Microsoft approved a Windows driver booby-trapped with rootkit malware (Security News, June 2021)

Microsoft on Friday admitted it had signed malicious third-party driver code submitted for certification through its Windows Hardware Compatibility Program.
According to Microsoft, the miscreant behind the subverted driver was focused on computer game players in China, and is not the sort of nation-state-backed group that has been giving Microsoft and its enterprise customers headaches over the past few months.
To install the rootkit on a victim's computer, an attacker would already need admin-level access on the box, or would need to convince the user to authorize the driver's installation - which is easier to do when the code is signed by Microsoft.
The Windows maker, which also on Friday disclosed that the Nobelium group behind the SolarWinds attack compromised a Microsoft support desk account in a separate phishing operation, said it is investigating the unidentified threat actor's efforts to distribute subverted drivers in gaming environments.
Security researcher Karsten Hahn identified the driver as Netfilter, a rootkit that connects to an IP address registered to Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd, in China.
The software giant has updated its Microsoft Defender data to detect and block the devious driver and has shared signature information with other antivirus security vendors so they can tune their detection mechanisms.
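The summary above makes the practical point: a Microsoft signature on a driver is what lets the installation go through, so a valid signature alone is not evidence that a driver is benign. Third-party drivers that go through the Windows Hardware Compatibility Program are signed with Microsoft's "Microsoft Windows Hardware Compatibility Publisher" certificate rather than the certificate Microsoft uses for its own drivers, which gives a defender a way to pull that class of driver out of the full inventory for review. The following PowerShell script is an added example and is not from The Register article or from Microsoft; it uses only built-in cmdlets (Get-CimInstance, Get-AuthenticodeSignature, Get-FileHash), assumes an elevated session, and assumes you will compare the resulting hashes against your own vendor allowlist or your AV vendor's indicators, since the page itself publishes no hashes.

```powershell
# Added example (not from the article): inventory installed kernel drivers and mark
# the ones that validate through the WHCP co-signing certificate, i.e. third-party
# code that Microsoft signed on the vendor's behalf. These are the drivers the
# Netfilter case concerns: their signature is valid, so they need a separate review.
# Assumes an elevated PowerShell session on Windows 10 or later.

function Get-DriverSignatureInventory {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName }
    foreach ($d in $drivers) {
        # PathName can carry a \??\ prefix, a \SystemRoot\ prefix, or quotes; normalise it.
        $path = $d.PathName -replace '"', ''
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        [pscustomobject]@{
            Name   = $d.Name
            State  = $d.State
            Path   = $path
            # 'Valid', 'NotSigned', 'HashMismatch', etc. Catalog-only signed drivers can
            # report NotSigned here; treat those as "check manually", not as clean.
            Status = $sig.Status
            Signer = $subject
            # True when Microsoft co-signed a vendor's driver through WHCP.
            Whcp   = $subject -like '*Microsoft Windows Hardware Compatibility Publisher*'
            SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

# Review set: validly signed, but via WHCP rather than Microsoft's own driver certificate.
$inventory = Get-DriverSignatureInventory
$inventory |
    Where-Object { $_.Whcp -and $_.Status -eq 'Valid' } |
    Sort-Object Name |
    Format-Table Name, State, Signer, SHA256, Path -AutoSize

# Export everything for comparison against a known-good driver allowlist or AV indicators.
$inventory | Export-Csv -Path "$env:TEMP\driver-signature-inventory.csv" -NoTypeInformation
```

On a typical machine the WHCP list is long, because every third-party driver since Windows 10 is signed this way; the value is in diffing the SHA256 column against the hashes your hardware and software vendors ship, or against indicators from your AV vendor, rather than in the list itself.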
News URL: https://go.theregister.com/feed/www.theregister.com/2021/06/28/microsoft_malware_signing/