Wed | Jul 12, 2023 | 3:24 PM PDT

Microsoft has nullified more than 100 different malicious drivers that were originally given valid signatures by its Windows Hardware Compatibility Program (WHCP).

Upon learning of the malicious drivers, Microsoft promptly took action by revoking the certificates associated with them and adding them to the driver revocation list. As a result, the drivers will be blocked from running on Windows systems going forward, limiting their potential impact.

So how did this occur? Security researchers believe that Chinese threat actors found a loophole in Microsoft's WHCP that let them obtain a valid signature for code that should never have been certified.

The nefarious drivers, originating from the Chinese cybercrime underground, served various malicious purposes. The researchers identified browser hijackers such as RedDriver, a rootkit-level loader called FiveSys, as well as "endpoint protection killers" designed to bypass security software. The threat actors had also previously deployed many gaming cheats and game-cracking tools, posing a threat to online gaming communities.

Microsoft's WHCP exists to certify drivers and ensure that they run smoothly and reliably on Microsoft-certified hardware. With help from Sophos, Trend Micro, and Cisco, Microsoft was able to identify the third-party drivers and confirm their malicious intent. These drivers were immediately placed on Microsoft's Windows Driver.STL revocation list, which serves as a blocklist of drivers whose signatures Microsoft has revoked.
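An added defender-side check (example code, not from the article or from Microsoft): enumerate the drivers registered on a Windows host and report the Authenticode status of each binary, so that drivers whose signature chain no longer validates (for example because the signing certificate has since been revoked) can be reviewed. It assumes Windows PowerShell 5.1 or later, the built-in `Get-CimInstance` and `Get-AuthenticodeSignature` cmdlets, and read access to the driver files; the kernel-side Driver.STL blocklist is enforced separately and is not queried here.

```powershell
# Added example (not from the article): audit the Authenticode status of
# every driver registered on this host. Assumes Windows PowerShell 5.1+
# and read access to the driver files under %SystemRoot%.
function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        # Only emit drivers whose signature status is something other than 'Valid'.
        [switch]$ProblemsOnly
    )

    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $raw = $_.PathName
        if (-not $raw) { return }   # some entries carry no path; skip them

        # Win32_SystemDriver.PathName uses kernel-style paths such as
        # "\??\C:\...\foo.sys" or "\SystemRoot\system32\drivers\foo.sys";
        # map them onto ordinary Win32 paths before touching the file.
        $path = $raw -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name       = $_.Name
            State      = $_.State        # Running / Stopped
            StartMode  = $_.StartMode    # Boot / System / Auto / Manual / Disabled
            Path       = $path
            Status     = $sig.Status     # Valid, NotSigned, NotTrusted, HashMismatch, ...
            Signer     = $sig.SignerCertificate.Subject
            Thumbprint = $sig.SignerCertificate.Thumbprint
        }
    } | Where-Object { -not $ProblemsOnly -or $_.Status -ne 'Valid' }
}

# Usage: list every registered driver whose signature does not validate,
# most severe status first, for manual review against vendor expectations.
Get-DriverSignatureReport -ProblemsOnly | Sort-Object Status, Name | Format-Table -AutoSize
```

A status of `NotTrusted` or `NotSigned` on a running, boot- or system-start driver is the case worth investigating first; a `Valid` result only means the chain verified on this host at this moment, so the signer subject and thumbprint should still be compared against what the hardware vendor actually ships.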

Cisco Talos researchers reported that the most common tools used in the exploit were FuckCertVerify and HookSignTool. These tools have existed for around five years and were used to help threat actors sign malicious payloads.

Three threat researchers from Trend Micro released an entry on the investigation, touching on how they initially believed it to be a false detection, but soon after realized it was a "novel piece of signed rootkit that communicates with a large command-and-control infrastructure."

The exploitation of the Windows Hardware Compatibility Program by Chinese threat actors to distribute malicious drivers emphasizes the constant efforts of cybercriminals to find vulnerabilities and bypass security measures. It serves as a reminder that the cybersecurity landscape is constantly evolving, necessitating continuous innovation and adaptation from both software developers and security professionals.
