Kernel-mode driver signing

A Microsoft Windows policy loophole has been observed being exploited, primarily by native Chinese-speaking threat actors, to forge signatures on kernel-mode drivers.

“Attackers are leveraging multiple open-source tools to change the signing date of kernel-mode drivers to load malicious, unverified drivers signed with expired certificates,” Cisco Talos said in an exhaustive two-part report shared with The Hacker News. “This is a big threat because access to the kernel provides complete access to the system and is therefore a complete compromise.”

Following responsible disclosure, Microsoft said it has taken steps to block all certificates to mitigate the threat. Further, it said its investigation found that “the activity was limited to the abuse of multiple developer program accounts and that no Microsoft accounts were compromised.”

In addition to suspending the developer program accounts involved in the incident, the tech giant emphasized that the threat actor had already obtained administrative privileges on the compromised system before using the driver.

It’s worth pointing out that the Windows maker rolled out similar blocking protections in December 2022 to prevent ransomware attackers from using Microsoft-signed drivers for post-exploitation activity.

Driver signature enforcement, which requires kernel-mode drivers to be digitally signed with a certificate from Microsoft’s Dev Portal, is an important line of defense against malicious drivers. Malicious drivers can be weaponized to evade security solutions, tamper with system processes, and maintain persistence.

A new vulnerability discovered by Cisco Talos may allow the signature of a kernel-mode driver to be forged, thereby bypassing Windows certificate policy.

This is due to an exception carved out by Microsoft for compatibility, which allows a cross-signed driver if it was “signed with an end-entity certificate issued before July 29, 2015 that chains to a supported cross-signed [certificate authority].”

“The third exception is if the newly compiled driver was issued or revoked before July 29, 2015, as long as the certificate is chained to a supported cross-signed certificate authority. It creates a loophole that allows you to sign with a certificate that doesn’t exist,” the cybersecurity firm said.

As a result, a driver signed in this way is not prevented from loading on a Windows device, allowing attackers to take advantage of the escape clause to deploy thousands of malicious, signed drivers without submitting them to Microsoft for verification.

These rogue drivers are deployed using signature timestamp forging software such as HookSignTool and FuckCertVerifyTimeValidity, which have been publicly available since 2019 and 2018, respectively.

HookSignTool has been accessible via GitHub since January 7, 2020, and FuckCertVerifyTimeValidity was first committed to the code hosting service on December 14, 2018.

“HookSignTool is a driver signature forger tool that combines a hook into the Windows API and manual modification of the import table of legitimate code signing tools to change the driver’s signing date during the signing process,” explained Cisco Talos.

In particular, it hooks the CertVerifyTimeValidity function, which verifies the time validity of a certificate, to modify the timestamp of the signature on the fly.

“This small project prevents verification by signing tools. [sic] It improves certificate time validity, allowing bins to be signed with older certificates without manually changing the system time,” says the GitHub page for FuckCertVerifyTimeValidity.

“Install a hook on crypt32!CertVerifyTimeValidity to always return 0, and to sign certificates from 2011, you can add ‘-fuckyear 2011’ to the signtool command line, so you don’t need kernel32!GetLocalTime to return things.”

However, a successful forgery requires an unrevoked code-signing certificate issued before July 29, 2015, along with the certificate’s private key and passphrase.
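A defender-side triage sketch for the loophole described above, added here as an example and not taken from Cisco Talos or Microsoft. It flags non-attested drivers that rely on the pre-July 29, 2015 exception and whose PE compile time contradicts the claimed signing time or the certificate's validity; the record schema, field names, and sample values are assumptions constructed for illustration, and the compile time is only a heuristic signal because it can be altered as well.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Cut-off date from the compatibility exception described in the article.
POLICY_CUTOFF = utc(2015, 7, 29)

@dataclass
class DriverRecord:               # hypothetical inventory schema
    path: str
    attested: bool                # signed through Microsoft's Dev Portal
    cert_not_before: datetime     # end-entity certificate validity start
    cert_not_after: datetime      # end-entity certificate expiry
    claimed_signed: datetime      # signing time recorded in the signature
    pe_compiled: datetime         # PE header timestamp (can also be altered)

def triage(rec):
    """Return the reasons a driver signature deserves manual review."""
    if rec.attested:
        return []
    reasons = []
    if rec.cert_not_before < POLICY_CUTOFF:
        reasons.append("relies-on-pre-2015-exception")
    if rec.pe_compiled > rec.claimed_signed:
        reasons.append("compiled-after-claimed-signing-time")
    if rec.pe_compiled > rec.cert_not_after:
        reasons.append("compiled-after-certificate-expiry")
    return reasons

# Constructed sample records, not real drivers.
SAMPLES = [
    DriverRecord(r"C:\Windows\System32\drivers\legacy_nic.sys", False,
                 utc(2012, 3, 1), utc(2016, 3, 1), utc(2014, 6, 10), utc(2014, 6, 9)),
    DriverRecord(r"C:\Users\Public\sample_forged.sys", False,
                 utc(2012, 5, 1), utc(2014, 5, 1), utc(2013, 8, 20), utc(2022, 11, 2)),
    DriverRecord(r"C:\Windows\System32\drivers\modern_gpu.sys", True,
                 utc(2022, 1, 1), utc(2023, 1, 1), utc(2022, 6, 1), utc(2022, 5, 30)),
]

def review_queue(records):
    """Keep only records with a timestamp contradiction, most reasons first."""
    flagged = [(r.path, triage(r)) for r in records]
    flagged = [(p, why) for p, why in flagged if len(why) > 1]
    return sorted(flagged, key=lambda item: -len(item[1]))

if __name__ == "__main__":
    for path, why in review_queue(SAMPLES):
        print(path, why)
```

A genuinely old driver lands in the first category only; the review queue keeps the records where the dates contradict each other.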

Cisco Talos said it discovered over a dozen code-signing certificates with keys and passwords in PFX files hosted on GitHub within a forked repository of FuckCertVerifyTimeValidity. It is not immediately clear how these certificates were obtained.

Additionally, HookSignTool is used to re-sign cracked drivers to bypass digital rights management (DRM) integrity checks. An actor named “Juno_Jr” has been observed releasing a cracked version of PrimoCache, a legitimate software caching solution, on a Chinese software cracking forum on November 9, 2022.

“In the cracked version […], the patched driver was re-signed with a certificate originally issued to ‘Shenzhen Luyoudashi Technology Co., Ltd.’ and this certificate was included in the PFX file on GitHub,” a Talos researcher said. “Attempting to bypass DRM checks for signed drivers is a serious roadblock.”

That’s not all. HookSignTool was also used to forge the signature timestamp of a previously undocumented driver identified as RedDriver. Active since at least 2021, it uses the Windows Filtering Platform (WFP) to intercept browser traffic and reroute it to localhost (127.0.0.1).

The target browser is randomly selected from a hard-coded list containing the process names of many popular Chinese browsers such as Liebao, QQ Browser, Sogou, and UC Browser, as well as Google Chrome, Microsoft Edge, and Mozilla Firefox.

Chris Neal, an outreach researcher at Cisco Talos, told The Hacker News: “This was one of the first samples I came across that immediately struck me as suspicious. What caught my attention was the list of web browsers stored within the RedDriver file.”

The ultimate purpose of this browser traffic redirection is not clear, but it goes without saying that such functionality can be abused to modify browser traffic at the packet level.

RedDriver’s infection chain begins by executing a binary named ‘DnfClientShell32.exe’, which then initiates encrypted communication with a command and control (C2) server to download a malicious driver.

“Although we did not observe the delivery of the initial file, it is very likely that it was packaged to look like a game file and hosted on a malicious download link,” Neal said. “The victim probably thought he was downloading a file from a legitimate source and ran the executable. ‘DNFClient’ is a very popular game in China, commonly known as ‘DNF’.” It is the name of a file that belongs to “Dungeon Fighter Online.”

“The learning curve for malicious driver development is steep, so RedDriver may have been developed by a highly skilled attacker,” Cisco Talos said. “While the threat appears to target native Chinese speakers, the authors are likely Chinese speakers as well.”

“The authors also demonstrated familiarity or experience with the software development lifecycle, another skill set that requires previous development experience.”
