Microsoft-signed FiveSys driver targets online games in China

Security researchers at Bitdefender have discovered a new Microsoft-signed rootkit, named FiveSys, which has been targeting online games in China for over a year. The main purpose of the malware is credential theft and in-game-purchase hijacking.

Starting with Windows Vista, Microsoft introduced changes that made the propagation of rootkits much more difficult. Specifically, the Redmond-based tech giant introduced strict requirements that driver packages must meet in order to receive a WHQL (Windows Hardware Quality Labs) digital signature, which Microsoft provides only after verifying the driver packages that creators submit through the Windows Hardware Compatibility Program (WHCP).

However, it appears that malware authors have found a way to bypass the validation process.

Bitdefender says that FiveSys is similar in nature to the Undead malware, discovered several years ago.

“The purpose of the rootkit is straightforward: it aims to redirect the internet traffic in the infected machines through a custom proxy, which is drawn from a built-in list of 300 domains. The redirection works for both HTTP and HTTPS; the rootkit installs a custom root certificate for HTTPS redirection to work. In this way, the browser doesn't warn of the unknown identity of the proxy server,” the researchers said.

The FiveSys rootkit also uses various self-preservation techniques, such as blocking the ability to edit the registry and stopping the installation of other rootkits and malware from different groups.
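Defender-side triage for the two behaviours the researchers describe (an added PowerShell example, not code from the Bitdefender report or this article; the 30-day window and the short list of well-known CA names are assumptions):

```powershell
# Added triage example, not from the Bitdefender report: look on a Windows host
# for the two traits the article describes, (1) a recently added certificate in
# a Trusted Root store and (2) proxy settings that would route HTTP/HTTPS traffic
# through an unexpected server. Run from an elevated PowerShell prompt.
# Assumptions: the 30-day window and the list of well-known CA names below.

$window = (Get-Date).AddDays(-30)
$knownIssuers = 'Microsoft', 'DigiCert', 'GlobalSign', 'Sectigo', 'VeriSign', 'ISRG'

# (1) Root stores. Every root CA is self-signed, so the useful signals are
#     "became valid recently" and "issuer is not a CA we expect to see".
$suspectRoots = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store | Where-Object {
        $cert = $_
        $cert.NotBefore -gt $window -and
        -not ($knownIssuers | Where-Object { $cert.Issuer -like "*$_*" })
    }
}
foreach ($c in $suspectRoots) {
    Write-Warning ("Recently added root CA: {0} (thumbprint {1}, valid from {2:yyyy-MM-dd})" -f
        $c.Subject, $c.Thumbprint, $c.NotBefore)
}

# (2) Proxy settings. Per-user WinINET values live in the registry; the
#     system-wide WinHTTP proxy is read with netsh.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$userProxy = ($inet.ProxyEnable -eq 1) -or [bool]$inet.AutoConfigURL
if ($userProxy) {
    Write-Warning ("User proxy enabled: server='{0}' pac='{1}'" -f $inet.ProxyServer, $inet.AutoConfigURL)
}
$winhttp = (netsh winhttp show proxy) -join ' '
$systemProxy = $winhttp -notmatch 'Direct access'
if ($systemProxy) {
    Write-Warning "WinHTTP proxy configured: $winhttp"
}

if (-not $suspectRoots -and -not $userProxy -and -not $systemProxy) {
    Write-Output 'No recently added root CA and no proxy redirection found.'
}
```

A hit on either check is a lead for further investigation, not proof of FiveSys; legitimate enterprise PKI roots and corporate proxies will also show up here, so compare against the host's expected baseline.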

The malware's spread is so far limited to China, suggesting that the threat actors are primarily interested in that part of the market.

The researchers have informed Microsoft of their findings, and the company revoked the signature shortly after.

In June, researchers found another Microsoft-signed malicious driver named ‘Netfilter,’ which also targeted gamers in China.