Hackers Trick Microsoft Into Signing Netfilter Driver Loaded With Rootkit Malware

Microsoft on Friday said it can be investigating an incident whereby a driver signed by the company turned out to be a malicious Windows rootkit that was observed communicating with command-and-control (C2) servers situated in China.

The driver, known as “Netfilter,” is claimed to target gaming environments, exclusively in the East Asian region, with the Redmond-based mostly company noting that “the actor’s goal is to use the driver to spoof their geo-locale to cheat the system and participate in from anyplace.”

Stack Overflow Teams

“The malware enables them to acquire an edge in games and potentially exploit other players by compromising their accounts through common resources like keyloggers,” Microsoft Security Reaction Center (MSRC) stated.

The rogue code signing was spotted by Karsten Hahn, a malware analyst at German cybersecurity organization G Knowledge, who shared added specifics of the rootkit, including a dropper, which is applied to deploy and install Netfilter on the system.


Upon prosperous set up, the driver was observed to build relationship with a C2 server to retrieve configuration facts, which made available a selection of functionalities these types of as IP redirection, among the other abilities to receive a root certification and even self-update the malware.


The oldest sample of Netfilter detected on VirusTotal dates again to March 17, 2021, Hahn stated.

Enterprise Password Management

Microsoft observed that the actor submitted the driver for certification as a result of the Windows Components Compatibility Program (WHCP), and that the motorists were being developed by a third-get together. The enterprise has given that suspended the account and reviewed its submissions for additional signs of malware.

The Home windows maker also stressed that the procedures employed in the attack come about post-exploitation, which necessitates that the adversary will have to have experienced beforehand attained administrative privileges so as to be capable to set up the driver all through system startup or trick the user into doing it on their behalf.

On top of that, Microsoft said it intends to refine its associate entry policies as nicely as its validation and signing procedure to increase protections even more.

“The protection landscape carries on to rapidly evolve as menace actors uncover new and impressive techniques to achieve access to environments across a broad range of vectors,” MSRC stated, at the time all over again highlighting how legitimate processes can be exploited by risk actors to facilitate massive-scale application supply chain attacks.

Fibo Quantum