106a7d1d055b5cb75c8414aa3219354deb16ae9ee7efe8ee4c8c670cafd8a5313bf63f5013dc126620276fb4f0ef26416db48ee88cbaaca4029df1d73

Thanks for reading the threat post. Please share this with Windows users and make them be aware of this malware.

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Threats

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe