New Stealthy Universal Rootkit Let Attacker Load second-stage Payload Directly

A self-signed China-originated Rootkit acts as a universal downloader targeting gaming sectors to exfiltrate sensitive information.

The threat actors abuse Microsoft signing portals to sign their drivers in order to pass the security check.

As per the analysis of Trend Micro, the main binary of the malware acts as a universal downloader that downloads a second-stage unsigned kernel module to communicate with C&C.

Stealthy Universal Rootkit Loader

Basically, malicious actors use the below approaches to sign their malicious kernel drivers, Abusing Microsoft signing portals, Using leaked and stolen certificates, and Using underground services.

“Hunting for 64-bit signed rootkits now is not as easy in the days when kernel mode code signing (KMCS) policies mechanisms were introduced as the number of 64-bit signed drivers has increased,” reads Trend Micro report.

Initially, a 64-bit signed driver was installed, which disables the User Account Control (UAC) and Secure Desktop mode by editing the registry and initializing Winsock Kernel (WSK) objects for initiating a network activity with the C&C server.

Subsequently, it uses a Domain Generating Algorithm (DGA) algorithm to generate different domains. It connects to the driver on port 80 and creates a TCP socket for communication.

This downloader receives the data byte from C&C and decrypts the received data, then loads the Portable executable file into memory without writing to the disk.

Second-stage Driver

The downloaded second-stage driver was unsigned and reads the first-stage driver from the disk and, write it to the registry, then deleted it from the disk

In addition to that, it stops Windows Defender software and disables the anti-spyware detection from the registry key“ and SecurityHealthService” in order to evade detection

Finally, the proxy plug-in installs a proxy on the machine and redirects web browsing traffic to a remote proxy machine. 

It first edits the Windows proxy configuration, and then it injects JavaScript inside the browser based on the URL, which might redirect it to another server.

These rootkits will see heavy use from sophisticated groups that have both the skills to reverse-engineer low-level system components and the required resources to develop such tools.