Cybercriminals have found a way to get their malware certified by Microsoft
Rootkit authors may have found a way to abuse the digital signing process, security researchers reason
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Cybersecurityresearchers have discovered yet another rootkit that has abusedMicrosoft’s Windows Hardware Quality Labs (WHQL) signing process.
Researchers at security vendorBitdefenderhave uncovered the FiveSys rootkit, which is the second rootkit they’ve run into that has managed to make its way through Microsoft’s driver certification process.
“Most of the rootkit cases we documented in the past rely on stolen digital certificates from legitimate companies, so up until recentlymalwarewriters used stolen digital certificates to sign their drivers,”observed Bitdefender, noting the change in tactics.
We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.
Click here to start the survey in a new window«
According to their analysis, FiveSys seems to be designed to targetonline gamesin order to steal their credentials and hijack in-game purchases.
Abusing the process
Bitdefender believes that FiveSys, and the Netfilter rootkit, which was the first one to abuse Microsoft’s digital signing process, aren’t isolated incidents, and perhaps point towards a new trend of malware using WHQL signatures.
The basis for their argument are the lucrative new driver signing requirements from Microsoft, which demand drivers to be digitally signed by the company in order for them to be accepted byWindows.
“This new requirement ensures that all drivers are validated and signed by theoperating systemvendor rather than the original developer and, as such, digital signatures offer no indication as to the identity of the real developer,” says Bitdefender suggesting that submitting to the process helps the threat actors hide their identity.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
While their motivations seem to be clear, how exactly they managed to work around the certification process to obtain legitimate certificates, continues to remain a mystery.
Soon after discovering the malware though, Bitdefender reached out to Microsoft to flag this abuse of digital trust, leading to the software giant revoking the signature.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
This new phishing strategy utilizes GitHub comments to distribute malware
Should your VPN always be on?
Anker Nebula Mars 3 review: A powerful and truly portable projector
