Microsoft WHQL-signed FiveSys driver was actually malware in disguise


Level 53
Content Creator
Apr 24, 2016
Malware is dangerous enough as it is. But those that appear harmless as they carry some form of indicators of legitimacy on them are probably the worst of the kind. Such is the case with a new malicious driver called "FiveSys".

Security researchers over at Bitdefender found that this new malware, which is a rootkit, actually is digitally signed by Microsoft itself. The FiveSys malicious driver carries the Windows Hardware Quality Labs (WHQL) certification that is provided by Microsoft after careful verification of the driver packages sent in by its various partner vendors through the Windows Hardware Compatibility Program (WHCP).

Below, Bitdefender has explained why the FiveSys rootkit exists and how it functions:

The purpose of the rootkit is straightforward: it aims to redirect the internet traffic in the infected machines through a custom proxy, which is drawn from a built-in list of 300 domains. The redirection works for both HTTP and HTTPS; the rootkit installs a custom root certificate for HTTPS redirection to work. In this way, the browser doesn't warn of the unknown identity of the proxy server.

It has been observed that FiveSys' spread is so far limited only to China possibly indicating that the threat actors are primarily interested in that part of the region. In terms of other key characteristics, the associated whitepaper also mentions that the rootkit blocks registry modifications and also tries to block its competitors' access to an infected system.

Besides redirecting internet traffic, the rootkit also blocks loading of drivers from other malware writing groups, as they are probably attempting to limit competitor threat actors’ access to the compromised system.

Bitdefender says that after alerting Microsoft of this malicious rootkit, the Redmond company has removed its signature from FiveSys. You can read about it in more detail on the official blog post here.

Interestingly, this isn't the first time such a thing has happened in recent memory. A similar malware called "Netfilter" was also validated by Microsoft back in June likely in a similar fashion.


Level 22
Sep 5, 2017
A newly identified rootkit has been found with a valid digital signature issued by Microsoft that's used to proxy traffic to internet addresses of interest to the attackers for over a year targeting online gamers in China.

Bucharest-headquartered cybersecurity technology company Bitdefender named the malware "FiveSys," calling out its possible credential theft and in-game-purchase hijacking motives. The Windows maker has since revoked the signature following responsible disclosure.

"Digital signatures are a way of establishing trust," Bitdefender researchers said in a white paper, adding "a valid digital signature helps the attacker navigate around the operating system's restrictions on loading third-party modules into the kernel. Once loaded, the rootkit allows its creators to gain virtually unlimited privileges."