
New WHQL RootKits



Hello all,


I recently discovered the new WHQL Rootkits. Yesterday, I sent the sample hash and download URL to ESET's email. ESET and many other anti-virus software providers still cannot detect them now. VirusTotal detected almost 0, which sounds crazy.
Best regards.


CrowdStrike Falcon now detects them per VT lookup. Cylance detects at least one of them.

Of note is these drivers are not signed with a WHQL issued certificate but rather, they are signed with an attestation issued certificate.

I wrote a forum posting about this issue a while back: https://forum.eset.com/topic/32841-a-clear-and-present-danger-lurking-in-windows-1011/#comment-153631 . It appears to have "fell on deaf Eset ears." Most likely because Eset is attestation signing its .dlls.

Edited by itman

Also for clarification, these kernel mode drivers are not UEFI based rootkits. A detailed analysis by Kaspersky of a UEFI based rootkit discovered a few months back is here: https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/ .

Of note is the following:


The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and we noticed that all these images are related to designs using the H81 chipset. This suggests that a common vulnerability may exist that allowed the attackers to inject their rootkit into the firmware’s image.

In these firmware images, modifications have been introduced into the CSMCORE DXE driver, whose entry point has been patched to redirect to code added in the .reloc section. This code, executed during system startup, triggers a long execution chain which results in the download and deployment of a malicious component inside Windows.

Looking at the various firmware images we were able to obtain, we assess that the modifications may have been performed with an automated patcher. If so, it would follow that the attackers had prior access to the victim’s computer in order to extract, modify and overwrite the motherboard’s firmware. This could be achieved through a precursor malware implant already deployed on the computer or physical access (i.e., an evil maid attack scenario). Qihoo’s initial report indicates that a buyer might have received a backdoored motherboard after placing an order at a second-hand reseller. We were unable to confirm this information.


Edited by itman

Correcting myself, there are Win based kernel mode rootkits. These are for the most part deployed using a malicious device driver. One would believe kernel mode device drivers would have to be WHQL issued cert. signed. However, reviewing Microsoft's driver signing requirements here: https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-reqs , it appears that in Win 10/11, device drivers can also be attestation signed. Oh, my .........

If these posted drivers are device drivers, they have the capability to deploy a kernel mode rootkit if they are indeed malicious. Also there is no way these drivers can be detected at system startup time if designated as boot drivers since they load prior to AV's ELAM driver loading.

If these drivers are judged malicious, they need to be reported to Microsoft so that they can be added to Win 10/11 internal driver block list that finally works right: https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-vulnerable-driver-blocklist-sync-issue/ . Note that this Win 10/11 driver block list feature only works if HV Core Isolation - Memory Integrity setting is enabled in Win Security Center Device security section.

Edited by itman
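A defender-side check for the points raised in this post and in itman's earlier one: which kernel drivers on a host are attestation signed rather than WHQL signed, which of those are boot-start drivers (the ones that load before any ELAM driver), and whether HVCI / Memory Integrity is running so that the Windows driver blocklist actually applies. This is an added PowerShell example, not code from the thread, from ESET or from Microsoft. The EKU OIDs, the WMI classes used and the function names are assumptions of the example; the known-bad SHA-256 is the one from the VirusTotal link posted later in this thread. Run it from an elevated prompt.

```powershell
# Added example (not from the thread): inventory registered kernel drivers, classify
# each Authenticode signer as WHQL- or attestation-signed, flag boot-start drivers,
# and report whether HVCI (Memory Integrity) is running.
#
# Assumed EKU OIDs carried by the "Microsoft Windows Hardware Compatibility Publisher"
# leaf certificate (per Microsoft's driver signing documentation; an assumption here):
$WhqlEku     = '1.3.6.1.4.1.311.10.3.5'    # Windows Hardware Driver Verification (WHQL)
$AttestedEku = '1.3.6.1.4.1.311.10.3.5.1'  # Windows Hardware Driver Attested Verification

# SHA-256 taken from the VirusTotal link posted in this thread, used as a known-bad indicator.
$KnownBadSha256 = @('f3b017cf469aa4e76b1e9b67c6462a0b5d9ebbfc550c1bf3f65e9ccdf88f2447')

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several spellings; normalise to a full path.
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                 # strip \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot         # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSigningClass {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        return [pscustomobject]@{ Class = 'Unsigned'; Signer = $null; Status = $sig.Status }
    }
    # Collect EKU OIDs from the leaf certificate's Enhanced Key Usage extension.
    $ekus = foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }
    $class = if ($ekus -contains $AttestedEku) { 'Attestation' }
             elseif ($ekus -contains $WhqlEku) { 'WHQL' }
             else { 'Other' }   # cross-signed, legacy or test-signed
    [pscustomobject]@{ Class = $class; Signer = $cert.Subject; Status = $sig.Status }
}

function Get-KernelDriverReport {
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverPath $d.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        $sign = Get-DriverSigningClass -Path $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        [pscustomobject]@{
            Name      = $d.Name
            StartMode = $d.StartMode      # 'Boot' drivers load before ELAM
            State     = $d.State
            Class     = $sign.Class
            Status    = $sign.Status
            Signer    = $sign.Signer
            KnownBad  = ($KnownBadSha256 -contains $hash)
            Sha256    = $hash
            Path      = $path
        }
    }
}

function Test-HvciRunning {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServicesRunning contains 2 when hypervisor-enforced code integrity is active.
    return [bool]($dg.SecurityServicesRunning -contains 2)
}

$report = Get-KernelDriverReport
"HVCI / Memory Integrity running: $(Test-HvciRunning)  (driver blocklist is enforced only when True)"
"`nAttestation-signed drivers (review each; boot-start ones load before ELAM):"
$report | Where-Object { $_.Class -eq 'Attestation' } |
    Sort-Object StartMode | Format-Table Name, StartMode, State, Status, Signer -AutoSize
"`nDrivers matching a known-bad hash from the thread:"
$report | Where-Object KnownBad | Format-Table Name, Path, Sha256 -AutoSize
```

Only the primary Authenticode signature is inspected, so a driver carrying both a legacy and an attestation signature may show up as Other; treat the Attestation list as a starting point for review (submit hashes to VirusTotal or your vendor, as the OP did), not as a verdict on its own.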

Very interesting.

Looks like the OP was correct in his assessment that these drivers were rootkits. Eset, Dr. Web, and Fortinet now detect and classify them as rootkits: https://www.virustotal.com/gui/file/f3b017cf469aa4e76b1e9b67c6462a0b5d9ebbfc550c1bf3f65e9ccdf88f2447 .

Kudos to CrowdStrike for detecting them at first sight.

Edited by itman

I also wonder if this incident is related to this: https://thehackernews.com/2022/11/researchers-say-china-state-backed.html .

The main requirement for issuance of a Microsoft attestation code signing cert. is the submitter must provide the code signed with a CA issued EV code signing cert.

Edited by itman
This topic is now closed to further replies.