News

Microsoft revokes certificates that signed more than 100 malicious kernel drivers

Security Parrot Editorial Team

Microsoft Blocks Code-Signing Certificates Used by Chinese Hackers

Microsoft has blocked code-signing certificates, which were primarily used by Chinese hackers and developers to sign and upload malicious Kernel-Mode Drivers to compromised systems. Over 100 malicious drivers have received valid signatures through the Windows Hardware Compatibility Program (WHCP).
“Attackers are using several open source tools that change the signing date of kernel-mode drivers to load malicious and unverified drivers signed with expired certificates,” the experts said. “This is a serious threat, since access to the kernel provides full access to the system and, therefore, complete compromise.”

What is a Kernel-Mode Driver?

Kernel-mode drivers run with the highest privilege level in Windows (Ring 0), and give attackers full access to the target machine, facilitating covert pinning in the system, undetectable data theft, and also giving hackers the ability to terminate almost any process.
Even if security solutions are running on a compromised device, a kernel-mode driver can interfere with their operation, disable advanced protection, or purposefully change the configuration to avoid detection.

Microsoft’s WHCP Program

Since the release of Windows Vista, Microsoft has made changes to the rules that restrict the loading of kernel-mode drivers into the operating system, requiring developers to submit their drivers for review and sign them through the developer portal. However, to prevent problems with older applications, Microsoft introduced the following exceptions that still allowed older kernel-mode drivers to be loaded:
– PC upgraded from an earlier version of Windows to Windows 10 version 1607;
– Secure Boot disabled in BIOS;
– Drivers are signed with an end-entity certificate issued prior to July 29, 2015 that is associated with a supported cross-signed CA.
Microsoft thanked Sophos, Cisco Talos and Tre experts this week and Micro for discovering many malicious kernel drivers and the method the attackers used to sign them. The companies say the drivers were created by Chinese cybercriminals and were used to run browser malware, rootkits and game cheats.

Tools Used by Attackers

In their report, Cisco Talos analysts say that most of the malicious drivers were created using the FuckCertVerify and HookSignTool tools. These tools have been around since 2018 and 2019 and allow attackers to sign their malicious payloads by changing the signature dates of malicious drivers to dates prior to July 29, 2015.
FuckCertVerify originally appeared on GitHub in December 2018 as a tool for cheating in games.
Researchers believe that around April 2021, some Chinese attackers realized that they could use these simple tools to abuse the aforementioned exceptions in the Microsoft WHCP program and sign drivers. By changing the signing date, attackers could use old, leaked, and non-revoked certificates to sign drivers and then load them into Windows to elevate privileges.
For example, in a separate report by Cisco Talos, a malicious RedDriver signed with the HookSignTool was analyzed in detail.

Weekly Updates For Our Loyal Readers!

Share this Article
Lost your password?