New Stealthy Universal Rootkit Lets Attackers Load a Second-Stage Payload Directly

A China-originated rootkit, signed through Microsoft's driver-signing portal rather than self-signed, acts as a universal downloader; it targets the gaming sector and is used to exfiltrate sensitive information.

The threat actors abuse Microsoft's driver-signing portals to get their drivers signed, so that the drivers pass Windows' kernel-mode code-signing enforcement and load without complaint.

According to Trend Micro's analysis, the main binary of the malware acts as a universal downloader: it communicates with the C&C server and fetches a second-stage, unsigned kernel module.

Stealthy Universal Rootkit Loader

Malicious actors rely on three approaches to get malicious kernel drivers signed: abusing Microsoft's signing portals, using leaked or stolen code-signing certificates, and buying signatures from underground signing services.

“Hunting for 64-bit signed rootkits now is not as easy as in the days when kernel mode code signing (KMCS) policy mechanisms were introduced, as the number of 64-bit signed drivers has increased,” reads the Trend Micro report.

The first stage is a signed 64-bit driver. Once installed, it disables User Account Control (UAC) and Secure Desktop mode by editing the registry, then initializes Winsock Kernel (WSK) objects so that it can open a network connection to the C&C server from kernel mode.
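Because the loader is a properly signed kernel driver, hunting for it means reviewing who signed every driver on the host rather than looking for unsigned ones. The following PowerShell script is an added example for that review and is not code from the Trend Micro report or from this article: it enumerates registered kernel drivers, resolves each image path, and reports the Authenticode status and signer, flagging images that are missing from disk (the trace a second stage leaves when it deletes its loader), images whose signature does not verify, and images signed by the attestation-signing publisher. The publisher string and the path shapes it normalises are assumptions about typical Windows systems, not values from the article.

```powershell
# Added example (not from the Trend Micro report or the article above):
# list registered kernel drivers with their signature status so that
# attestation-signed, unsigned, or already-deleted driver images stand out.
# Assumptions: the WHCP attestation signer string below is the one commonly
# seen on attestation-signed drivers; the path forms handled are the usual
# Win32_SystemDriver PathName shapes. Run from an elevated PowerShell prompt.
function Resolve-DriverImagePath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                  # \??\C:\...          -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\System32 -> C:\Windows\System32
    if ($p -match '^system32\\') { $p = "$env:SystemRoot\$p" } # System32\drivers\x.sys -> absolute
    return $p
}

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        # Assumed subject fragment of the attestation-signing certificate (not from the article).
        [string]$AttestationSigner = 'Microsoft Windows Hardware Compatibility Publisher'
    )
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $drv  = $_
        $path = Resolve-DriverImagePath $drv.PathName
        $row  = [ordered]@{ Name = $drv.Name; State = $drv.State; Path = $path; Status = $null; Signer = $null; Flag = '' }
        if (-not $path) {
            $row.Flag = 'no image path recorded'
        } elseif (-not (Test-Path -LiteralPath $path)) {
            # A second-stage payload that deletes its loader from disk leaves exactly this trace.
            $row.Flag = 'image file missing from disk'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $row.Status = $sig.Status
            if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
            if ($sig.Status -ne 'Valid') {
                # Inbox drivers are often catalog-signed and older PowerShell versions report
                # those as NotSigned, so treat this as "review", not as "malicious".
                $row.Flag = "signature status $($sig.Status)"
            } elseif ($row.Signer -like "*$AttestationSigner*") {
                $row.Flag = 'attestation-signed: verify the vendor behind the submission'
            }
        }
        [pscustomobject]$row
    }
}

# Usage: show only the rows worth a second look.
Get-DriverSignatureReport | Where-Object Flag | Sort-Object Flag | Format-Table -AutoSize
```

Attestation-signed drivers are legitimate in their thousands, so the third flag is a review queue rather than a verdict; the useful signal is an attestation-signed driver whose vendor you cannot account for, or whose image has already vanished from disk while the service entry remains.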

It then uses a domain generation algorithm (DGA) to produce candidate C&C domains, and opens a TCP socket to the C&C server on port 80 for communication.

The downloader receives bytes from the C&C server, decrypts them, and loads the resulting Portable Executable (PE) file directly into memory without ever writing it to disk.

Second-stage Driver

The downloaded second-stage driver is unsigned. It reads the first-stage driver from disk, writes its contents into the registry, and then deletes the file from disk.

It also stops Windows Defender, disables its anti-spyware detection through the registry, and tampers with the SecurityHealthService service, all in order to evade detection.

Finally, a proxy plug-in installs a proxy on the machine and redirects web-browsing traffic to a remote proxy server.

It first edits the Windows proxy configuration, then injects JavaScript into the browser's pages based on the visited URL, which can redirect the browser to another server.
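The tampering described above (UAC and Secure Desktop disabled through the registry, a driver image stashed in the registry, Defender and SecurityHealthService interfered with, and the proxy configuration rewritten) can be checked on a suspect host with the following PowerShell triage script. It is an added example, not code from the Trend Micro report or from this article. The registry paths and value names are the standard Windows locations for those settings, assumed here because the article does not name them, and the registry roots scanned for embedded PE images are an assumption to adjust for your environment.

```powershell
# Added example (not from the Trend Micro report or the article above):
# triage checks for the host tampering described in the text.
# Registry paths and value names are the standard Windows locations for
# these settings (assumed; the article does not name them). Run elevated,
# in the session of the user whose proxy settings you want to inspect.
function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-RootkitTamperIndicators {
    [CmdletBinding()]
    param(
        # Registry roots scanned for REG_BINARY values holding a PE image (assumption: tune per estate).
        [string[]]$RegistryScanRoots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
                                         'HKLM:\SYSTEM\CurrentControlSet\Services')
    )
    $findings = New-Object 'System.Collections.Generic.List[object]'
    function Add-Finding([string]$Area, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Area = $Area; Detail = $Detail })
    }

    # 1. UAC and Secure Desktop, both switched off by the first-stage driver.
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ((Get-RegistryValueOrNull $sys 'EnableLUA') -eq 0)             { Add-Finding 'UAC' 'EnableLUA = 0 (UAC disabled)' }
    if ((Get-RegistryValueOrNull $sys 'PromptOnSecureDesktop') -eq 0) { Add-Finding 'UAC' 'PromptOnSecureDesktop = 0 (Secure Desktop disabled)' }

    # 2. Defender policy and the two services the second stage interferes with.
    $def = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    if ((Get-RegistryValueOrNull $def 'DisableAntiSpyware') -eq 1) { Add-Finding 'Defender' 'Policy DisableAntiSpyware = 1' }
    foreach ($svc in 'WinDefend', 'SecurityHealthService') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if (-not $s) { Add-Finding 'Service' "$svc not present" }
        elseif ($s.Status -ne 'Running' -or $s.StartType -eq 'Disabled') {
            Add-Finding 'Service' "$svc is $($s.Status), start type $($s.StartType)"
        }
    }

    # 3. Per-user proxy configuration rewritten by the proxy plug-in.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ((Get-RegistryValueOrNull $inet 'ProxyEnable') -eq 1) {
        Add-Finding 'Proxy' "ProxyEnable = 1, ProxyServer = $(Get-RegistryValueOrNull $inet 'ProxyServer')"
    }
    $pac = Get-RegistryValueOrNull $inet 'AutoConfigURL'
    if ($pac) { Add-Finding 'Proxy' "AutoConfigURL = $pac" }

    # 4. A driver image stored in the registry: REG_BINARY values that begin with the 'MZ' header.
    foreach ($root in $RegistryScanRoots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValueKind($name) -ne 'Binary') { continue }
                $bytes = $key.GetValue($name)
                if ($bytes.Length -gt 0x40 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
                    Add-Finding 'Registry' "PE image in $($key.Name)\$name ($($bytes.Length) bytes)"
                }
            }
        }
    }
    return $findings
}

# Usage
Test-RootkitTamperIndicators | Format-Table -AutoSize
```

Two caveats when reading the output. Current Defender builds ignore DisableAntiSpyware while tamper protection is on, so that value indicates an attempt rather than a guaranteed effect, which is still worth knowing. And a legitimately configured corporate proxy or PAC file will also trip check 3, so compare the reported proxy against what your endpoint management actually pushes before treating it as a finding.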

Rootkits like this will see heavy use from sophisticated groups that have both the skills to reverse-engineer low-level system components and the resources required to develop and get such tools signed.

Source: https://cybersecuritynews.com/new-stealthy-universal-rootkit/

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO