Microsoft approved a Windows driver booby-trapped with rootkit malware

Microsoft on Friday admitted it had signed malicious third-party driver code submitted for certification through its Windows Hardware Compatibility Program.

According to Microsoft, the miscreant behind the subverted driver was focused on computer game players in China, and is not the sort of nation-state-backed group that has been giving Microsoft and its enterprise customers headaches over the past few months.

The rootkit-grade software, once installed on a Windows PC, could be used to circumvent region-based restrictions in games and/or snoop on players to steal their account login credentials as they typed them in. It might be that the person behind the booby-trapped driver intended to distribute the software as a tool for bypassing location checks that also secretly spied on gamers.

"The actor’s goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere," Microsoft's security team explained. "The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers."

To install the rootkit on a victim's computer, an attacker would already need admin-level access on the box, or would need to convince the user to authorize the driver's installation – which is easier to do when the code is signed by Microsoft.

• SolarWinds backdoor gang pwns Microsoft support agent to turn sights on customers
• Developing for Windows 11: Like developing for Windows 10, but with rounded corners?
• What you need to know about Microsoft Windows 11: It will run Android apps
• Windows 11: Meet the new OS, same as the old OS (or close enough)

The Windows maker, which also on Friday disclosed that the Nobelium group behind the SolarWinds attack compromised a Microsoft support desk account in a separate phishing operation, said it is investigating the unidentified threat actor's efforts to distribute subverted drivers in gaming environments.

"The actor submitted drivers for certification through the Windows Hardware Compatibility Program," Microsoft's security team said in a blog post. "The drivers were built by a third party. We have suspended the account and reviewed their submissions for additional signs of malware."

Security researcher Karsten Hahn identified the driver as Netfilter, a rootkit that connects to an IP address registered to Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd, in China. Hahn initially flagged the finding on June 17, 2021.

On the bright side, Microsoft said it has seen no sign that its WHCP signing certificate or infrastructure were compromised. The software giant has updated its Microsoft Defender data to detect and block the devious driver and has shared signature information with other antivirus security vendors so they can tune their detection mechanisms.

Nonetheless, some gamers in China may have been compromised as a result of this driver.

Redmond said it plans, at some point, to share additional details about how it is "refining our partner access policies, validation and the signing process to further enhance our protections." ®