Microsoft confirms it signed a rootkit driver
Microsoft acknowledges that it has signed a driver that contains a rootkit. The company is currently investigating this rootkit, which Microsoft says was only deployed in the Chinese gaming sector.
Microsoft confirms in a blog post that the actor behind the rootkit, which is called Netfilter, submitted the driver for validation, after which Microsoft signed it. The actor had submitted drivers for certification through the Windows Hardware Compatibility Program. “The drivers were created by a third party. We suspended the account and reviewed the submitted drivers for additional signs of malware.”
Microsoft claims that the actor behind this rootkit is only active in the ‘Chinese gaming sector’. According to the tech giant, there are no indications that Netfilter was used to compromise corporate environments. The company also reports that it does not currently attribute the attack to a state-backed actor. Microsoft writes that users need not take any measures other than “following good security measures and deploying antivirus software.”
“The goal of the actor is to use the driver to spoof their geolocation to cheat the system and play anywhere,” Microsoft said. As a result, the malware would allow them to “gain an advantage in games” and “potentially exploit other players by stealing their accounts through tools such as keyloggers.”
The signed rootkit driver was spotted last Friday by G Data, a German cybersecurity company whose products include antivirus software. The malware communicates with Chinese servers. “The main functionality of the rootkit driver is traffic redirection,” the company wrote. The rootkit can also update itself.
Since Windows Vista, code running in kernel mode must be signed by Microsoft before it can be loaded, and drivers without a Microsoft-issued signature cannot be installed by default. G Data was therefore recently alerted to a possible false positive when its antivirus software flagged a Netfilter driver that carried a valid Microsoft signature.
“But in this case, the detection was really positive, so we forwarded our findings to Microsoft, who quickly added the malware to Windows Defender and is conducting an internal investigation,” said G-Data.
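The lesson of this case is that a valid Microsoft signature on a kernel driver is not by itself proof that the driver is benign. The following PowerShell script is an added example, not code from the article, from G Data or from Microsoft: it enumerates the installed kernel drivers, checks each file's Authenticode signature and signer, and records a SHA-256 hash so the file can be looked up against antivirus or threat-intelligence detections. The function name and the filter criteria are the author's own choices.

```powershell
# Added defender-side check: list kernel drivers with their signature status,
# signer and SHA-256 hash. Requires an elevated PowerShell session on Windows.
function Get-KernelDriverSignatureReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Normalise NT-style paths such as \??\C:\... and \SystemRoot\...
            $path = $_.PathName -replace '^\\\?\?\\', '' `
                                -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name   = $_.Name
                State  = $_.State            # Running / Stopped
                Path   = $path
                Status = $sig.Status         # Valid, NotSigned, HashMismatch, ...
                Signer = $sig.SignerCertificate.Subject
                Sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
}

# Surface drivers whose embedded signature is broken, or whose signer is not
# Microsoft. Hashes of anything unexpected can then be checked against AV
# detections, which is exactly how the signed Netfilter driver was caught.
Get-KernelDriverSignatureReport |
    Where-Object {
        $_.Status -eq 'HashMismatch' -or
        ($_.Status -eq 'Valid' -and $_.Signer -notmatch 'O=Microsoft Corporation')
    } |
    Format-Table Name, State, Status, Signer, Sha256 -AutoSize
```

Many in-box Windows drivers are catalog-signed rather than carrying an embedded signature, so they report `NotSigned` here; that status alone is not suspicious, which is why the filter above keys on hash mismatches and non-Microsoft signers instead.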
The signed Netfilter driver. Source: G Data