Researchers Discover Microsoft-Signed FiveSys Rootkit in the Wild (Security News, October 2021)
A newly identified rootkit carrying a valid digital signature issued by Microsoft has been used for over a year to proxy traffic to internet addresses of interest to the attackers, in a campaign targeting online gamers in China.
"Digital signatures are a way of establishing trust," Bitdefender researchers said in a white paper, adding "a valid digital signature helps the attacker navigate around the operating system's restrictions on loading third-party modules into the kernel. Once loaded, the rootkit allows its creators to gain virtually unlimited privileges."
The rootkit operators also block the loading of drivers from competing groups, using a signature blocklist built from stolen certificates, to prevent rivals from taking control of the machine.
"To make potential takedown attempts more difficult, the rootkit comes with a built-in list of 300 domains on the '.xyz'," the researchers noted.
The development marks the second time that malicious drivers carrying valid digital signatures issued by Microsoft through the Windows Hardware Quality Labs (WHQL) signing process have slipped through the cracks.
In late June 2021, German cybersecurity company G Data disclosed details of another rootkit dubbed "Netfilter", which, like FiveSys, also targeted gamers in China.
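The practical lesson of both cases is that a valid Microsoft signature on a kernel driver is not on its own evidence that the driver is benign, so a defender still needs an inventory of which drivers are loaded, who signed them and whether each file is one that has been reviewed. The script below is an added example written for this article, not code from Bitdefender, G Data or Microsoft. It enumerates running kernel drivers, records their Authenticode signer and SHA256, marks drivers signed via the Hardware Compatibility Program (the WHQL signer subject contains "Microsoft Windows Hardware Compatibility Publisher"), and reports any WHQL-signed driver whose file hash is not in a baseline list. It assumes Windows PowerShell 5.1 or later running elevated; `$BaselineHashes` is a placeholder for a list you maintain from your own reviewed drivers and vendor advisories.

```powershell
# Added example (not from the research cited in the article): inventory loaded
# kernel drivers with signer details so WHQL-signed drivers can be compared
# against a locally maintained baseline. Run elevated on Windows PowerShell 5.1+.

$WhqlSignerPattern = 'Microsoft Windows Hardware Compatibility Publisher'

# Placeholder: SHA256 hashes of driver files you have already reviewed.
# Populate this from your own inventory; it is intentionally empty here.
$BaselineHashes = @()

function Get-LoadedDriverSignature {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may carry an NT-style '\??\' prefix; strip it before using file APIs.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            [PSCustomObject]@{
                Driver      = $_.Name
                Path        = $path
                SHA256      = $hash
                SigStatus   = $sig.Status
                Signer      = $subject
                IsWhql      = ($subject -like "*$WhqlSignerPattern*")
                Timestamped = [bool]$sig.TimeStamperCertificate
            }
        }
}

function Get-DriversNeedingReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Drivers,
        [string[]] $Baseline = @()
    )
    # Two review buckets: anything that does not verify as Valid, and any
    # WHQL-signed driver whose file hash has not yet been reviewed. A valid
    # WHQL signature alone is not treated as proof the driver is benign.
    $Drivers | Where-Object {
        $_.SigStatus -ne 'Valid' -or ($_.IsWhql -and $_.SHA256 -notin $Baseline)
    }
}

$drivers = Get-LoadedDriverSignature
Get-DriversNeedingReview -Drivers $drivers -Baseline $BaselineHashes |
    Sort-Object IsWhql, Driver |
    Format-Table Driver, SigStatus, IsWhql, Timestamped, SHA256, Path -AutoSize
```

On a freshly installed machine the report will list every WHQL-signed driver, because the baseline starts empty; the intended workflow is to review that first run, record the hashes you accept, and then re-run periodically so that only new or changed signed drivers appear. Hashes from the output can also be checked against published indicators when a vendor reports a signed driver as malicious, as Bitdefender did for FiveSys.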