Please Be Aware About The New Netfilter Driver Rootkits!

Threat actors always keep trying new attack vectors to compromise the target. Here is another example of that. This time hackers tricked Microsoft into signing a malicious Netfilter driver. On 25th Jun, Microsoft confirms that it had a driver signed by the Windows Hardware Compatibility Program (WHCP), which turned to be a malicious Windows rootkit. Please be aware of the new Netfilter driver rootkits.

According to Microsoft, the drivers were submitted for certification through the Windows Hardware Compatibility Program to make it a legit program. Microsoft has suspended the account as soon they determine it was malware and reviewed their submissions for additional signs of malware.

Primary Targets Of The New Netfilter Driver Rootkits:

The study says that the attacks are limited to the gaming sector, specifically in China, and do not appear to target any enterprise environments. “The main goal of the attack is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers.”

What Microsoft Says About The New ‘Netfilter Driver Rootkits’:

In addition to this, a cybersecurity researcher, Karsten Hahn from G Data, a German cybersecurity research company, shared more details of the Netfilter driver rootkit, including comprehensive analysis, which would give you a more idea about the malware.

Considering this as a lesson, Microsoft said, it’s going to refine its partner access policies and its validation & signing process to ensure more protections.

IOCs To Detect The New ‘Netfilter Driver Rootkits’

Here are some of the indicators of compromise captured during the investigation of the new Netfilter driver rootkits. We recommend scanning your machine to detect the infections and remove or re-image the system if infected.

C2 IP addresses:

110.42.4[.]18045.113.202[.]18045(.)248.10.244

Identified Files:

63d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0d64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a140604a269dd0a03e32e5b2a1c8ab0768791962e040d080d44dc44dab01dd7954f2b0856a1da15b2b3e8999bf9fc51bbdedd4051e21fab1302e2ce766180b4931d860c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c50eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a140612656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df12c0002af719c6abbc1e726b409fce099fffb90f758477f5295c152bde504caa16b6be03495a4f4cf394194566bb02061fba2256cc04dcbde5aa6a17e41b765018b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac11aa8ba45f9524847e2a36c0dc6fd80162923e88dc1be217dde2fb5894c65ff431cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af1d1f7e26109e6cb28c6b369c937b407d7b0cce3c4800ce9852eda94742b122591d60819f0ab8547dcd4eb18d39a0c317ec826332afa19c0a6af94bc681a21f141f05f74ebae7e65d389703d423445ffb269e657d8278b0523417e1f72b0228eb1f90d9c4d259c1fde4c7bb66a95d71ea0122e4dfb75883a6cb17b5c80ce6d18a22da5a055b7b17c69def9f5af54e257c751507e7b6b9a835fcf6245ab90ae75022f6fe6bd62fb03f7aee489cccbc918999f49596052ac0153c02cd7a3320de1323c061933d471c1f959c77806098ec0528d9b1d0130689bb3f417dd84313846824ea733bae1b8722841fb4c6cead93c4c4f0b1248ca9a21601b1ce6b95b0686426d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe26f2b9cf6e0fb50bad49a367bee63e808f1d53c476b38642d13c7db6e50687f42fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3314affdc86f62c8f8069ccd50a2cdf73bcd319773a031be700ba97a1ea4129a834c890fa43ca0e5165a4960549828ba43d7f48a216a22fc46204548ebfc34f723700b38d63d426ff0a985226b45eca6e24d052f4262d12aff529e62c2cb889c340c45c9b1c764777096b59f99ae524cbd25b88c805187e615c3ed6840f3d4c1545ee083e28fbb33afa41b1b8cd00d94c29dea8cb7cee70bae4079e6c3dfb55014ce61ad21f186cf10dbcc253feee31262203cb5c12c5a140d2dda5447c57aba1516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a135cb1dc26159c6700d6cadece63f6defda642ec1a6d324daefb0965b4e3746f705d0d5373c5e52c4405f4bd963413e6ef3490b7c4c919ec2d4e3fb92e91f397a062d7c5465852cdb7b59a86c20b4de5991c8f4820ce11a7c01cf0dde6032e500d630d7bdc20f33e6f822f52533a324865694886b7b74dfaad1dc30c9aee4260a2635273eaa4c2e20c4ec320c6c8447ce2e881984e97c9ed6aeec4fad16b934e8163d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0640eeb3128ae5c353034ee29cb656d38c41353743396c1c936afd4d04a7820876703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c06a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe16606a6db5febdaf3f1577bf97c6e1e24913e6c78b134062c02fd1f9875099c03a3f6c7f24d8ed000bc7ce842e4875b467f9de1626436e051bd351adf1f6f8bbacf870b63dfc3ed2b89a4eb8a0aa6c26885f460e5686d21c9d32413df0cdc5f962c779e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e36177ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a48249e9c0ac0840a36d9a5b9ff3e217198a2f533159acd4bf3d9b0132cc0798708e0b330a8df3076153638f5b76afc24d1083ebccc60e4d63ee0df5c11c45d58a93d99a5fbfc888c0a40a18946933121ae110229dcf206b4d17116a57e7cf4dc997030f3c81906334429afebbf365a89b66804ed890cd74038815ca18823d626c9b55b35284346bbcdc2754e60517e1702f0286770a080ee6ff3e7eed1cab812a9f9315790d0b0cc5213ac9a8eff0968cccc0a6c469b50d6598ce759748fe74bf9f9ebd6cd9b5b33ab2780122ee9c5feec84927f362890a062d13ef9816c7b85fa0050c33c8263da02618872d642617959b3564fe173985e078bfedb89df93724aa97f4f98ff842b1bfd78e920fcb1dedaec3f882dd19311bba6037430868e7a7ad2dd8a68ce22d0959f341e9269e8033b34362b34bdea50b8ee2390907f1a610b2cdcca011064d03ddd8fe3521ce0e9f9d8b16f63e4ecaf03eacfef47d22dbfb7516dca419d087ef844c42e061a834908f34e7363577ab128094973896222c8b847e717215e0198cb4e863bd96390613f83eb92693171be50ca14255c5fb088bbc58fd69ce5fed6691dd8d2084e9b728add808ffd5ea8b42ac284b686f77d9abfb4603902c6c9ff32bc36113280ee8b5687cc3ef4c0ff9fc56f2925c7f342f0c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99c2f23ad4e2f12c490cfd589764464e293d5d56c31b6b3f5081e2d677384cb2fec95af9eb52111b72563875d85d593d96d7e54e19690827a052377c77cc80e06fcaa0d9bb7ed2d21a76b71dfc22ffaef80371de8af2a03b8103cbcec332897a88d0e1639e6386ef3c063bfae334fcc35cdfa85068ac1a65bb58f2463276c31ac9d1ac4d07ba6fe1dd988c471975e49e35b83d03a9b9d626fa524fd8300b80b14ad4335f4189240a3bcafa05fab01f0707cc8e3dd7a2998af734c24916d9e37ca8d60fdabaf5a0ab375361d2ed1a9b39832bdb8bd33466d6c43d42a48ba2ffd274e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37e2449ccc74e745c0339850064313bdd8dc0eff17b3a4e0882184c9576ac93a89e8e7f2f889948fd977b5941e6897921da28c8898a9ca1379816d9f3fa9bc40ffedc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577edee6d0d0ea24be622521ee1a4defa5d5729b99ee2217ac65701d38d05dbc0d4e6f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71f83c357106a7d1d055b5cb75c8414aa3219354deb16ae9ee7efe8ee4c8c670cafd8a5313bf63f5013dc126620276fb4f0ef26416db48ee88cbaaca4029df1d73

Thanks for reading the threat post. Please share this with Windows users and make them be aware of this malware.