On Friday, June 25th, Microsoft admitted to signing a series of drivers named Netfilter, which had been submitted for validation by a vendor in the video game industry. Microsoft confirmed the drivers were malicious and said, “the actor’s activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments.” According to Microsoft, the threat actor’s goal was to gain an advantage in games and exploit other players by compromising their accounts. The vendor account that submitted the driver has been suspended and searched for other signs of malware.
Threat actors can buy access to hacked vendor accounts and stolen certificates on the dark web, then use those certificates to sign their malware. Microsoft stated, “it’s important to understand that the techniques used in this attack occur post exploitation, meaning an attacker must either have already gained administrative privileges in order to be able to run the installer to update the registry and install the malicious driver the next time the system boots or convince the user to do it on their behalf.” Threat actors first gain access to a system via a malware strain, then install a signed driver to gain admin access on the host. Although it is rare to find malware signed by Microsoft, a much more common scenario observed by Binary Defense Threat Researchers is malware signed with a digital certificate issued to a little-known company. These code-signing certificates are usually issued just days or hours before the malware is distributed, so hunting for recently signed programs can sometimes yield useful results for enterprise defenders.
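One way to run the hunt described above is to walk likely drop locations and flag validly signed binaries whose signing certificate was issued shortly before the file appeared on the host. This is an added example, not code from Binary Defense or Microsoft; the paths, the 7-day lead window and the 14-day certificate-age window are assumptions to tune for your environment, and it will not surface the rarer Microsoft-signed case the post opens with.

```powershell
# Added hunting example, not code from the Binary Defense post or Microsoft.
# Flags Authenticode-signed PE files whose signing certificate was issued
# shortly before the file appeared on the host. Paths and thresholds are
# assumptions; tune them to your environment.
param(
    [string[]]$Paths = @("$env:SystemRoot\System32\drivers", "$env:ProgramData", "$env:TEMP"),
    [int]$MaxLeadDays = 7,     # window from cert NotBefore to file creation time
    [int]$MaxCertAgeDays = 14  # window from cert NotBefore to now
)

$now = Get-Date
$findings = foreach ($path in $Paths) {
    if (-not (Test-Path -Path $path)) { continue }
    Get-ChildItem -Path $path -Recurse -File -Include *.sys, *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Unsigned or broken signatures are a different hunt; skip them here.
            if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return }
            $cert = $sig.SignerCertificate
            # File creation time is only a proxy for "first seen"; it can be altered,
            # so treat a hit as a lead to triage, not a verdict.
            $leadDays = ($_.CreationTime - $cert.NotBefore).TotalDays
            $certAge  = ($now - $cert.NotBefore).TotalDays
            $recentlyIssued = ($leadDays -ge 0 -and $leadDays -le $MaxLeadDays) -or
                              ($certAge -le $MaxCertAgeDays)
            if (-not $recentlyIssued) { return }
            [pscustomobject]@{
                File        = $_.FullName
                Signer      = $cert.Subject
                Issuer      = $cert.Issuer
                CertIssued  = $cert.NotBefore
                LeadDays    = [math]::Round($leadDays, 1)
                CertAgeDays = [math]::Round($certAge, 1)
                SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Shortest lead time first: a valid signature from a days-old certificate on an
# unfamiliar publisher is the pattern described in the post.
$findings | Sort-Object LeadDays | Format-Table -AutoSize
```

Triage hits by checking the Signer and Issuer against your software inventory and known vendors before escalating; a freshly issued certificate for a publisher nobody in the organization recognizes is the signal worth chasing.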