FiveSys, a New Malicious Microsoft-Signed Rootkit


A newly identified rootkit was signed with a valid digital signature issued by Microsoft. For over a year it targeted Chinese gamers and was able to redirect their web traffic to attacker-controlled servers.

Dubbed FiveSys and first identified by Bitdefender, the rootkit was spotted stealing credentials and hijacking in-game purchases.

Microsoft has revoked the driver's signature following a responsible disclosure by Bitdefender.

“Digital signatures are a way of establishing trust,” Bitdefender researchers said in a paper. “A valid digital signature helps the attacker navigate around the operating system’s restrictions on loading third-party modules into the kernel. Once loaded, the rootkit allows its creators to gain virtually unlimited privileges.”

A rootkit is software that draws on the trusted infrastructure of the victim's own system to carry out its malicious actions. Because it runs in the kernel, it can hide itself from the operating system and give threat actors a far deeper level of persistence than ordinary user-mode malware.
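Since the whole case turns on a driver that carried a genuine Microsoft signature, a practitioner's first question is "which kernel drivers on my hosts are signed, by whom, and is that signature still good after the revocation?" The following PowerShell script is an added example written for this article; it is not code from the article, from Bitdefender, or from Microsoft. It enumerates the drivers currently running on a Windows host, verifies each file's Authenticode signature, rebuilds the signer's certificate chain with an online revocation check, and compares the signer against an illustrative allowlist. The function names and the entries in `$allowedSigners` are assumptions for illustration; the `Get-CimInstance`, `Get-AuthenticodeSignature` and `X509Chain` calls are standard Windows/.NET APIs.

```powershell
# Added example (not from the article, Bitdefender or Microsoft): audit the
# Authenticode signatures of currently loaded kernel drivers on a Windows host.
# Run from an elevated PowerShell session on the host being audited.

# Illustrative allowlist of signer subject prefixes (assumption: adapt to your
# fleet). Note that a WHQL-signed malicious driver such as the one described in
# the article WOULD pass this allowlist; only the revocation check catches it.
$allowedSigners = @(
    'CN=Microsoft Windows',
    'CN=Microsoft Windows Hardware Compatibility Publisher'
)

# Resolve the on-disk path of every running driver (Win32_SystemDriver reports
# paths in several forms: \SystemRoot\..., \??\C:\..., or relative to System32).
function Get-LoadedDriverPaths {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $p = $_.PathName -replace '^\\\?\?\\', ''
            $p = $p -replace '^\\SystemRoot', $env:SystemRoot
            if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
            $p
        } |
        Sort-Object -Unique
}

# Verify one driver file: Authenticode status, signer subject, chain validity
# with ONLINE revocation checking, and allowlist membership.
function Test-DriverSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path    = $Path
        Status  = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer  = $null
        ChainOk = $false
        Revoked = $false
        Allowed = $false
    }

    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject

        # Get-AuthenticodeSignature's Status does not guarantee an online
        # revocation lookup, so build the chain explicitly with revocation on.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag =
            [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

        $result.ChainOk = $chain.Build($sig.SignerCertificate)
        # ChainStatus holds one entry per problem; a revoked leaf or issuer
        # surfaces as the 'Revoked' flag in one of them.
        $statusText = $chain.ChainStatus | ForEach-Object { $_.Status.ToString() }
        $result.Revoked = [bool]($statusText -match 'Revoked')

        $result.Allowed = [bool]($allowedSigners |
            Where-Object { $result.Signer -like "$_*" })
    }

    [pscustomobject]$result
}

# Audit every loaded driver and print only the ones that deserve a look:
# unsigned, tampered, untrusted, revoked, chain failure, or off-allowlist.
$findings = Get-LoadedDriverPaths |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-DriverSignature -Path $_ }

$findings |
    Where-Object { $_.Status -ne 'Valid' -or $_.Revoked -or -not $_.ChainOk -or -not $_.Allowed } |
    Format-Table Path, Status, Signer, ChainOk, Revoked, Allowed -AutoSize
```

Two caveats worth keeping in mind when reading the output. First, the allowlist is deliberately the weak half of the check: the article's whole point is that a driver signed through Microsoft's own program looks exactly like a legitimate WHQL driver, so signer matching alone would have waved FiveSys through; it is the online revocation result, available only after Microsoft revoked the signature, that distinguishes it. Second, the online chain build needs outbound access to the CRL/OCSP endpoints; on an isolated host `ChainOk` will be false for every driver with a "RevocationStatusUnknown" or "OfflineRevocation" status rather than "Revoked", so treat those two results differently before escalating.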

FiveSys redirects the victim's HTTP and HTTPS traffic through a custom proxy server to a rogue server under the attacker's control. Its operators also try to keep rivals off the same machines: the rootkit uses several techniques to stop drivers from competing groups from loading, including a blocklist of the stolen certificates those drivers are signed with. They also plan for takedown attempts:

“To make potential takedown attempts more difficult, the rootkit comes with a built-in list of 300 domains on the ‘.xyz’ [top-level domain],” the researchers noted. “They seem to be generated randomly and stored in an encrypted form inside the binary.”

This is the second publicly reported case of a malicious driver carrying a valid Microsoft signature slipping through Microsoft's driver-signing process.

In June 2021, German cybersecurity company G Data reported another rootkit called Netfilter (called “Retliften” by Microsoft). It was also designed to target gamers in China.

For all the technical details and a full list of indicators of compromise, read the “Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions” whitepaper.

About the author

CIM Team


CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts with over 20 years of experience, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for the knowledge and insight needed to navigate today's emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.