Malware is dangerous enough as it is. But those that appear harmless as they carry some form of indicators of legitimacy on them are probably the worst of the kind. Such is the case with a new malicious driver called “FiveSys“.
Security researchers over at Bitdefender found that this new malware, which is a rootkit, actually is digitally signed by Microsoft itself. The FiveSys malicious driver carries the Windows Hardware Quality Labs (WHQL) certification that is provided by Microsoft after careful verification of the driver packages sent in by its various partner vendors through the Windows Hardware Compatibility Program (WHCP).
Below, Bitdefender has explained why the FiveSys rootkit exists and how it functions:
The purpose of the rootkit is straightforward: it aims to redirect the internet traffic in the infected machines through a custom proxy, which is drawn from a built-in list of 300 domains. The redirection works for both HTTP and HTTPS; the rootkit installs a custom root certificate for HTTPS redirection to work. In this way, the browser doesn’t warn of the unknown identity of the proxy server.
It has been observed that FiveSys’ spread is so far limited only to China possibly indicating that the threat actors are primarily interested in that part of the region. In terms of other key characteristics, the associated whitepaper also mentions that the rootkit blocks registry modifications and tries to block its competitors’ access to an infected system.
Besides redirecting internet traffic, the rootkit also blocks loading of drivers from other malware writing groups, as they are probably attempting to limit competitor threat actors’ access to the compromised system.
Bitdefender says that after alerting Microsoft of this malicious rootkit, it has removed its signature from FiveSys.
Interestingly, this isn’t the first time such a thing has happened in recent memory. A similar malware called “Netfilter” was also validated by Microsoft back in June likely in a similar fashion.