Microsoft is investigating an incident involving a driver signed by the company that turned out to be a malicious Windows rootkit distributed within gaming environment in China.
The tech giant was alerted about the issue by G DATA Software security analyst Karsten Hahn, who said his company received a false-positive alert from a driver named ‘Netfilter’ that was signed by Microsoft. The investigation into the matter revealed that the positive was valid. The Netfilter driver signed by Microsoft was redirecting traffic bound for hundreds of IP addresses to a server in China.
Once installed, the driver contacts its command and control server to retrieve configuration information. The malware has a number of features, such as IP redirection, ability to receive a root certificate and has a self-update mechanism.
According to Microsoft, the malicious driver built by a third party was submitted for certification through the Windows Hardware Compatibility Program. The company has since suspended the account and reviewed their submissions for additional signs of malware.
“The actor’s activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments. We are not attributing this to a nation-state actor at this time. The actor’s goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers,” the company said.
Microsoft also noted that the techniques employed in this attack occur post exploitation, which means an attacker must have administrative privileges to be able to run the installer to update the registry and install the malicious driver the next time the system boots, or they need to trick the user into doing it on their behalf.
The Windows maker said it intends to refine its partner access policies, validation and the signing process to further enhance protections.