New WHQL RootKits

[wwwab 0]

Hello all,

 

I recently discovered the new WHQL Rootkits. Yesterday, I sent the sample hash and download url to eset's email. Eset and many other anti-virus software providers still cannot detect them now. VirusTotal detected almost 0, which sounds crazy.

 

Hash:

 

f3b017cf469aa4e76b1e9b67c6462a0b5d9ebbfc550c1bf3f65e9ccdf88f2447

 

d6f7fd346cafc4e7e2227a5ef8dd9ddbbdd83dbc5d139734b03e2c404509cd06

 

6bf7fb60c2c93dc17ba5dbf24f63d1ede4615fc53e3f6643bd676f2e9c9d4c2b

 

2088764efe780fcde3a7623b330e8319280c26e481bed8fc3e8726bfddc1ea53

 

a82794500932cd286b88fec79a8b0e6d9121b135e531da8552333ebb87da834f

 

547eb802e7bbf40ce6b5e219baad84152677653e92eaefeee7ce4226cf312058

 

342d7d819f869870a677a3670bbe520fb89389b63c5dd6c68b80fb63117463d3

 

a1be29cd2a06867c14dca5a621eb73a5428d6a31bbd4182d350e46775ad80cdf

 

ee75bbe10675a7b8e90072cfac182d65963d927778f0d4c477f6ccc5c9570ac3

 

b1fde38dcf163f7724ec240d7441b5b75386e9199ecd80dd878bfd9bff6b823b

 

b7a9bed4c0f1aed75ffc5d2ba14463a8e9b6144c9f07ab4d7c60b127ee145211

 

8501d07f3834192ed16badc423120445cd15581779020646e1671b5ac81e2fbf

 

b28abf0b11ed44661b77594430919e8e269169568931d1e530342ac149fb33e6

 

0522751131368fa007f8ed52209a5b9b4583b82c3fa9af20ad82d575f2c6e711

 

f9d9d22b9c19f45b8ba74b556a959990586fd2c10f962af34e49d12b94d5d35b

 

a2d1bfc6686f97d82ff7a7c2e027dd7fdb75a86531c28ed827652722c43e4ee8

 

d38a206431cdf0ccf3520240a91831e8222f9cf8ecb7104361079eca96c155a4

 

e398b3818cb784c6efb6b2e80a265429b417ac693f35a3ba155baabab7445511

 

6c6dbcd53a7e6a4e0dd1458cb417ef472afbb178d457481eda8f85561b9debd4

 

51f9f9338eb97e9a06d8e78fc7ba61c0e62484bd179b321c4f31c3e69d8ddf84

 

a0cf4ca6570a7442cce8ea98b62df060ecafc7d8498667d07674b29aaf9b225a

 

be85725cacdcd1377bd79459c003b3a1b9e2e35ba30544560c19f6634259791a

 

e20a485993086dec457dff824e8ca7053f6b3cbc75117d63e87c79d537c05c5b

 

0aa222fe91919a0c9f477d4c68af4de9cffdaf1cc63d96ee7e137a3aaef69530

 

55b20056f002a1746d73e8b874f1d20c4d179bf5455b9268dc286f2da6b83db2

 

80951e2f257d8c6b1f94e1c298144a1b4d928399b028fec3eddad2354fbe9773

 

e1e2b29c575fce4fc8f8a43cc3b13ee31b70acf3336db07b99cfa5bfbf6643cf

 

b051703a9c6851960849d4fea3311892d4fc3681d6fd2e23d7861f006f2fbfa2

 

9914a6f768631be401f2af9dd4d36056ecca55d62751aece05ccc2dc0993862e

 

081e37847d8916cf28b2f8ec172208898bb3b8f44dd5ad97470ca915dadf2f72

 

9d05061c3b7a62ae365639e0532b4ac6226e3bdd6e9caf0a1166ef80829356bb

 

Best regards.

[itman 1,659]

Cloudstrike Falcon now detects them per VT lookup. Cylance detects at least one of them.

Of note is these drivers are not signed with a WHQL issued certificate but rather, they are signed with an attestation issued certificate.

I wrote a forum posting about this issue a while back: https://forum.eset.com/topic/32841-a-clear-and-present-danger-lurking-in-windows-1011/#comment-153631 . It appears to have "fell on deaf Eset ears." Most likely because Eset is attestation signing its .dlls.

Edited November 13, 2022 by itman

[itman 1,659]

Also for clarification, these kernel mode drivers are not UEFI based rootkits. A detailed analysis by Kaspersky of a UEFI based rootkit discovered a few months back is here: https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/ .

Of note is the following:

Quote

The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and we noticed that all these images are related to designs using the H81 chipset. This suggests that a common vulnerability may exist that allowed the attackers to inject their rootkit into the firmware’s image.

In these firmware images, modifications have been introduced into the CSMCORE DXE driver, whose entry point has been patched to redirect to code added in the .reloc section. This code, executed during system startup, triggers a long execution chain which results in the download and deployment of a malicious component inside Windows.

Looking at the various firmware images we were able to obtain, we assess that the modifications may have been performed with an automated patcher. If so, it would follow that the attackers had prior access to the victim’s computer in order to extract, modify and overwrite the motherboard’s firmware. This could be achieved through a precursor malware implant already deployed on the computer or physical access (i.e., an evil maid attack scenario). Qihoo’s initial report indicates that a buyer might have received a backdoored motherboard after placing an order at a second-hand reseller. We were unable to confirm this information.

 

Edited November 13, 2022 by itman

[itman 1,659]

Correcting myself, there are Win based kernel mode rootkits. These are for the most part deployed using a malicious device driver. One would believe kernel mode device drivers would have to be WHQL issued cert. signed. However, reviewing Microsoft's driver signing requirements here: https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-reqs , it appears that in Win 10/11, device drivers can also be attestation signed. Oh, my .........

If these posted drivers are device drivers, they have the capability to deploy a kernel mode rootkit if they are indeed malicious. Also there is no way these drivers can be detected at system startup time if designated as boot drivers since they load prior to AV's ELAM driver loading.

If these drivers are judged malicious, they need to be reported to Microsoft so that they can be added to Win 10/11 internal driver block list that finally works right: https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-vulnerable-driver-blocklist-sync-issue/ . Note that this Win 10/11 driver block list feature only works if HV Core Isolation - Memory Integrity setting is enabled in Win Security Center Device security section.

Edited November 13, 2022 by itman

[itman 1,659]

Very interesting.

Looks like the OP was correct in his assessment that these drivers were rootkits. Eset, Dr. Web, and Fortinet now detect and classify them as rootkits: https://www.virustotal.com/gui/file/f3b017cf469aa4e76b1e9b67c6462a0b5d9ebbfc550c1bf3f65e9ccdf88f2447 .

Kudos to CloudStrike for detecting them at first sight.

Edited November 15, 2022 by itman

[itman 1,659]

I also wonder is this incident is related to this: https://thehackernews.com/2022/11/researchers-say-china-state-backed.html .

The main requirement for issuance of a Microsoft attestation code signing cert. is the submitter must provide the code signed with a CA issued EV code signing cert..

Edited November 16, 2022 by itman