Microsoft Signs Malware That Spreads Through Gaming (Security News, June 2021)

Microsoft signed a driver being distributed within gaming environments that turned out to be a malicious network filter rootkit.
G DATA malware analyst Karsten Hahn first noticed the rootkit, publicly posting the find on June 17 and simultaneously reaching out to Microsoft.
According to WHOIS records, the command-and-control address that the malicious Netfilter driver connected to, IP 110.42.4.180, belonged to Ningbo Zhuo Zhi Innovation Network Technology Co. Ltd. On Friday, Microsoft confirmed the incident, saying that it had launched an internal investigation, added malware signatures to Windows Defender and shared those signatures with security companies.
As of Friday, Microsoft was still trying to figure out how a rootkit could slip through the signing process.
Microsoft said in its advisory that it's now investigating a malicious actor that's "Distributing malicious drivers within gaming environments." The threat actor submitted drivers for certification through the Windows Hardware Compatibility Program, which is designed to ensure that Windows-compatible software and hardware run smoothly on Windows 10, Windows 11 and Windows Server 2022 and to provide guidance for developing, testing and distributing drivers.
Microsoft has suspended the malicious-driver-disseminating account and has reviewed the threat actor's submissions for additional signs of malware.
News URL: https://threatpost.com/microsoft-malicious-rootkit-gaming/167323/