[MART] - Daily Diary #293 - Netfilter Malware Found With a Valid Microsoft Certificate

CTAS-MAT ctas-mat at appgate.com
Mon Jun 28 21:06:40 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

06/28/2021 - Diary entry #293:

This month a new rootkit, named Netfilter, was found signed with a valid Microsoft certificate. The malware targets gaming environments in East Asian countries. It's advertised as a VPN capable of changing the user's geolocation, so that users can play games that are blocked in their region.

After being installed on the system, the malware connects to an IP address in China and retrieves configurations and updates. The malware's core capabilities seem to focus on information stealing: it implements keyloggers and other tools that steal credentials and information from the machine.

Since Windows Vista, any code that runs in kernel mode requires a valid Microsoft certificate by default. Developers need to submit their drivers through the Windows Hardware Compatibility Program (WHCP) to be tested and reviewed before receiving a valid signature. Microsoft confirmed this week that the Netfilter driver was signed through WHCP, although it is not yet clear how the driver was approved. Microsoft reported that they have added the driver's signatures to Windows Defender and are now conducting an internal investigation. Meanwhile, they say they are enhancing WHCP and their partners' access policies to avoid similar incidents.

Kind Regards,


Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
