In July, security researchers revealed a sobering discovery: hundreds of pieces of malware used by multiple hacker groups to infect Windows devices had been digitally signed and validated as safe by Microsoft itself. On Tuesday, a different set of researchers made a similarly solemn announcement: Microsoft’s digital keys had been hijacked to sign yet more malware for use by a previously unknown threat actor in a supply-chain attack that infected roughly 100 carefully selected victims.
The malware, researchers from Symantec’s Threat Hunter Team reported, was digitally signed with a certificate for use in what is alternatively known as the Microsoft Windows Hardware Developer Program and the Microsoft Windows Hardware Compatibility Program. The program is used to certify that device drivers—the software that runs deep inside the Windows kernel—come from a known source and that they can be trusted to securely access the deepest and most sensitive recesses of the operating system. Without the certification, drivers are ineligible to run on Windows.
Hijacking keys to the kingdom
Somehow, members of this hacking team—which Symantec is calling Carderbee—managed to get Microsoft to digitally sign a type of malware known as a rootkit. Once installed, rootkits become what’s essentially an extension of the OS itself. To gain that level of access without tipping off end-point security systems and other defenses, the Carderbee hackers first needed its rootkit to receive the Microsoft seal of approval, which it got after Microsoft signed it.
With the rootkit signed, Carderbee went on to pull another audacious feat. Through means that aren’t yet clear, the group attacked the infrastructure of Esafenet, a China-based developer of software, known as the Cobra DocGuard Client, for encrypting and decrypting software so it can’t be tampered with. Then, Carderbee used its newfound control to push malicious updates to roughly 2,000 organizations that are Cobra DocGuard customers. Hacking group members then pushed the Microsoft-signed rootkit to roughly 100 of those organizations. Representatives with Esafenet and its parent company, NSFOCUS, didn’t respond to an email asking for verification.
“It seems clear that the attackers behind this activity are patient and skilled actors,” Symantec researchers wrote. “They leverage both a supply chain attack and signed malware to carry out their activity in an attempt to stay under the radar. The fact that they appear to only deploy their payload on a handful of the computers they gain access to also points to a certain amount of planning and reconnaissance on behalf of the attackers behind this activity.”
Microsoft put the mandatory program in place with the launch of Windows 10. Attackers had long used drivers in post-exploit activities, meaning after hacking a system and gaining administrative access. While attackers could already install apps, steal passwords, and take other liberties, running code in the kernel allowed them to do things that would otherwise be impossible. For example, they could suppress warnings from endpoint detection and response systems and other defenses. Effective from then on, drivers that needed kernel access had to be digitally signed.