Hackers Target Gaming Sector By Deploying Microsoft Rootkit

Zane Kennedy, Cybersecurity Researcher. Published on 16th July 2023

Cybersecurity researchers have uncovered a sophisticated cyberattack campaign in China, where hackers utilize a Microsoft-signed rootkit to target the gaming sector.

The investigation by security firm Trend Micro revealed that the malicious actor responsible for this campaign is believed to be the same group behind the notorious FiveSys rootkit, previously discovered in October 2021.

Trend Micro researchers confirmed that the attackers, originating from China, have obtained valid signatures for their malware, possibly by passing through the stringent Windows Hardware Quality Labs (WHQL) process.

The rootkit campaign consists of multiple variants organized into eight distinct clusters. These variants are signed using Microsoft's WHQL program, exploiting the trust associated with legitimate digital certificates. By doing so, the attackers can circumvent detection mechanisms and gain a foothold on targeted systems. Each variant is tailored to the victim's machine, with some even featuring custom-compiled drivers.

The initial-stage driver, signed by Microsoft, functions as a loader that establishes communication with a command-and-control (C&C) server infrastructure. It uses the Windows Socket Kernel for network communication and a domain generation algorithm (DGA) to produce different domains for resilience. The rootkit also employs obfuscation techniques to evade detection, indicating ongoing development and testing.

Once established, the attackers deploy second-stage plug-ins, which possess various capabilities for achieving persistence and executing specific actions from the kernel space. These plug-ins include a Defender terminator, intended to disable Microsoft Defender software, and a proxy plug-in that installs a remote proxy server and redirects web browsing traffic.

Notably, these Microsoft-signed rootkits have been primarily detected within the gaming sector in China, potentially infiltrating systems through trojanized Chinese games. Using legitimate digital certificates allows the malware to avoid raising suspicion, making it more difficult for security tools to detect and mitigate the threat.

133 malicious drivers, signed with valid digital certificates, have been discovered. Among them, 81 can disable antivirus software, while the remaining drivers function as covert rootkits, stealthily monitoring sensitive data transmitted over the internet.

Because the Windows Hardware Compatibility Program signs these drivers, attackers can install them on compromised systems without being detected, leaving them free to carry out malicious activity unhindered.

Microsoft has taken immediate action to address the issue, implementing blocking protections and suspending the accounts responsible for signing the malicious drivers. Microsoft recommends “that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks.”
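The campaign above turns on a single fact: a WHQL signature makes the Authenticode signer on a malicious driver look identical to that on a legitimate one, so signature validity alone cannot be the deciding check. The script below is an added example, not code from the article or from Trend Micro or Microsoft. It inventories the kernel drivers currently loaded on a Windows host, records the signer of each binary, and flags the ones whose signer is Microsoft's WHQL publisher certificate but whose file metadata names no recognisable vendor, so an analyst can review those first. The list of vendor names treated as "expected" is an assumption for illustration and should be replaced with the organisation's own hardware inventory.

```powershell
# Added example (not from the vpnMentor article): triage loaded kernel drivers by signer.
# A valid WHQL signature is necessary but not sufficient evidence that a driver is benign,
# so this lists every running driver with its signer and highlights WHQL-signed drivers
# whose embedded CompanyName is absent or unfamiliar.

# Assumed, illustrative list of vendors this environment expects to see; replace with your own inventory.
$ExpectedVendors = @('Microsoft Corporation', 'Intel Corporation', 'NVIDIA Corporation')
$WhqlPublisher   = 'Microsoft Windows Hardware Compatibility Publisher'

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName appears in several forms; normalise to a filesystem path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^(system32|SysWOW64)\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$report = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver |
                          Where-Object { $_.State -eq 'Running' -and $_.PathName }) {
    $path = Resolve-DriverPath $drv.PathName
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig     = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName

    # WHQL-signed drivers all carry Microsoft's publisher cert, so the vendor must come from
    # the file's own version resource; an empty or unexpected vendor is the review trigger.
    $isWhql  = $subject -like "*CN=$WhqlPublisher*"
    $review  = $isWhql -and ([string]::IsNullOrWhiteSpace($company) -or
                             $ExpectedVendors -notcontains $company.Trim())

    [pscustomobject]@{
        Driver       = $drv.Name
        Path         = $path
        SigStatus    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer       = $subject
        CompanyName  = $company
        WhqlSigned   = $isWhql
        NeedsReview  = $review
    }
}

# Unsigned or tampered drivers first, then WHQL-signed drivers with unfamiliar vendors.
$report | Where-Object { $_.SigStatus -ne 'Valid' -or $_.NeedsReview } |
    Sort-Object SigStatus, CompanyName |
    Format-Table Driver, SigStatus, CompanyName, Signer -AutoSize

# Keep the full inventory for comparison against a known-good baseline of the same host.
$report | Export-Csv -Path (Join-Path $env:TEMP 'driver-signer-inventory.csv') -NoTypeInformation
```

Run it from an elevated PowerShell session so every driver file is readable. The flagged rows are not verdicts: a driver from a small hardware vendor will appear here too, which is the point, since the article's rootkits were built to be indistinguishable at the signature level. Compare the exported CSV against a baseline taken from a clean build, and pair this check with the Windows updates and enabled endpoint protection that Microsoft's guidance above calls for.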

About the Author

Zane is a Cybersecurity Researcher and Writer at vpnMentor. His extensive experience in the tech and cybersecurity industries provides readers with accurate and trustworthy news stories and articles. He aims to help individuals protect themselves through informative content and awareness of cybersecurity's crucial role in today's digital landscape.