Microsoft approved a Windows driver booby-trapped with rootkit malware
2021-06-28 20:10

Microsoft on Friday admitted it had signed malicious third-party driver code submitted for certification through its Windows Hardware Compatibility Program.

According to Microsoft, the miscreant behind the subverted driver was focused on computer game players in China, and is not the sort of nation-state-backed group that has been giving Microsoft and its enterprise customers headaches over the past few months.

To install the rootkit on a victim's computer, an attacker would already need admin-level access on the box, or would need to convince the user to authorize the driver's installation - which is easier to do when the code is signed by Microsoft.

The Windows maker, which also on Friday disclosed that the Nobelium group behind the SolarWinds attack compromised a Microsoft support desk account in a separate phishing operation, said it is investigating the unidentified threat actor's efforts to distribute subverted drivers in gaming environments.

Security researcher Karsten Hahn identified the driver as Netfilter, a rootkit that connects to an IP address registered to Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd, in China.

The software giant has updated its Microsoft Defender data to detect and block the devious driver and has shared signature information with other antivirus security vendors so they can tune their detection mechanisms.
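The lesson from this incident is that a valid Microsoft signature on a driver proves only that the file passed the Hardware Compatibility Program, not that the submitter was benign. As an added example (not code from the article or from Microsoft), the following PowerShell inventories the driver files on a Windows host, records each one's Authenticode signer and SHA-256 hash, and picks out the third-party drivers that carry the compatibility-program countersignature so an analyst can compare them against the vendor inventory and the detection data Microsoft says it shared. The subject string used in the filter is the publisher name I expect on such signatures; the output directory and the field layout are my own choices.

```powershell
# Added example, not from the original article: inventory driver files with their
# Authenticode signer and hash, then isolate the ones signed via Microsoft's
# hardware compatibility program for manual review.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

$inventory = Get-ChildItem -Path $driverDir -Filter '*.sys' -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [PSCustomObject]@{
        Driver = $_.Name
        Status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
}

# Assumption: attestation/WHCP-signed drivers carry this publisher name in the
# signer subject. A Valid status here means "accepted by the program", nothing more,
# which is exactly the gap the Netfilter case exposed.
$whcpSigned = $inventory | Where-Object {
    $_.Status -eq 'Valid' -and
    $_.Signer -like '*Windows Hardware Compatibility Publisher*'
}

# Cross-reference with drivers actually loaded by the kernel, so review effort goes
# to code that is running rather than to stale files on disk.
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object { [System.IO.Path]::GetFileName($_.PathName) }

$whcpSigned |
    Where-Object { $loaded -contains $_.Driver } |
    Sort-Object Driver |
    Format-Table Driver, Signer, Sha256 -AutoSize

# Keep the full inventory so hashes can be matched against AV/EDR indicators later.
$inventory | Export-Csv -Path (Join-Path $env:TEMP 'driver-inventory.csv') -NoTypeInformation
```

Run this from an elevated PowerShell session; the resulting CSV is a baseline to diff after driver installs, and the hash column is what you would compare against the signature data Microsoft distributed to antivirus vendors.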


News URL

https://go.theregister.com/feed/www.theregister.com/2021/06/28/microsoft_malware_signing/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 373 51 1391 2840 168 4450