FiveSys is a new rootkit discovered by researchers from Bitdefender, it is able to evade detection by abusing a Microsoft-issued digital signature.
Driver packages that pass Windows Hardware Lab Kit (HLK) testing can be digitally-signed by Microsoft WHQL (Windows Hardware Quality Labs). If your driver package is digitally-signed by WHQL, it can be distributed through the Windows Update program or other Microsoft-supported distribution mechanisms.
Microsoft is aware that Vxers have devised a method to digitally sign their rootkits through this process. After Bitdefender has reported the discovery, Microsoft has revoked the signature for FiveSys.
In June, the company announced it is investigating a threat actor distributing malicious drivers in attacks aimed at the gaming industry in China. The actor submitted drivers that were built by a third party for certification through the Windows Hardware Compatibility Program (WHCP). One of the drivers signed by Microsoft, called Netfilter, was a malicious Windows rootkit that was spotted while connecting to a C2 in China.
The IT giant pointed out that its WHCP signing certificate was not exposed and that its infrastructure was not compromised by hackers.
The rootkit was used by threat actors to redirect internet traffic to a custom proxy server.
“The main purpose of the rootkit is to redirect internet traffic and route it to a custom proxy server. To achieve this, the
driver serves locally a Proxy Autoconfguration Script to the browser. The driver will periodically update this autoconfguration script. The script has a list of domains/URLs for which it
redirects traffc to an endpoint under the attacker’s control.” reads the report published by Bitdefender.
The rootkit is able to redirect both http and https traffic, in the latter case, it installs a custom root certificate to about browser’s warnings of the unknown identity of the proxy server.
The malware maintains a list of digital signatures used to detect drivers associated with Netfilter and fk_undead malware families and prevent that they are loaded.
Bitdefender identified several user mode binaries that are used to fetch and execute the malicious drivers onto the target machines. According to the experts, FiveSys uses four drivers, but at this time they have only detected only two of them.
“It also has an estimated four drivers, but in our research, we only managed to isolate two:
To minimize the chance of a C2 takedown, the rootkit uses a built-in list of 300 domains on the “.xyz” TLD that are randomly generated and that stored in an encrypted form inside the binary.
Upon contacting the C2, the rootkit will select a random domain from the list, each such domain having several DNS A records.
The paper published by Bitdefender also includes indicators of compromise (IoCs.)
(SecurityAffairs – hacking, cyber security)