We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Hackers Target Gaming Sector By Deploying Microsoft Rootkit

Hackers Target Gaming Sector By Deploying Microsoft Rootkit
Zane Kennedy Published on 16th July 2023 Cybersecurity Researcher

Cybersecurity researchers have uncovered a sophisticated cyberattack campaign in China, where hackers utilize a Microsoft-signed rootkit to target the gaming sector.

The investigation by security firm Trend Micro revealed that the malicious actor responsible for this campaign is believed to be the same group behind the notorious FiveSys rootkit, previously discovered in October 2021.

Trend Micro researchers confirmed that the attackers, originating from China, have obtained valid signatures for their malware, possibly by passing through the stringent Windows Hardware Quality Labs (WHQL) process.

The rootkit campaign consists of multiple variants organized into eight distinct clusters. These variants are signed using Microsoft's WHQL program, exploiting the trust associated with legitimate digital certificates. By doing so, the attackers can circumvent detection mechanisms and gain a foothold on targeted systems. Each variant is tailored to the victim's machine, with some even featuring custom-compiled drivers.

The initial-stage driver, signed by Microsoft, functions as a loader, establishing communication with a command-and-control (C&C) server infrastructure. It utilizes the Windows Socket Kernel to facilitate network communication, leveraging a Domain Generating Algorithm (DGA) to generate different domains for resilience. Additionally, the rootkit employs obfuscation techniques to evade detection, indicating ongoing development and testing.

Once established, the attackers deploy second-stage plug-ins, which possess various capabilities for achieving persistence and executing specific actions from the kernel space. These plug-ins include a Defender terminator, intended to disable Microsoft Defender software, and a proxy plug-in that installs a remote proxy server and redirects web browsing traffic.

Notably, these Microsoft-signed rootkits have been primarily detected within the gaming sector in China, potentially infiltrating systems through trojanized Chinese games. Using legitimate digital certificates allows the malware to avoid raising suspicion, making it more difficult for security tools to detect and mitigate the threat.

133 malicious drivers, signed with valid digital certificates, have been discovered. Among them, 81 can disable antivirus software, while the remaining drivers function as covert rootkits, stealthily monitoring sensitive data transmitted over the internet.

The fact that the Windows Hardware Compatibility Program signs these drivers enables attackers to install them on compromised systems undetected, granting them unhindered access to malicious activities.

Microsoft has taken immediate action to address the issue, implementing blocking protections and suspending the accounts responsible for signing the malicious drivers. Microsoft recommends “that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks.”

About the Author

Zane is a Cybersecurity Researcher and Writer at vpnMentor. His extensive experience in the tech and cybersecurity industries provides readers with accurate and trustworthy news stories and articles. He aims to help individuals protect themselves through informative content and awareness of cybersecurity's crucial role in today's digital landscape.