
Bitdefender Researchers Find a New Digitally Signed Rootkit: FiveSys

FiveSys is a new rootkit identified by Bitdefender researchers; it evades detection by abusing a valid digital signature issued by Microsoft.

Published: October 26, 2021 By Ozair Malik


The newly identified rootkit carries a valid digital signature issued by Microsoft. It has been used by Chinese Internet actors for more than a year to proxy traffic to Internet addresses that are of interest to the attackers.

The security technology company, headquartered in Bucharest, named the malware FiveSys and pointed to possible theft and hijacking within online games as its objective.

The Windows maker subsequently revoked the signature after responsible disclosure.

Digital Signature

Digital signatures are a way to build trust, Bitdefender researchers wrote in a white paper. A valid signature loses its protective value when an attacker manages to load a signed third-party module into the kernel: once loaded, the rootkit gives its creator unrestricted privileges on the system.

A WHQL release signature is obtained by submitting a driver package through the Windows Hardware Lab Kit (HLK) process; the signature takes the form of a digitally signed catalog file.

Microsoft is aware that malware authors (VXers) have found a way to get their rootkits digitally signed through this process. After Bitdefender reported the abuse, Microsoft revoked the FiveSys signature.

Rootkit

Rootkits both protect and steal: they give the attacker a stable foothold in the victim's system, hide malicious activity from the operating system (OS) and anti-malware solutions, and can survive even an OS reinstall or a hard drive replacement, allowing the attacker to persist indefinitely.

Malware Aims


The main purpose of the malware is to redirect Internet traffic, over both HTTP and HTTPS connections, to malicious domains under the attacker's control by way of a custom proxy server.

The rootkit operators also use a built-in list of digital signatures (stolen certificates) to block drivers from competing groups from loading, keeping the infected machine for themselves.

Malware developers, however, appear to have found a way to get past Microsoft's certification checks and obtain digital signatures for their rootkits, allowing them to infect victims without raising suspicion.

Windows Hardware Quality Labs (WHQL)

Starting with Windows Vista, Microsoft introduced changes that made rootkit distribution more difficult. Specifically, the Redmond-based company imposed stricter requirements on driver packages seeking a WHQL (Windows Hardware Quality Labs) digital signature.

Microsoft grants this signature only after verification of driver packages submitted by their developers through the Windows Hardware Compatibility Program (WHCP).

However, malware authors appear to have found a way to get through the verification process.

New Rootkit Detected

Bitdefender security researchers have identified a new Microsoft-signed rootkit, called FiveSys, which somehow passed the verification process and ended up in the wild.

Rootkits have been a threat for more than a decade: malware designed to give attackers low-level access to infected operating systems.

Other changes made by Microsoft, starting with Windows Vista, have made the distribution of rootkits even more difficult. Security solutions have also improved considerably, using technology that was only a dream ten years ago.

FiveSys Rootkit

The FiveSys rootkit also uses a number of self-protection strategies, such as blocking registry editing and stopping the installation of other rootkits and malware from rival groups.

The rootkit has been used by threat actors to redirect Internet traffic to a custom proxy server.

FiveSys can avoid detection and get onto Windows systems thanks to the signature issued by Microsoft.


The main purpose of the rootkit is to redirect Internet traffic to a custom proxy server. To achieve this, the driver serves a Proxy Auto-Configuration (PAC) script locally to the browser, and periodically updates this configuration script.

The script contains a list of domains/URLs whose traffic is redirected to a server under the attacker's control.
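The PAC mechanism described above is easy to triage on the defender's side: a PAC script is plain JavaScript, so the proxy endpoints and the host patterns steered to them can be pulled out and compared against the proxies the organisation actually operates. The following Python is an added example, not code from the page or from Bitdefender; the PAC text, the hostnames, the documentation-range IP addresses and the CORP_PROXIES allowlist are all constructed placeholders.

```python
import re

# Constructed sample PAC script (placeholder hostnames and documentation-range
# IPs; not taken from the FiveSys sample). It mirrors the pattern described
# above: selected sites are steered to a proxy, everything else goes DIRECT.
SAMPLE_PAC = r"""
function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, ".example-game.test") ||
        shExpMatch(host, "*.login.example-shop.test")) {
        return "PROXY 198.51.100.7:8080";
    }
    if (dnsDomainIs(host, ".update.example-vendor.test")) {
        return "PROXY 203.0.113.9:3128; DIRECT";
    }
    return "DIRECT";
}
"""

# Assumed allowlist of proxies the organisation actually operates.
CORP_PROXIES = {"proxy.corp.example.test:3128"}

# One 'if (<condition>) { return "<proxy string>" }' rule per match.
RULE_RE = re.compile(
    r'if\s*\((?P<cond>.*?)\)\s*\{\s*return\s*"(?P<ret>[^"]*)"', re.DOTALL)
# Host patterns used inside a condition.
PATTERN_RE = re.compile(
    r'(?:dnsDomainIs|shExpMatch|localHostOrDomainIs)\s*\(\s*host\s*,\s*"([^"]+)"')
HOST_EQ_RE = re.compile(r'host\s*==\s*"([^"]+)"')
PROXY_KEYWORDS = {"PROXY", "HTTP", "HTTPS", "SOCKS", "SOCKS4", "SOCKS5"}


def parse_return(ret):
    """Split a PAC return string such as 'PROXY a:1; DIRECT' into proxy endpoints."""
    proxies = []
    for part in ret.split(";"):
        tokens = part.strip().split()
        if len(tokens) == 2 and tokens[0].upper() in PROXY_KEYWORDS:
            proxies.append(tokens[1])
    return proxies


def extract_proxy_rules(pac_text):
    """Return a list of (proxy, [host patterns]) pairs, one per proxied rule."""
    rules = []
    for m in RULE_RE.finditer(pac_text):
        cond = m.group("cond")
        patterns = PATTERN_RE.findall(cond) + HOST_EQ_RE.findall(cond)
        for proxy in parse_return(m.group("ret")):
            rules.append((proxy, patterns))
    return rules


def find_suspicious_rules(pac_text, allowed_proxies):
    """Rules that send traffic to a proxy outside the allowlist."""
    return [(proxy, patterns) for proxy, patterns in extract_proxy_rules(pac_text)
            if proxy not in allowed_proxies]


if __name__ == "__main__":
    for proxy, patterns in find_suspicious_rules(SAMPLE_PAC, CORP_PROXIES):
        print(f"unexpected proxy {proxy} receives: {', '.join(patterns)}")
```

Because the page notes that the driver updates the script periodically, the check is worth re-running on every PAC the browser is handed (for example by diffing the proxy endpoint set over time) rather than once; a static regex pass like this deliberately avoids executing the script.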

The malware also maintains a list of digital signatures used to recognise drivers belonging to the Netfilter and fk_undead malware families, and prevents those drivers from loading.

Identified Drivers

Bitdefender has identified several user-mode binaries used to download and run the malicious drivers on targeted machines. According to the researchers, FiveSys uses four drivers, but only two of them have been obtained so far.

Driver packages that pass the Windows Hardware Lab Kit (HLK) tests can be digitally signed by Microsoft's Windows Hardware Quality Labs (WHQL).

If a driver package is digitally signed by WHQL, it can be distributed through the Windows Update program or other Microsoft-supported distribution channels.

The rootkit uses four drivers in total:

  • PacSys (PC.sys) is responsible for serving the proxy auto-configuration script (a *.PAC file, hence the name, perhaps).
  • Up.sys downloads the activator and starts it using the embedded .dll, which it places into kernel mode.
  • Each of the two drivers protects the other and reinstalls it if it is removed.

Although, technically speaking, this malware family is not especially sophisticated, the abuse of digital signatures in this way seriously undermines the reliability of this protection mechanism.

In June, Microsoft announced it was investigating a threat actor who was distributing malicious drivers in attacks aimed at the Chinese gaming industry. The actor had submitted the drivers for certification through the Windows Hardware Compatibility Program (WHCP).

One of the Microsoft-signed drivers, called Netfilter, was a malicious Windows rootkit observed communicating with command-and-control (C2) servers in China.

Conclusion

To make mitigation harder, the rootkit ships with a built-in list of 300 domains under the '.xyz' top-level domain. They appear to be randomly generated and are stored in obfuscated form inside the binary.

For C2 communication, the rootkit selects a random domain from that list; each domain has several DNS records.
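A C2 scheme that picks random names from a pool of 300 generated .xyz domains leaves a usable trace in DNS logs: one client resolving several unrelated, random-looking .xyz names in a short window. The Python below is an added example of that detection logic, not code from the page or from Bitdefender. The log format, client names and every domain in it are constructed placeholders (none are FiveSys indicators), and the entropy and length thresholds are assumptions to tune against your own traffic.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log (placeholder client names and made-up domains; not
# real FiveSys indicators). Client ws-17 resolves several random-looking .xyz
# names in quick succession; ws-22 shows ordinary traffic.
SAMPLE_DNS_LOG = """\
2021-10-26T09:00:01Z client=ws-17 qname=www.example-news.test type=A
2021-10-26T09:00:05Z client=ws-17 qname=qz8k2mvx7.xyz type=A
2021-10-26T09:00:06Z client=ws-17 qname=h4tp0sw1ae.xyz type=A
2021-10-26T09:00:09Z client=ws-17 qname=v9d3kql2r.xyz type=A
2021-10-26T09:00:11Z client=ws-17 qname=b7n1xu8zq.xyz type=A
2021-10-26T09:00:20Z client=ws-22 qname=mail.example-corp.test type=A
2021-10-26T09:00:25Z client=ws-22 qname=notes.xyz type=A
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")


def shannon_entropy(s):
    """Bits of entropy per character of s; high for random-looking labels."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label, min_len=8, min_entropy=3.0):
    """Heuristic (assumed thresholds): a long, high-entropy label mixing
    letters and digits, which is what a generated name tends to look like."""
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and any(ch.isdigit() for ch in label)
            and any(ch.isalpha() for ch in label))


def parse_log(text):
    """Yield (client, qname) for every parsable line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip(".").lower()


def flag_clients(text, tld="xyz", min_distinct=3):
    """Clients that resolved at least min_distinct distinct generated-looking
    registrable domains under the given TLD. Returns {client: [domains]}."""
    seen = defaultdict(set)
    for client, qname in parse_log(text):
        labels = qname.split(".")
        if len(labels) < 2 or labels[-1] != tld:
            continue
        if looks_generated(labels[-2]):
            seen[client].add(".".join(labels[-2:]))
    return {c: sorted(d) for c, d in seen.items() if len(d) >= min_distinct}


if __name__ == "__main__":
    for client, domains in flag_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(domains)} generated-looking .xyz domains -> {domains}")
```

The registrable domain (label directly under the TLD) is what gets counted, so many subdomains of one legitimate site do not inflate the score, and a single short or dictionary-word .xyz name such as the constructed notes.xyz is ignored. Since the page says the malware rotates among the pool at random, the distinct-domain count per client is a better signal than any one name.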
