Cyber Security News

New Stealthy Universal Rootkit Lets Attackers Load a Second-stage Payload Directly

A signed rootkit of Chinese origin acts as a universal downloader; the campaign targets the gaming sector to steal sensitive information.

The threat actors abused Microsoft's driver-signing portals to get their drivers signed, so that the drivers pass Windows' kernel-mode code-signing checks.

According to Trend Micro's analysis, the main binary of the malware acts as a universal downloader: it fetches a second-stage, unsigned kernel module that communicates with the command-and-control (C&C) server.

Stealthy Universal Rootkit Loader

Malicious actors use three approaches to get malicious kernel drivers signed: abusing Microsoft signing portals, using leaked or stolen certificates, and using underground signing services.

“Hunting for 64-bit signed rootkits now is not as easy as in the days when kernel-mode code signing (KMCS) policy mechanisms were introduced, as the number of 64-bit signed drivers has increased,” reads the Trend Micro report.

Initially, a 64-bit signed driver is installed. It disables User Account Control (UAC) and Secure Desktop mode by editing the registry, and initializes Winsock Kernel (WSK) objects to start network activity with the C&C server.

It then uses a domain generation algorithm (DGA) to produce candidate domains, connects to the generated C&C domain on port 80, and creates a TCP socket for communication.
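The report gives neither the DGA nor its seed, so the defensive angle is the one worth showing: a DGA that walks through candidate names produces a burst of NXDOMAIN answers for names that look nothing like words. The following is an added example (written for this article; it is not code from the Trend Micro report or from the malware) that scores DNS query-log lines with a few lexical features and reports hosts with a burst of such failed lookups. The log format, the host names, the domains and the thresholds are constructed for the example, and the "registrable domain" is simply taken as the last two labels.

```python
import math
import re
from collections import defaultdict

# Constructed DNS resolver log (sample data made up for this example, not taken
# from the Trend Micro report). WS-07 plays the infected host; the other hosts
# only resolve ordinary names.
SAMPLE_DNS_LOG = """\
2023-07-11T10:02:13Z host=WS-07 qname=xq7vkz2mtp9wlr.com rcode=NXDOMAIN
2023-07-11T10:02:13Z host=WS-02 qname=microsoft.com rcode=NOERROR
2023-07-11T10:02:14Z host=WS-07 qname=bhzrtkq3nvwmc.com rcode=NXDOMAIN
2023-07-11T10:02:15Z host=WS-11 qname=stackoverflow.com rcode=NOERROR
2023-07-11T10:02:15Z host=WS-07 qname=ljw9ekhpu4dgqs.net rcode=NXDOMAIN
2023-07-11T10:02:16Z host=WS-02 qname=windowsupdate.com rcode=NOERROR
2023-07-11T10:02:16Z host=WS-07 qname=mvtzr8kaq2pwnf.com rcode=NXDOMAIN
2023-07-11T10:02:17Z host=WS-11 qname=zqkxvbnp.com rcode=NXDOMAIN
2023-07-11T10:02:18Z host=WS-07 qname=cloudflare.com rcode=NOERROR
"""

LINE_RE = re.compile(r"host=(?P<host>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)")
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits per character over the label's own symbol frequencies."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def longest_consonant_run(s: str) -> int:
    run = best = 0
    for c in s:
        run = run + 1 if (c.isalpha() and c not in VOWELS) else 0
        best = max(best, run)
    return best


def lexical_score(label: str) -> int:
    """Count the generated-name features a label shows (0-4). Thresholds are
    tuned for this constructed sample, not calibrated on real traffic."""
    label = label.lower()
    digits = sum(c.isdigit() for c in label)
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    score = 0
    score += shannon_entropy(label) >= 3.5       # near-uniform character use
    score += longest_consonant_run(label) >= 4    # pronounceable words need vowels
    score += digits >= 2                          # digits sprinkled into the name
    score += vowel_ratio < 0.25                   # draws from a-z0-9 are vowel-poor
    return int(score)


def looks_generated(label: str) -> bool:
    # Very short labels (bbc, xkcd) are too noisy for lexical features.
    return len(label) >= 7 and lexical_score(label) >= 2


def second_level_label(qname: str) -> str:
    # Assumption: registrable domain = last two labels (no public-suffix list,
    # so names under example.co.uk would be scored on "co").
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def find_dga_hosts(log_text: str, min_hits: int = 3) -> dict:
    """Return {host: [qnames]} for hosts with >= min_hits NXDOMAIN answers to
    generated-looking names. A DGA walks many candidates that are not
    registered yet, so the NXDOMAIN burst is the signal; the lexical filter
    keeps typos of real domains from counting toward it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["rcode"] != "NXDOMAIN":
            continue
        if looks_generated(second_level_label(m["qname"])):
            hits[m["host"]].append(m["qname"])
    return {h: q for h, q in hits.items() if len(q) >= min_hits}


if __name__ == "__main__":
    for host, names in find_dga_hosts(SAMPLE_DNS_LOG).items():
        print(f"{host}: {len(names)} NXDOMAIN hits on generated-looking names: {names}")
```

On the constructed log only WS-07 is reported; WS-11's single odd lookup stays below the burst threshold, which is the point of counting per host rather than alerting on each name. Once a generated name does resolve, the next pivot in the report's description is an outbound TCP connection on port 80 from kernel context, which network telemetry would attribute to the System process.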

The downloader receives data from the C&C server, decrypts it, and loads the resulting Portable Executable (PE) file directly into memory without writing it to disk.
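Loading a PE image without touching disk means the loader has to do the system loader's job itself: parse the headers, reserve SizeOfImage bytes, copy the headers and each section to its virtual address, then fix up relocations and resolve imports before calling the entry point. The following added example (written for this article; it is not the malware's code or Trend Micro's) implements the parsing and mapping steps for a PE32+ image and checks whether the image is a NATIVE-subsystem binary, which is what a kernel driver is built as. The sample image it builds is synthetic; relocation and import processing are deliberately left out.

```python
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_SUBSYSTEM_NATIVE = 1            # kernel-mode drivers target the NATIVE subsystem

FILE_HEADER = struct.Struct("<HHIIIHH")                          # IMAGE_FILE_HEADER
OPT_HEADER64 = struct.Struct("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII")   # IMAGE_OPTIONAL_HEADER64 without DataDirectory
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")                   # IMAGE_SECTION_HEADER
DATA_DIRECTORY_BYTES = 16 * 8


def parse_pe(blob: bytes) -> dict:
    """Pull out the header fields a reflective loader needs from a PE32+ image."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    off = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, characteristics = FILE_HEADER.unpack_from(blob, off)
    off += FILE_HEADER.size
    opt = OPT_HEADER64.unpack_from(blob, off)
    if opt[0] != IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        raise ValueError("only PE32+ (64-bit) images are handled here")
    sections = []
    sec_off = off + opt_size
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, *_, chars = SECTION_HEADER.unpack_from(
            blob, sec_off + i * SECTION_HEADER.size)
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rawsize,
                         "raw_pointer": rawptr, "characteristics": chars})
    return {"machine": machine, "characteristics": characteristics,
            "entry_point": opt[6], "image_base": opt[8],
            "section_alignment": opt[9], "file_alignment": opt[10],
            "size_of_image": opt[18], "size_of_headers": opt[19],
            "subsystem": opt[21], "sections": sections}


def is_kernel_driver(info: dict) -> bool:
    return info["machine"] == IMAGE_FILE_MACHINE_AMD64 and info["subsystem"] == IMAGE_SUBSYSTEM_NATIVE


def map_image(blob: bytes) -> bytearray:
    """Lay the file out as it looks in memory: headers first, then each section
    at its RVA. Relocations and imports (which a real loader must also handle)
    are not applied here."""
    info = parse_pe(blob)
    if info["size_of_headers"] > len(blob):
        raise ValueError("SizeOfHeaders exceeds file size: malformed image")
    image = bytearray(info["size_of_image"])
    image[:info["size_of_headers"]] = blob[:info["size_of_headers"]]
    for s in info["sections"]:
        if s["raw_size"] == 0:
            continue                                    # .bss-style: stays zero-filled
        end = s["virtual_address"] + s["raw_size"]
        if end > len(image) or s["raw_pointer"] + s["raw_size"] > len(blob):
            raise ValueError(f"section {s['name']} does not fit: malformed image")
        image[s["virtual_address"]:end] = blob[s["raw_pointer"]:s["raw_pointer"] + s["raw_size"]]
    return image


def build_sample_driver() -> bytes:
    """Constructed minimal PE32+ NATIVE image with one .text section holding a RET.
    Synthetic test data for this example, not a real driver."""
    file_align, sect_align = 0x200, 0x1000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    file_hdr = FILE_HEADER.pack(IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0,
                                OPT_HEADER64.size + DATA_DIRECTORY_BYTES, 0x0022)
    opt_hdr = OPT_HEADER64.pack(
        IMAGE_NT_OPTIONAL_HDR64_MAGIC, 14, 0,        # magic, linker version
        file_align, 0, 0,                            # SizeOfCode, init/uninit data
        0x1000, 0x1000, 0x140000000,                 # entry RVA, BaseOfCode, ImageBase
        sect_align, file_align,
        10, 0, 0, 0, 10, 0,                          # OS / image / subsystem versions
        0, 2 * sect_align, file_align, 0,            # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        IMAGE_SUBSYSTEM_NATIVE, 0x160,               # Subsystem, DllCharacteristics
        0x40000, 0x1000, 0x100000, 0x1000,           # stack/heap reserve and commit
        0, 16) + b"\0" * DATA_DIRECTORY_BYTES        # LoaderFlags, NumberOfRvaAndSizes, empty directories
    text = SECTION_HEADER.pack(b".text", 0x10, 0x1000, file_align, file_align, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + file_hdr + opt_hdr + text).ljust(file_align, b"\0")
    return headers + b"\xC3".ljust(file_align, b"\0")               # RET


if __name__ == "__main__":
    info = parse_pe(build_sample_driver())
    print("kernel driver:", is_kernel_driver(info), "sections:", [s["name"] for s in info["sections"]])
```

parse_pe also works on a real 64-bit driver read from disk; the synthetic image only exists so the block runs offline. Mapping at the right RVAs is the easy half of what the second stage does: the parts left out here (relocating for the actual load address and resolving ntoskrnl imports) are where a kernel-mode manual mapper spends most of its code.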

Second-stage Driver

The downloaded second-stage driver is unsigned. It reads the first-stage driver from disk, writes it into the registry, and then deletes the file from disk.

In addition, it stops Windows Defender and disables anti-spyware detection via a registry key, and stops the SecurityHealthService, in order to evade detection.

Finally, a proxy plug-in installs a proxy on the machine and redirects web-browsing traffic to a remote proxy server.

It first edits the Windows proxy configuration and then injects JavaScript into the browser based on the visited URL, which can redirect the browser to another server.
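The host changes described above (UAC and Secure Desktop prompting off, Defender's anti-spyware switched off by policy, the SecurityHealthService stopped, and a system proxy configured) are all plain registry value writes, which Sysmon records as Event ID 13. The following added example (written for this article, not taken from the report) runs detection rules over constructed Sysmon-style records and separates writes made from kernel mode, which Sysmon attributes to the System process, from the same changes made by a user-mode tool. The SID and the proxy address are made up; the registry paths are the real Windows locations. Treating a Start=4 write on the SecurityHealthService key as "stopped" is an assumption of the example: the report only says the service is stopped, and Start=4 is the persistent way to keep it that way.

```python
import re

# Constructed Sysmon-style records (Event ID 13, RegistryEvent SetValue) flattened
# to key=value text. Sample data made up for this example, not telemetry from the
# Trend Micro report. Writes made by a kernel driver appear under Image=System.
SAMPLE_EVENTS = [
    r"EventID=13 Image=System TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Details=DWORD (0x00000000)",
    r"EventID=13 Image=System TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop Details=DWORD (0x00000000)",
    r"EventID=13 Image=System TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware Details=DWORD (0x00000001)",
    r"EventID=13 Image=System TargetObject=HKLM\System\CurrentControlSet\Services\SecurityHealthService\Start Details=DWORD (0x00000004)",
    r"EventID=13 Image=System TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable Details=DWORD (0x00000001)",
    r"EventID=13 Image=System TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer Details=203.0.113.10:8080",
    # benign noise: Explorer toggling a view setting, and an admin re-enabling UAC
    r"EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Windows\regedit.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Details=DWORD (0x00000001)",
]

FIELDS = ("EventID", "Image", "TargetObject", "Details")
# Values may contain spaces ("Windows Defender", "DWORD (0x...)"), so a value runs
# until the next known field name rather than the next space.
FIELD_RE = re.compile(r"(%s)=(.*?)(?= (?:%s)=|$)" % ("|".join(FIELDS), "|".join(FIELDS)))
DWORD_RE = re.compile(r"^DWORD \((0x[0-9A-Fa-f]+)\)$")


def parse_event(line: str) -> dict:
    ev = dict(FIELD_RE.findall(line))
    m = DWORD_RE.match(ev.get("Details", ""))
    ev["Value"] = int(m.group(1), 16) if m else ev.get("Details", "")
    return ev


# (regex on the value path, predicate on the decoded value, meaning). The HKU\<SID>
# prefix is how Sysmon reports per-user hives, so the user rules match on the suffix.
RULES = [
    (r"\\Policies\\System\\EnableLUA$", lambda v: v == 0, "UAC disabled (EnableLUA=0)"),
    (r"\\Policies\\System\\PromptOnSecureDesktop$", lambda v: v == 0, "Secure Desktop prompting disabled"),
    (r"\\Windows Defender\\DisableAntiSpyware$", lambda v: v == 1, "Defender anti-spyware disabled by policy"),
    (r"\\Services\\SecurityHealthService\\Start$", lambda v: v == 4, "SecurityHealthService set to Disabled (Start=4)"),
    (r"\\Internet Settings\\ProxyEnable$", lambda v: v == 1, "system proxy switched on"),
    (r"\\Internet Settings\\ProxyServer$", lambda v: isinstance(v, str) and v != "", "proxy server address set"),
]
COMPILED_RULES = [(re.compile(p, re.IGNORECASE), pred, desc) for p, pred, desc in RULES]


def scan_events(lines) -> list:
    """One finding per matching write: (description, writer image, path, decoded value)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue
        for rx, pred, desc in COMPILED_RULES:
            if rx.search(ev["TargetObject"]) and pred(ev["Value"]):
                findings.append((desc, ev["Image"], ev["TargetObject"], ev["Value"]))
    return findings


def kernel_origin_findings(findings) -> list:
    """The rootkit edits these values from kernel mode, so the writer is the System
    process; the same change from explorer.exe or regedit.exe is a different story."""
    return [f for f in findings if f[1] == "System"]


if __name__ == "__main__":
    for desc, image, path, value in kernel_origin_findings(scan_events(SAMPLE_EVENTS)):
        print(f"[{image}] {desc}: {path} = {value!r}")
```

The rules fire on the value, not merely on the key: the admin's EnableLUA=1 write in the sample is ignored, and the Explorer setting never matches a rule at all. In a real deployment the interesting correlation is the combination on one host in a short window, since any single rule has legitimate causes.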

Rootkits like this are likely to see heavy use by sophisticated groups that have both the skills to reverse-engineer low-level system components and the resources to develop such tools.


Sujatha is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, she covers cyber security news, technology and other news.
