December 9, 2023

Microsoft confirmed that it gave its seal of approval to Netfilter, a malicious driver used to distribute rootkit malware, as part of its Windows Hardware Compatibility Program (WHCP).

Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system. Unsigned kernel-mode code should not be publicly released.

Attackers sometimes attempt to compromise the WHCP signing certificate, because it is much easier to distribute malware that appears to have been legitimately signed. In this case, Microsoft said the Netfilter driver was genuinely signed as part of the WHCP.

This mistake is characterized as a “supply-chain fiasco” because it showed even rootkit malware can receive Microsoft’s approval via the WHCP.

Microsoft says this attack was only effective post-exploitation because “an attacker must either have already gained administrative privileges in order to be able to run the installer to update the registry and install the malicious driver the next time the system boots or convince the user to do it on their behalf.” The issue was also limited to the gaming sector in China. The malware enabled attackers to gain access to games and to compromise other players with keyloggers.
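As an added defensive example (not part of the original post), the following PowerShell script enumerates the kernel-mode driver services registered in the registry, the same location the installer described above updates, and reports each driver image's Authenticode status and signer. It assumes an elevated PowerShell 5.1+ session on Windows; the 30-day "recently installed" window is a constructed threshold.

```powershell
# Added example, not from the original post: list kernel-mode driver services
# under HKLM\SYSTEM\CurrentControlSet\Services, resolve each driver image on
# disk, and report its Authenticode status and signer.
# Assumption: run from an elevated PowerShell session on Windows.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemRoot  = $env:SystemRoot

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    # ImagePath values appear in several forms:
    #   \SystemRoot\System32\drivers\foo.sys, System32\drivers\foo.sys,
    #   \??\C:\path\foo.sys, or a plain absolute path.
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$systemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $systemRoot $p }
    return $p
}

function Get-KernelDriverSignatures {
    # Service Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER
    Get-ChildItem $servicesKey | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ($props.Type -ne 1 -and $props.Type -ne 2) { return }
        $path = Resolve-DriverImagePath $props.ImagePath
        if (-not $path -or -not (Test-Path $path)) { return }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Service   = $_.PSChildName
            Start     = $props.Start          # 0 boot, 1 system, 2 auto, 3 demand
            Path      = $path
            Status    = $sig.Status           # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject
            Installed = (Get-Item $path).CreationTimeUtc
        }
    }
}

# Surface drivers whose signature does not verify, plus recently written ones
# even when the signature is valid: as the Netfilter case shows, a WHCP
# signature alone does not prove a driver is benign, so a new driver that is
# set to load at boot still deserves review.
$cutoff = (Get-Date).AddDays(-30).ToUniversalTime()   # constructed threshold
Get-KernelDriverSignatures |
    Where-Object { $_.Status -ne 'Valid' -or $_.Installed -gt $cutoff } |
    Sort-Object Installed -Descending |
    Format-Table Service, Start, Status, Signer, Installed -AutoSize
```

Correlate any driver that appears here with the corresponding service key write in your endpoint telemetry, since the registry change is the step the attacker must already have privileges to perform.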

Microsoft said it has suspended the account of an unidentified third party who built the Netfilter driver, blocked the driver via Microsoft Defender for Endpoint, and shared information “with other AV security vendors so they can proactively deploy detections” to their products.
