
Researchers Discover Microsoft-Signed FiveSys Rootkit in the Wild


A newly identified rootkit carrying a valid digital signature issued by Microsoft has been used for more than a year to proxy the traffic of online gamers in China to attacker-controlled Internet addresses.

Bitdefender, the Bucharest-headquartered cybersecurity company that discovered it, has named the malware "FiveSys" and assesses that its likely purposes are credential theft and the hijacking of in-game purchases. Microsoft has revoked the signature following responsible disclosure.

"Digital signatures are a new way to establish trust," Bitdefender researchers said in a white paper. "Adding a valid digital signature helps an attacker navigate around the operating system's restrictions on loading third-party modules into the kernel. Once loaded, the rootkit allows its creators to have virtually unlimited privileges."

Rootkits are both stealthy and persistent: they give the adversary a strong foothold on the victim's system and hide their malicious activity from the operating system (OS) as well as from anti-malware solutions, which helps attackers maintain extended persistence. Firmware- or boot-level rootkits can even survive OS reinstallation or replacement of the hard drive; a driver-level rootkit such as FiveSys instead relies on its valid signature to keep being loaded by the kernel across reboots.
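The practical check that follows from the two paragraphs above is to find out which kernel drivers on a host are trusted only because of a signature. The PowerShell below is an added example for this article, not code from Bitdefender or Microsoft. It enumerates the registered kernel drivers, verifies each image's Authenticode or catalog signature, and lists every driver that is not an in-box Windows binary or whose signature no longer verifies. The list of "in-box" signer subjects and the use of the WHQL publisher name as a triage flag are assumptions chosen for this example: a WHQL-signed third-party driver is not malicious by itself, so the output is a review list, not a verdict. Run it in an elevated session on the Windows host being examined.

```powershell
# Added example (not from the article, Bitdefender or Microsoft): list kernel drivers
# whose trust rests on a third-party or WHQL signature, or whose signature no longer
# verifies. Requires an elevated PowerShell session on the host being examined.

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        # Assumed list of signer subjects treated as "in-box"; tune for your estate.
        [string[]]$TrustedSubjectPatterns = @('CN=Microsoft Windows,', 'CN=Microsoft Corporation,')
    )

    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $raw = $_.PathName
        if (-not $raw) { return }   # some services carry no image path

        # Service image paths come in several forms; normalise them to a Win32 path.
        $path = $raw -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^system32\\', "$env:SystemRoot\System32\"
        if (-not (Test-Path -LiteralPath $path)) { return }

        # Get-AuthenticodeSignature also resolves catalog signatures for in-box files.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $inBox = [bool]$sig.IsOSBinary
        foreach ($p in $TrustedSubjectPatterns) { if ($subject -like "*$p*") { $inBox = $true } }

        [pscustomobject]@{
            Name       = $_.Name
            State      = $_.State
            StartMode  = $_.StartMode
            Path       = $path
            Status     = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer     = $subject
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
            InBox      = $inBox
            # Third-party drivers signed through the WHQL programme carry this publisher;
            # FiveSys and Netfilter obtained their signatures that way, so flag for review.
            IsWhqlThirdParty = ($subject -like '*Windows Hardware Compatibility Publisher*')
        }
    }
}

# Report anything that is not an in-box Microsoft binary, or whose signature fails to verify.
Get-DriverSignatureReport |
    Where-Object { -not $_.InBox -or $_.Status -ne 'Valid' } |
    Sort-Object IsWhqlThirdParty, Status -Descending |
    Format-Table Name, State, Status, IsWhqlThirdParty, Signer, Path -AutoSize
```

Whether a signature that Microsoft has since revoked shows up as anything other than `Valid` depends on the host's revocation checking, so treat `Status` as one signal and the combination of a WHQL signer, a non-standard path and an unfamiliar service name as the thing to investigate; the thumbprint column lets you compare signers across hosts.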



In the case of FiveSys, the malware's main purpose is to redirect Internet traffic, both HTTP and HTTPS, to attacker-controlled domains by routing it through a custom proxy server. The rootkit's operators also ship a built-in blocklist of digital signatures belonging to competing groups' drivers, preventing those drivers from loading and taking over the machine.

"To make potential removal efforts more difficult, the rootkit comes with a built-in list of 300 domains on '.xyz' [top-level domain]," the researchers said. "They are randomly generated and stored in encrypted form inside the binary."
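A built-in list of generated .xyz names is something a resolver log can be hunted for. The PowerShell below is an added example for this article, not code from Bitdefender; the log lines, the four-field query format and the tuning thresholds are all constructed for the example and not taken from the report. It scores the second-level label of each .xyz query on length, Shannon entropy and vowel content, and reports clients that look up several such names.

```powershell
# Added example (not from the article or Bitdefender): flag DNS queries for
# random-looking names under .xyz, the shape the report gives for FiveSys's
# built-in domain list. Log format and thresholds are assumptions for this example.

function Get-ShannonEntropy {
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return 0.0 }
    $counts = @{}
    foreach ($ch in $Text.ToCharArray()) { $counts[$ch] = 1 + [int]$counts[$ch] }
    $h = 0.0
    foreach ($c in $counts.Values) {
        $p = $c / $Text.Length
        $h -= $p * [math]::Log($p, 2)
    }
    return [math]::Round($h, 3)
}

function Test-SuspiciousXyzName {
    param(
        [string]$Fqdn,
        [double]$EntropyThreshold = 3.0,   # assumed tuning values, not from the report
        [int]$MinLength = 8
    )
    $labels = $Fqdn.TrimEnd('.').ToLower().Split('.')
    if ($labels.Count -lt 2 -or $labels[-1] -ne 'xyz') { return $false }
    $sld = $labels[-2]
    $vowels = ([regex]::Matches($sld, '[aeiou]')).Count
    $vowelRatio = if ($sld.Length) { $vowels / $sld.Length } else { 0 }
    # Generated labels tend to be long, high-entropy, and vowel-poor or digit-bearing.
    return (($sld.Length -ge $MinLength) -and
            ((Get-ShannonEntropy $sld) -ge $EntropyThreshold) -and
            ($vowelRatio -lt 0.3 -or $sld -match '\d'))
}

# Constructed sample lines: timestamp, client, record type, queried name.
$sampleLog = @'
2021-10-21T09:00:01Z 10.0.0.5 A www.microsoft.com
2021-10-21T09:00:02Z 10.0.0.5 A cdn.example.xyz
2021-10-21T09:00:03Z 10.0.0.7 A q8xk2mdp4v7t.xyz
2021-10-21T09:00:04Z 10.0.0.7 A zr3ws9lqkf1h.xyz
2021-10-21T09:00:05Z 10.0.0.9 A login.live.com
'@

function Find-SuspiciousXyzQueries {
    param([string]$LogText)
    $hits = @()
    foreach ($line in ($LogText -split "`r?`n")) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4) { continue }
        if (Test-SuspiciousXyzName -Fqdn $f[3]) {
            $hits += [pscustomobject]@{ Time = $f[0]; Client = $f[1]; Name = $f[3] }
        }
    }
    # Several distinct generated .xyz names from one client is the stronger signal.
    $hits | Group-Object Client | Where-Object Count -ge 2 | ForEach-Object {
        "$($_.Name): $($_.Count) suspicious .xyz lookups ($(($_.Group.Name) -join ', '))"
    }
}

Find-SuspiciousXyzQueries -LogText $sampleLog
```

On the sample input only client 10.0.0.7 is reported: `cdn.example.xyz` is too short and vowel-rich to score, while the two twelve-character labels have no vowels and near-maximal entropy. Entropy alone produces false positives on CDN and tracking hostnames, which is why the example requires the .xyz suffix and repetition from one client before it reports anything.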

This is the second time that malicious drivers carrying a valid digital signature issued by Microsoft are known to have slipped through the Windows Hardware Quality Labs (WHQL) signing process. In late June 2021, German cybersecurity company G Data disclosed details of another rootkit, "Netfilter" (tracked by Microsoft as "RetLiften"), which, like FiveSys, was aimed at gamers in China.

The information above is written with reference to The Hacker News. The purpose of this article is to make readers aware of cybercrime and of using technology securely.

Thank you
