Cybersecurity researchers have discovered yet another rootkit that has abused Microsoft’s Windows Hardware Quality Labs (WHQL) signing process.
Researchers at security vendor Bitdefender have uncovered the FiveSys rootkit, which is the second rootkit they’ve run into that has managed to make its way through Microsoft’s driver certification process.
“Most of the rootkit cases we documented in the past rely on stolen digital certificates from legitimate companies, so up until recently malware writers used stolen digital certificates to sign their drivers,” observed Bitdefender, noting the change in tactics.
According to their analysis, FiveSys seems to be designed to target online games in order to steal their credentials and hijack in-game purchases.
Abusing the process
Bitdefender believes that FiveSys, and the Netfilter rootkit, which was the first one to abuse Microsoft’s digital signing process, aren’t isolated incidents, and perhaps point towards a new trend of malware using WHQL signatures.
The basis for their argument are the lucrative new driver signing requirements from Microsoft, which demand drivers to be digitally signed by the company in order for them to be accepted by Windows.
“This new requirement ensures that all drivers are validated and signed by the operating system vendor rather than the original developer and, as such, digital signatures offer no indication as to the identity of the real developer,” says Bitdefender suggesting that submitting to the process helps the threat actors hide their identity.
While their motivations seem to be clear, how exactly they managed to work around the certification process to obtain legitimate certificates, continues to remain a mystery.
Soon after discovering the malware though, Bitdefender reached out to Microsoft to flag this abuse of digital trust, leading to the software giant revoking the signature.