Research finds that the FiveSys rootkit obtained a Microsoft WHQL signature and is being used in attacks

A digital signature is used to verify the identity of a software developer and to ensure that the software has not been tampered with; the WHQL signature is the digital signature Microsoft issues specifically for driver packages.

Microsoft normally subjects drivers to a rigorous review before signing them, but it turns out that even this review can let malware obtain Microsoft’s signature.

Well-known security software developer Bitdefender recently discovered malware active in China that carries a valid digital signature issued by Microsoft.

The signature lets the malware appear trustworthy to users during installation, and at the same time the system-level Microsoft signature allows it to run with higher privileges.

FiveSys rootkit

The investigation identified the malware as FiveSys. So far it has been observed only in China, where it mainly targets Chinese online game players.

Once installed, the malware automatically configures a network proxy, installs a self-signed digital certificate on the system, and then begins hijacking the user’s network traffic.

“The main purpose of the rootkit is to redirect internet traffic and route it to a custom proxy server. To achieve this, the driver serves locally a Proxy Autoconfiguration Script to the browser. The driver will periodically update this autoconfiguration script. The script has a list of domains/URLs for which it redirects traffic to an endpoint under the attacker’s control,” reads the report published by Bitdefender.

Because the self-signed certificate has been installed and is trusted by the browser, the browser shows no warning when the user visits one of the targeted sites and the traffic is hijacked.

Bitdefender believes that the main purpose of the malware is to steal game players’ accounts and virtual assets, and that it targets players of several popular online games.

To avoid removal, the malware also protects itself in several ways, such as preventing users from modifying the registry and blocking the installation of other, similar malware.