Microsoft Signed FiveSys Rootkit Targets Gamers In China

Researchers have identified a rootkit called FiveSys, with a valid digital signature from Microsoft, that is being used to redirect traffic to an attacker-controlled custom proxy server and is likely operated by a threat actor with significant interest in China’s gaming market. The rootkit has been targeting users for over a year and the primary motivation for its use appears to be credential theft and in-app purchase hijacking.

“Rootkits are some of the most powerful and most coveted tools in a cybercrime group’s arsenal because they enable full control of the compromised device,” said Bogdan Botezatu, Director of Threat Research and Reporting at Bitdefender. “One of the most effective ways for attackers to achieve this level of control is by sneaking rootkits through a company’s third-party software validation program, just like attackers are targeting Microsoft’s driver certification process. Similarly, Android malware developers are trying to sneak malicious content into official mobile app markets.”

FiveSys is the second Microsoft-signed malware that security researchers have publicly reported in recent months. In June, G-Data announced it had observed a rootkit named Netfilter that, like FiveSys, targeted gamers in China. Both rootkits are similar in that they somehow made it past Microsoft’s driver certification program and targeted the same type of environment. However, the two malware families appear unrelated, according to Botezatu.

In a recent report, Bitdefender said its researchers have observed a surge in malicious drivers carrying valid Microsoft-issued digital signatures over the past few months, and the vendor expects to see more of them in the months ahead. Microsoft’s WHQL testing is part of the company’s Windows Hardware Compatibility Program, which is designed to ensure that drivers and other third-party software developed for Windows computers are fully compatible with Microsoft technology. Since 2016, the company has insisted on validating and signing all drivers itself as a security precaution.
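The practical consequence of the WHQL process is that a third-party driver which passed Microsoft's validation carries a Microsoft signature, so "signed by Microsoft" does not by itself tell a defender who wrote the driver. The following PowerShell script is an added example (not code from the article, from Bitdefender or from Microsoft) that inventories the kernel drivers running on a Windows host and sorts them by who signed them, separating Microsoft's own drivers from WHQL-attested third-party drivers and from anything whose signature does not verify. The `$TrustedSigners` list and the category names are assumptions chosen for this example; it uses only the built-in `Get-CimInstance` and `Get-AuthenticodeSignature` cmdlets and should be run in an elevated session on the host being triaged.

```powershell
# Added example, not from the article: list running kernel drivers with their signer.
# A WHQL-signed third-party driver is signed by
# "Microsoft Windows Hardware Compatibility Publisher", so a valid Microsoft
# signature alone does not identify the author. Run elevated on the host under review.

function Get-DriverSignerReport {
    [CmdletBinding()]
    param(
        # Assumed list of signer common names treated as Microsoft's own code.
        [string[]]$TrustedSigners = @('Microsoft Windows', 'Microsoft Corporation')
    )

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # Normalise kernel-style paths (\??\C:\..., \SystemRoot\..., System32\...) to a file path.
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^System32', "$env:SystemRoot\System32"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # Pull the CN out of the certificate subject for readability.
        $cn = if ($subject -match 'CN=([^,]+)') { $Matches[1] } else { $subject }

        # Category names are this example's own labels.
        $category = 'OtherSigner'
        if ($sig.Status -ne 'Valid') {
            $category = 'ReviewSignature'        # NotSigned, HashMismatch, etc.
        }
        elseif ($cn -eq 'Microsoft Windows Hardware Compatibility Publisher') {
            $category = 'WHQLThirdParty'         # Microsoft attested to it, did not author it
        }
        elseif ($TrustedSigners -contains $cn) {
            $category = 'MicrosoftOwn'
        }

        [pscustomobject]@{
            Name     = $d.Name
            Path     = $path
            Status   = $sig.Status
            SignerCN = $cn
            Category = $category
        }
    }
}

# WHQL third-party drivers and anything that does not verify are the rows to review.
Get-DriverSignerReport |
    Sort-Object Category, Name |
    Format-Table Name, Category, Status, SignerCN -AutoSize
```

The report does not decide whether a driver is malicious; it narrows the list. Drivers in the `WHQLThirdParty` bucket are the ones where the Microsoft signature says nothing about the author, so their file path, vendor metadata and the reason they are present on the host are what an investigator would check next.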

(All information was provided by Dark Reading)
