Attackers tricked Microsoft into signing malicious Netfilter drivers containing rootkit malware that targeted gamers in East Asian countries.
Cyberattacks continue to evolve as threat actors find or create new methods to break into targeted organizational networks. Microsoft recently stated that unknown attackers are distributing a malicious driver carrying rootkit malware to Windows systems. The technology giant said the driver, named "Netfilter", was observed communicating with command-and-control (C2) servers hosted in China. It is reportedly aimed at gaming environments in East Asian countries, spoofing gamers' geo-location so that they can play from anywhere.
Microsoft stated that the attacker submitted the malicious driver for certification through the Windows Hardware Compatibility Program (WHCP), which is how it obtained a legitimate Microsoft signature. The drivers have been suspended and are under investigation for any additional signs of malware. The malware lets threat actors exploit other gamers by compromising their accounts with common hacking tools such as keyloggers.
The techniques used in this campaign apply post-exploitation, meaning the attacker already needs a foothold on the machine before the driver can be installed. “It’s important to understand that the techniques used in this attack occur post-exploitation, meaning an attacker must either have already gained administrative privileges to be able to run the installer to update the registry and install the malicious driver the next time the system boots or convince the user to do it on their behalf,” Microsoft said.
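Because the installer works by writing a driver service entry to the registry and letting the driver load on the next boot, a defender's first check is to enumerate the kernel drivers a system has registered and look at who signed each one. The script below is an added example for this article, not code from Microsoft or from the original report: it lists every kernel driver service, reads its registry Start value, verifies the Authenticode signature of the driver file, and separately surfaces recently created drivers signed through WHCP. The WHCP signer subject string, the 30-day "recent" window and the requirement to run as Administrator are assumptions made here, not details from the article.

```powershell
# Added example (not from the original article or Microsoft's statement).
# Enumerates installed kernel drivers, reads each driver's service key from the
# registry (the entry the installer writes so the driver loads at next boot),
# verifies the file's Authenticode signature and reports signer and file age.
# Assumptions (not from the article): run as Administrator; the WHCP signer
# subject string and the 30-day window are illustrative choices.

$WhcpSigner = 'CN=Microsoft Windows Hardware Compatibility Publisher'
$RecentDays = 30
$cutoff     = (Get-Date).AddDays(-$RecentDays)

$report = Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    $svc = $_
    # Service definition under CurrentControlSet; Start=0 (boot) or 1 (system)
    # means the driver is loaded early on every boot.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Win32_SystemDriver gives a resolved path; strip a NT-style \??\ prefix if present.
    $path = if ($svc.PathName) { $svc.PathName -replace '^\\\?\?\\', '' } else { $null }

    $file = $null; $sig = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $file = Get-Item -LiteralPath $path
        $sig  = Get-AuthenticodeSignature -FilePath $path
    }

    [pscustomobject]@{
        Name      = $svc.Name
        Path      = $path
        State     = $svc.State
        Start     = $reg.Start
        Created   = if ($file) { $file.CreationTimeUtc } else { $null }
        SigStatus = if ($sig) { [string]$sig.Status } else { 'NoFile' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# 1) Any registered driver whose file is missing or fails signature verification
#    is an immediate finding on a 64-bit system, where unsigned drivers should not load.
Write-Host "== Drivers without a valid signature =="
$report | Where-Object { $_.SigStatus -ne 'Valid' } |
    Format-Table Name, Path, Start, SigStatus -AutoSize

# 2) A valid signature is not a clean bill of health: the Netfilter driver was
#    signed by Microsoft through WHCP. Surface recently created WHCP-signed
#    drivers so they can be compared against a known-good baseline.
Write-Host "== Recently created WHCP-signed drivers (review against baseline) =="
$report |
    Where-Object { $_.SigStatus -eq 'Valid' -and $_.Signer -like "$WhcpSigner*" -and $_.Created -gt $cutoff } |
    Sort-Object Created -Descending |
    Format-Table Name, Path, Start, Created, Signer -AutoSize
```

The second filter is the one that matters for a case like this. Drivers that ship with Windows are typically catalog-signed under the "Microsoft Windows" publisher, whereas third-party drivers that pass WHCP carry an embedded signature from "Microsoft Windows Hardware Compatibility Publisher", so a WHCP-signed driver that appeared recently and is not in your golden image deserves a closer look (hash lookup, the driver's network behaviour, and the installer that created the service key). Signature status alone would have rated the Netfilter driver as valid.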