Microsoft signed a malicious Netfilter rootkit

Gandalf_The_Grey

From Karsten Hahn (@struppigel):
What started as a false positive alert for a Microsoft signed file turns out to be a WFP application layer enforcement callout driver that redirects traffic to a Chinese IP. How did this happen?

Last week our alert system notified us of a possible false positive because we detected a driver[1] that was signed by Microsoft. Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system. Drivers without a Microsoft certificate cannot be installed by default.

In this case the detection was a true positive, so we forwarded our findings to Microsoft who promptly added malware signatures to Windows Defender and are now conducting an internal investigation. At the time of writing it is still unknown how the driver could pass the signing process.
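The point of the write-up above is that "signed by Microsoft" on its own is not a clean bill of health for a kernel driver. The following PowerShell is an added example, not code from the G Data post or from this thread: it inventories the drivers registered on a Windows host, resolves who actually signed each file, and pulls out running third-party drivers that carry a Microsoft signer, which is exactly the shape of the Netfilter case, so their hashes can be compared against threat intel. It assumes Windows PowerShell 5.1 or later and local administrator rights.

```powershell
# Added example (not from the G Data write-up or the thread): list kernel drivers
# with their Authenticode signer and SHA-256 so that a Microsoft signature is
# one data point rather than the whole trust decision.
function Get-DriverSignerInventory {
    [CmdletBinding()]
    param(
        # Drivers under the Windows directory are usually inbox; the ones worth a
        # second look are third-party drivers signed via Microsoft's hardware program.
        [string]$WindowsDir = $env:SystemRoot
    )

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName can be quoted, carry a \??\ or \SystemRoot\ prefix, or be
            # relative to the Windows directory; normalise before touching the file.
            $path = $_.PathName -replace '"', '' -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path -Path $env:SystemRoot -ChildPath $path
            }
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                Path      = $path
                InWindows = $path.StartsWith($WindowsDir, [System.StringComparison]::OrdinalIgnoreCase)
                Status    = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
}

# Running drivers outside the Windows directory whose signer is a Microsoft
# certificate: the signature is valid, but the hash still deserves a lookup.
Get-DriverSignerInventory |
    Where-Object { $_.State -eq 'Running' -and -not $_.InWindows -and $_.Signer -like '*Microsoft*' } |
    Sort-Object Name |
    Format-Table Name, Status, Signer, SHA256, Path -AutoSize
```

If you also want to see whether one of those drivers has registered a WFP callout, as the driver in the write-up did, `netsh wfp show state` dumps the current filters and callouts to an XML file for review.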
 

Vitali Ortzi

Then can we expect other malware with an MS signature?
Probably, as Microsoft signs a lot of hardware vendors' drivers over in China.
Won't be surprised if they mistakenly sign a malicious one.

That was fast that you posted this :D
Waiting for more information you and your friends could gather about this SSIRP Girard malware or whatever it’s called

Anyway, any update from Microsoft land?
Or are they too busy copycatting Mac OS for Windows 11 lol
 

The_King

Microsoft has now confirmed signing a malicious driver being distributed within gaming environments.

This driver, called "Netfilter," is in fact a rootkit that was observed communicating with Chinese command-and-control (C2) IPs.

G Data malware analyst Karsten Hahn first took notice of this event last week and was joined by the wider infosec community in tracing and analyzing the malicious drivers bearing the seal of Microsoft.

It turns out, the C2 infrastructure belongs to a company classified under "Communist Chinese military" by the US Department of Defense.

This incident has once again exposed threats to software supply-chain security, except this time it stemmed from a weakness in Microsoft's code-signing process.
