Earlier this month, Microsoft signed a driver called Netfilter that turned out to be a malicious network filter rootkit. Krasten Hahn, a G data malware analyst, first identified the rootkit which he later traced, analyzed, and identified as bearing Microsoft’s seal.
When Microsoft researchers analyzed the rootkit, it was found that it communicated with Chinese command-and-control IPs (C2) and as it turns out, these belong to one of the companies called Ningbo Zhuo Zhi Innovation Network Technology Co. Ltd. and was labeled as 'Community Chinese Military' by the United States Department of Defense.
Microsoft said that the threat actor’s goal is to cheat gaming systems. “To use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers,” according to Microsoft’s advisory.
The company collaborated with Microsoft to analyze and patch any known security holes, including for affected hardware. Users will get clean drivers through Windows Update.
Moreover, they added that the rootkit only works if a user authorizes the driver and it obtains administrator-level access on a PC to install the driver. The idea is that Netfilter won’t pose a threat to your PC unless you go out of your way to install it.
On Friday, Microsoft acknowledged the mistake, saying that the security experts are monitoring the whole incident and have added malware signatures to Windows Defenders. The company has also shared the signatures with security companies. As of Monday morning, 35 security vendors had flagged the file as malicious.
The company has suspended the account and is reviewing the malware signs. However, the actor’s activity is limited to the gaming sector specifically in China, and does not appear to target enterprise environments. We are not attributing this to a nation-state actor at this time, the company revealed.
