
Microsoft confirms signing Netfilter rootkit malware

2 min. read

Published on June 28, 2021


Key notes

Were you wondering what Microsoft has been up to these days, aside from preparing Windows 11 for its big release later this year?

Well, this time the Redmond company really got careless: it signed a malicious driver that has been distributed within gaming environments.

These are not rumors anymore, as Microsoft already admitted to this monumental fiasco.

The Netfilter driver is Microsoft’s rootkit

The driver in question, called Netfilter, is actually a rootkit that was observed communicating with Chinese command-and-control (C2) IP addresses.

Analysts from the security firm G Data first noticed this event last week and already started tracing and analyzing the malicious drivers that had Microsoft’s seal on them.

Needless to say, the incident in question has once again exposed the threats to software supply-chain security, only this time it started from a weakness in Microsoft's code-signing process.

> ☢️ Network filter rootkit that connects to this IP in China: hxxp://110.42.4.180:2081/u
> It does not look like Moriya (signature will be corrected asap)
> File is signed by Microsoft. #rootkit #netfilter https://t.co/lhvmmgHn6w

G Data researchers spent quite some time thoroughly analyzing the driver and concluded that it is malware. As detailed in their blog post, the discoveries they made shook them to their very core.

Worth knowing is that the C2 IP 110.42.4.180, which the malicious Netfilter driver connects to, belonged to Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd.

Microsoft admitted to being guilty in this sensitive matter

According to the tech giant, the actor behind these malicious drivers has mainly targeted the gaming sector in China, and there are no signs so far of enterprise environments having been affected.

Microsoft has also refrained from attributing this incident to a specific nation just yet.

We have suspended the account and reviewed their submissions for additional signs of malware.

If you didn't already know, falsely signed binaries can be repeatedly abused by sophisticated third parties to facilitate large-scale software supply-chain attacks, because a valid signature alone makes the binary look trustworthy.

The worst thing for Microsoft is that this incident has exposed weaknesses in a legitimate code-signing process, which malicious third parties exploited to obtain Microsoft-signed code without compromising any certificates.

We will keep an eye out for any developments in this story and keep you updated.


Vlad Turiceanu

Windows Editor
