On Friday, Microsoft admitted that it had signed malicious third-party driver code sent for certification through its Windows Hardware Compatibility Program.
According to Microsoft, the actor behind the rogue driver was targeting computer gamers in China and is not part of the state-backed group that has been causing headaches for Microsoft and its corporate customers for the past few months.
Once installed on a Windows computer, the rootkit-level software can be used to circumvent regional restrictions on games and/or eavesdrop on players to steal their login credentials as they enter them. It is possible that the malware was distributed to gamers as a tool for bypassing location checks, while also secretly spying on the gamers who installed it.
“The actor’s goal is to use the driver to trick their geolocation, to trick the system, and to play from anywhere,” Microsoft’s security team explained. “The malware allows them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools such as keyloggers.”
To install the rootkit on a victim’s computer, the attacker needs administrator-level access on the box or has to persuade the user to allow the driver to be installed – which is easier to do when the code is signed by Microsoft.
The maker of Windows, which also revealed on Friday that Nobelium, the group behind the SolarWinds attack, had compromised a Microsoft support account in a separate phishing operation, said it was investigating an unidentified actor’s efforts to distribute malicious drivers in gaming environments.
“The actor submitted drivers for certification through the Windows Hardware Compatibility Program,” Microsoft’s security team said in a blog post. “The drivers were built by a third party. We have suspended the account and reviewed their submissions for additional signs of malware.”
Security researcher Karsten Hahn identified the driver as Netfilter, a rootkit that connects to an IP address registered to Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd, in China. Hahn first flagged the find on June 17, 2021.
Microsoft said it saw no signs that its WHCP signing certificate or infrastructure had been compromised. The software giant is updating Microsoft Defender’s signatures to detect and block the rogue driver, and is sharing the signature information with other antivirus vendors so they can update their own detection mechanisms.
However, some gamers in China may already have been compromised by this driver.
Redmond said it plans to share further details at some point on how it is “improving our partner access policies, validation and signing process to further improve our protection.” ®