
Stealthy Microsoft-Signed Rootkit Targets The Gaming Sector


Trend Micro researchers have a report on a signed rootkit that communicates with a large C&C infrastructure and whose main victims are in China's gaming sector. The malware appears to have passed through the Windows Hardware Quality Labs (WHQL) process to obtain a valid signature. To me, that is mind-blowing, and I'll explain why in a moment.

The malware goes to great lengths to remain stealthy and take control of the target systems, most of which should set off red flags:

Dave Ratner, CEO, HYAS had this to say:

“This is yet another example where having visibility into anomalous communication to command-and-control structures, aka adversary infrastructure, is a vital part of a defense-in-depth strategy and a key component of the overall security stack. If organizations haven’t yet deployed Protective DNS across their infrastructure and environments, they should make plans to do so immediately.”

Why this blows my mind is simple. The whole point of having signed drivers is to stop this scenario dead. But somehow the threat actors managed to take advantage of the WHQL process to execute their plans. Hopefully Microsoft can do something to make this scenario far less likely in the future.
