In a statement on Friday, Microsoft said it was investigating an incident where a Windows driver was found to be a malicious rootkit communicating with command-and-control (C2) servers located in China.
The driver, which is referred to as Netfilter, is said to work by spoofing a gamer’s geo-location to allow them to play from anywhere.
The actor can also hijack other players’ accounts by stealing credentials with keyloggers:
“The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers,” Microsoft Security Response Center (MSRC) said.
A security researcher at the cybersecurity company G Data spotted the rogue code signing: a driver that appeared to come from a legitimate developer but was in fact a rootkit that installed Netfilter on the system. The driver retrieved configuration information from a C2 server, which allowed it to perform various actions, such as redirecting IP traffic, receiving a root certificate, and self-updating the malware.
The oldest sample of Netfilter that was detected on VirusTotal dates to March 17, 2021, according to Johannes Hahn.
Microsoft said that it suspended the account of the actor who uploaded the malicious driver through the Windows Hardware Compatibility Program (WHCP).
According to Microsoft, the techniques used in the attack are post-exploitation, meaning the attacker must already hold administrative privileges on the system before they can deploy the driver.
In response to the growing number and sophistication of such attacks, the company said it plans to improve its partner access policies and processes. It also intends to strengthen its protections against exploitation.
“The security landscape continues to rapidly evolve as threat actors find new and innovative methods to gain access to environments across a wide range of vectors,” MSRC said, once again highlighting how legitimate processes can be exploited by threat actors to facilitate large-scale software supply chain attacks.