Skip to main content

Cybercriminals have found a way to get their malware certified by Microsoft

Representational image depecting cybersecurity protection
(Image credit: Shutterstock)

Cybersecurity researchers have discovered yet another rootkit that has abused Microsoft's Windows Hardware Quality Labs (WHQL) signing process.

Researchers at security vendor Bitdefender have uncovered the FiveSys rootkit, which is the second rootkit they’ve run into that has managed to make its way through Microsoft’s driver certification process.

“Most of the rootkit cases we documented in the past rely on stolen digital certificates from legitimate companies, so up until recently malware writers used stolen digital certificates to sign their drivers,” observed Bitdefender, noting the change in tactics.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

According to their analysis, FiveSys seems to be designed to target online games in order to steal their credentials and hijack in-game purchases. 

Abusing the process

Bitdefender believes that FiveSys, and the Netfilter rootkit, which was the first one to abuse Microsoft’s digital signing process, aren’t isolated incidents, and perhaps point towards a new trend of malware using WHQL signatures. 

The basis for their argument are the lucrative new driver signing requirements from Microsoft, which demand drivers to be digitally signed by the company in order for them to be accepted by Windows

“This new requirement ensures that all drivers are validated and signed by the operating system vendor rather than the original developer and, as such, digital signatures offer no indication as to the identity of the real developer,” says Bitdefender suggesting that submitting to the process helps the threat actors hide their identity.

While their motivations seem to be clear, how exactly they managed to work around the certification process to obtain legitimate certificates, continues to remain a mystery.

Soon after discovering the malware though, Bitdefender reached out to Microsoft to flag this abuse of digital trust, leading to the software giant revoking the signature.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.