Microsoft confirms it has signed a rootkit driver

Microsoft acknowledges that it has signed a driver that contains a rootkit. The company is currently investigating this rootkit, which Microsoft says was only deployed in the Chinese gaming sector.

Microsoft confirms in a blog post that the actor behind the rootkit, which is called Netfilter, submitted the driver for validation, after which Microsoft signed it. “The actor has submitted drivers for certification through the Windows Hardware Compatibility Program,” the tech giant said. “The drivers were created by a third party. We suspended the account and checked the submitted drivers for additional signs of malware.”

Microsoft claims that the actor behind this rootkit is only active in the ‘Chinese gaming sector’. There is no indication that Netfilter was used to compromise business environments, according to the tech giant. The company also states that it has not yet attributed the attack to a state actor. Microsoft writes that users need not take any measures other than “following good security measures and deploying antivirus software.”

“The goal of the actor is to use the driver to spoof their geolocation and thus cheat the system and play anywhere,” Microsoft said. As a result, the malware could “gain an advantage in games” and “potentially exploit other players by stealing their accounts through tools such as keyloggers.”

The signed rootkit driver was spotted last Friday by G-Data, a German cybersecurity company that, among other things, makes antivirus software. The malware communicates with servers in China. “The main functionality of the rootkit driver is to redirect traffic,” the company wrote. The rootkit can also update itself.

Since Windows Vista, code running in kernel mode must be signed by Microsoft before it can be distributed. Drivers without a Microsoft certificate cannot be installed by default. G-Data therefore recently received a report of a possible false positive, because its antivirus software had flagged a Netfilter driver that was signed by Microsoft.

“But in this case, the detection was really positive, so we forwarded our findings to Microsoft, who quickly added the malware to Windows Defender and are conducting an internal investigation,” G-Data said.

[Figure: The signed Netfilter driver. Source: G-Data]