The Netfilter Driver: a Threat to the Gaming Community
Evidently, the threat actor submitted a specific driver called Netfilter, built by a third party, for certifications via the Windows Hardware Compatibility Programs. The said account is now removed, and all its submissions have been reviewed for signs of malware, Microsoft said.
“The actor’s activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments,” the company specified. It seems that the goal of the entire operation is to use the driver to spoof geo-locations and cheat the system to play it from anywhere. The malware gives threat actors the advantage to perform better in games, and “possibly exploit other players by compromising their accounts through common tools like keyloggers.”
It is noteworthy that the malicious driver was first spotted by security researcher Karsten Hahn and his firm G Data.
“Last week our alert system notified us of a possible false positive because we detected a driver named “Netfilter” that was signed by Microsoft. Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system. Drivers without a Microsoft certificate cannot be installed by default,” Hahn wrote in his article detailing the findings.
Since the detection turned out to be a false positive, the researcher forwarded the findings to Microsoft. The company responded by quickly adding malware signatures to Windows Defender. Currently, the rootkit has a significant detection rate on VirusTotal, with 35 out of 68 security engines detecting it. Some detections include Trojan.Agent.NtRootKit, Trojan.Agent, Trojan.NtRootKit, etc. It is yet unknown how the driver passed Microsoft’s signing process successfully.
One of the interesting things about Netfilter is that some of its strings were encoded. As pointed out by Hanh, it is odd that a driver obfuscates part of their strings. During his analysis, the researcher also found similar samples on VirusTotal, with the oldest one dating back to March 2021.
As for the core functionality of the malware, it appears to be IP redirection. It is also noteworthy that the rootkit received a root certificate via a specific path (hxxp://220.127.116.11:2081/c), writing it to \Registry\Machine\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\.
Finally, the techniques used in the attack take place in a post-exploitation phase. This means that the threat actor must have administrative rights on the system to be able to run the installer, update the registry, and install the malicious Netfilter driver. This way, it ensures to load the next time the system boots.