A newly identified rootkit was signed with a valid digital signature issued by Microsoft. For over a year, it targeted Chinese gamers and was able to redirect their traffic to attacker-controlled websites.
Dubbed FiveSys and first identified by Bitdefender, the rootkit was spotted stealing credentials and in-game purchases.
Microsoft has revoked the signature certificate following a responsible disclosure by Bitdefender.
“Digital signatures are a way of establishing trust,” Bitdefender researchers said in a paper. “A valid digital signature helps the attacker navigate around the operating system’s restrictions on loading third-party modules into the kernel. Once loaded, the rootkit allows its creators to gain virtually unlimited privileges.”
A rootkit is a type of software that draws on the existing infrastructure of a victim’s system to carry out its malicious actions. It can hide itself from the operating system and give threat actors long-lasting persistence.
FiveSys is a type of malware that tries to redirect HTTP and HTTPS traffic to a rogue server controlled by an attacker. It uses a custom proxy server to do so. Often, the rootkit operators also use a variety of techniques to prevent drivers belonging to competing groups from loading, such as a signature blocklist of stolen certificates.
“To make potential takedown attempts more difficult, the rootkit comes with a built-in list of 300 domains on the ‘.xyz’ [top-level domain],” the researchers noted. “They seem to be generated randomly and stored in an encrypted form inside the binary.”
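As an added defender's check (not from this article or the Bitdefender whitepaper), the following PowerShell lists every running kernel driver with its Authenticode signature status and signer, so a driver whose certificate was later revoked, or one that was never properly signed, surfaces for triage. It assumes Windows PowerShell 5.1 or later on the host, run with administrator rights; the function and variable names are my own.

```powershell
# Added example, not code from the article or from Bitdefender.
# Enumerates running kernel drivers and checks each file's Authenticode
# signature. Status tells you whether the hash matches and the chain reaches
# a trusted root; whether a revoked certificate (as with the FiveSys signature
# Microsoft revoked) is also caught depends on the host's revocation-checking
# settings, so the signer and expiry are recorded for comparison against a
# known-good baseline as well.
# Assumes Windows PowerShell 5.1+ and an elevated session.

function Get-RunningDriverSignatures {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may be quoted, prefixed with \??\ or \SystemRoot\, or be
            # relative to the Windows directory; normalise to a plain file path.
            $path = $_.PathName -replace '"', '' -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Name     = $_.Name
                Path     = $path
                Status   = $sig.Status
                Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                NotAfter = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
            }
        }
}

# Full inventory for the baseline, then everything that is not a clean 'Valid'.
$drivers = Get-RunningDriverSignatures
$drivers | Export-Csv -Path "$env:TEMP\driver-signatures.csv" -NoTypeInformation
$drivers | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Name | Format-Table -AutoSize
```

Because a kernel rootkit can tamper with what user-mode tooling sees, treat results from a suspect host as a first pass rather than proof, and compare against the same inventory taken from a known-clean machine.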
This is the second time that a malicious driver with a valid digital signature has slipped through the cracks at Microsoft.
In June 2021, German cybersecurity company G Data reported another rootkit called Netfilter (called “Retliften” by Microsoft). It was also designed to target gamers in China.
For all the technical details and a full list of indicators of compromise, read the “Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions” whitepaper.