Trend Micro researchers have a report on a signed rootkit that communicates with a large C&C infrastructure whose main victims are in the gaming sector in China. The malware appears to have passed through the Windows Hardware Quality Labs (WHQL) process to obtain a valid signature, which to me is mind-blowing. I’ll explain why in a moment.
The malware goes to great lengths to remain stealthy and take control of the target systems, most of which should set off red flags:
- Disables the User Account Control (UAC) and Secure Desktop mode
- Initializes Winsock Kernel objects for initiating network comms with the C&C server
- Periodically connects to the C&C server, retrieves and decrypts new payloads and loads them directly into memory (never touching the disk to bypass detections)
- Plug-ins modify the Registry to achieve persistence, disarm Microsoft Defender Antivirus, and deploy a proxy on the machine, redirecting web browsing traffic to a remote proxy
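The second and third bullets describe the one behaviour that is hard for the rootkit to hide from the network: it has to call home on a schedule. Below is an added example (my own illustration, not code from the Trend Micro report or from HYAS) of the kind of beaconing check that "visibility into anomalous communication to command-and-control structures" means in practice. It groups outbound connections by source, destination and port, measures how regular the gaps between them are, and flags pairs whose coefficient of variation is near zero. The log format, the host name `ws-17`, and the destination addresses are constructed sample data; the thresholds `min_events` and `max_cv` are assumptions to tune per environment.

```python
"""Flag beacon-like (periodic) outbound connections in a connection log.

Added example, not part of the original post. The log lines, hosts and
addresses below are constructed; 203.0.113.9 is documentation space.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: ISO timestamp, source host, destination IP, port.
# 203.0.113.9:443 is contacted every ~5 minutes; the internal hosts are
# contacted at irregular times and should not be flagged.
SAMPLE_LOG = """\
2023-06-12T09:00:00 ws-17 10.0.0.5 445
2023-06-12T09:00:03 ws-17 203.0.113.9 443
2023-06-12T09:01:10 ws-17 10.0.0.8 80
2023-06-12T09:03:45 ws-17 10.0.0.8 80
2023-06-12T09:05:03 ws-17 203.0.113.9 443
2023-06-12T09:07:41 ws-17 10.0.0.5 445
2023-06-12T09:10:04 ws-17 203.0.113.9 443
2023-06-12T09:15:02 ws-17 203.0.113.9 443
2023-06-12T09:20:03 ws-17 203.0.113.9 443
2023-06-12T09:22:19 ws-17 10.0.0.8 80
2023-06-12T09:25:04 ws-17 203.0.113.9 443
2023-06-12T09:40:00 ws-17 10.0.0.8 80
2023-06-12T09:41:07 ws-17 10.0.0.8 80
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, port)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps):
    """Return (mean_gap_seconds, coefficient_of_variation) for a series of
    timestamps, or None when there are too few points to judge regularity.
    A CV close to 0 means the gaps are nearly identical, i.e. a timer."""
    if len(timestamps) < 3:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(events, min_events=4, max_cv=0.1):
    """Return the (src, dst, port) tuples whose connection cadence is
    regular enough to look like a scheduled check-in."""
    hits = []
    for (src, dst, port), stamps in events.items():
        if len(stamps) < min_events:
            continue
        score = beacon_score(stamps)
        if score is None:
            continue
        avg, cv = score
        if cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "port": port,
                "count": len(stamps),
                "interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

Real beacons usually add jitter, so in production you would raise `max_cv`, look at the distribution of gaps rather than a single statistic, and correlate with DNS logs so that a destination that rotates IPs but keeps the same domain is still grouped together. The point the example makes is that a loader that "never touches the disk" still leaves a very regular footprint on the wire.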
Dave Ratner, CEO of HYAS, had this to say:
“This is yet another example where having visibility into anomalous communication to command-and-control structures, aka adversary infrastructure, is a vital part of a defense-in-depth strategy and a key component of the overall security stack. If organizations haven’t yet deployed Protective DNS across their infrastructure and environments, they should make plans to do so immediately.”
Why this blows my mind is simple. The whole point of having signed drivers is to stop this scenario dead. But it seems that somehow the threat actors managed to take advantage of the WHQL process to execute their plans. Hopefully Microsoft can do something to make this scenario far less likely in the future.