Microsoft signed off on a driver that contains rootkit malware. Despite having processes and checkpoints—like code signing and the Windows Hardware Compatibility Program (WHCP)—in place to prevent such events from happening, the driver still managed to pass through.
The third-party Windows driver, Netfilter, was observed communicating with Chinese command-and-control IPs. Netfilter was distributed within the gaming community. It was first detected by G Data malware analyst Karsten Hahn (and soon further vetted by the infosec community at large and Bleeping Computer), who immediately shared notice of the breach on Twitter and notified Microsoft.
☢️ Network filter rootkit that connects to this IP in China:
It does not look like Moriya (signature will be corrected asap)
— Karsten Hahn (@struppigel) June 17, 2021
Though Microsoft has confirmed that it did, indeed, sign off on the driver, there is no clear information yet regarding how the driver made it through the company’s certificate signing process. Microsoft is currently investigating and said it “will be sharing an update on how we are refining our partner access policies, validation and the signing process to further enhance our protections.”
Currently, there is no evidence that the malware writers stole certificates, or that the activity can be attributed to a nation-state actor. Microsoft also noted that the malware has had a limited impact, taking aim at gamers and not enterprise users. “We have suspended the account and reviewed their submissions for additional signs of malware,” Microsoft shared in a blog update.
Despite the malware seeming to have little to no impact, and Microsoft eagerly working to resolve the issue and refine its code signing process, the incident has nonetheless disrupted user trust in Microsoft. The average user depends on these certificates and checkpoints to have a way to know that updates and new drivers are safe to install. This disruption could make users wary of future downloads for some time to come.