Microsoft signed a driver loaded with rootkit malware

Updated on 02-Jul-2021

Microsoft has acknowledged signing a malicious driver that is being distributed in gaming environments.

Microsoft normally vets drivers submitted through its Windows Hardware Compatibility Program before signing them, and that signature is what lets a kernel-mode driver load on Windows without being blocked by driver signature enforcement. A driver named Netfilter, which redirects traffic to an IP address in China and installs a root certificate into the registry, passed that process without being flagged as malware. Because it is a kernel-mode driver used for this purpose, researchers classify it as a rootkit.

Karsten Hahn, a malware analyst at G Data, found the malicious driver and notified Microsoft, which said it has added detection signatures for the malware to Windows Defender and opened an internal investigation. Microsoft has also suspended the account that submitted the driver and is reviewing that account's previous submissions.

Microsoft's Security Response Center characterized the actor's activity as limited to the gaming sector in China and explained its goal: according to Microsoft, the actor uses the driver to spoof their geographic location so they can cheat the system and play from anywhere. The malware gives them an advantage in games and possibly lets them exploit other players by compromising their accounts through common tools such as keyloggers.

Microsoft stated that users will receive clean drivers through Windows Update. Windows users are advised to follow security best practices and run antivirus software such as Windows Defender. As this case shows, a valid Microsoft signature on a driver is not by itself evidence that the driver is benign; signature checks need to be combined with hash comparison against published indicators and with behavioural detection.
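As an added example (not part of the original article or of Microsoft's guidance), the PowerShell triage below inventories the running kernel drivers with their signature status, signer and SHA-256 hash, and lists the root CA certificates in the machine store so both can be compared against published indicators and a known-good baseline. The file names `drivers.csv` and `root-baseline.txt` are assumptions; the script needs an elevated PowerShell 5.1 or later session on Windows.

```powershell
# Added example, not the article's or Microsoft's own tooling.
# Inventories running kernel drivers (signer, signature status, SHA-256) and
# machine root CA certificates for comparison against IOC lists and a baseline.
# Assumes an elevated PowerShell 5.1+ session on Windows.

function Get-DriverInventory {
    # Win32_SystemDriver lists kernel and file-system drivers registered with the SCM.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise image paths such as \??\C:\..., \SystemRoot\..., System32\...
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            $path = $path -replace '^System32', "$env:SystemRoot\System32"
            if (-not (Test-Path -LiteralPath $path)) { return }

            # Get-AuthenticodeSignature also resolves catalog-signed files on Windows 8+.
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Name    = $_.Name
                Path    = $path
                Status  = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer  = $sig.SignerCertificate.Subject
                SigType = $sig.SignatureType     # Authenticode (embedded) or Catalog
                Sha256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
}

function Get-RootCertInventory {
    # Both Windows' own trusted roots and anything a program dropped live here,
    # so the useful comparison is against an export taken from a clean machine.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Sort-Object NotBefore -Descending |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter
}

# Unsigned or tampered drivers are the first thing to look at; everything else
# goes to CSV for hash comparison. A Valid status with a Microsoft signer is
# necessary but not sufficient: the Netfilter driver carried a Microsoft signature.
$drivers = Get-DriverInventory
$drivers | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Name, Status, Path -AutoSize
$drivers | Export-Csv -Path .\drivers.csv -NoTypeInformation   # assumed output file

# Root certificates whose thumbprint is not in the baseline (assumed file with one
# thumbprint per line, exported earlier from a clean machine). With no baseline,
# every root is listed, newest first, so recent additions surface at the top.
$baseline = if (Test-Path .\root-baseline.txt) { Get-Content .\root-baseline.txt } else { @() }
Get-RootCertInventory |
    Where-Object { $baseline -notcontains $_.Thumbprint } |
    Format-Table Subject, Thumbprint, NotBefore -AutoSize
```

The hash column is what to match against indicator lists published for this incident and against a reputation service; the signer column only tells you who the certificate chain leads to, which in this case was Microsoft for a malicious file. For the root store, create the baseline once from a known-clean build of the same Windows version, because Windows itself adds and updates trusted roots over time and those legitimate changes would otherwise show up as findings.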
