Threat actors often look for ways to legitimize their cyberattacks. By this, I mean they look for ways to make their malware look authentic to trick unwitting victims. If there is a shred of legitimacy to the malware, it stands a better chance of fooling people. That is why the new “FiveSys” malware is dangerous: it carries a digital signature from Microsoft.
No, Microsoft is not dabbling in cyberattacks on the side. What actually happened is that the group behind the malware somehow got Microsoft to issue it a WHQL certification signature.
Bitdefender reports that FiveSys is a malicious driver rootkit carrying a Windows Hardware Quality Labs (WHQL) certification. Microsoft grants this certification to driver packages submitted through the Windows Hardware Compatibility Program (WHCP) after spending time verifying that they are secure.
It is unclear how the threat actors obtained the certification. What is clear is what the rootkit does: it redirects the target machine's internet traffic through a proxy chosen from a list of 300 potential domains.
“The redirection works for both HTTP and HTTPS; the rootkit installs a custom root certificate for HTTPS redirection to work. In this way, the browser doesn't warn of the unknown identity of the proxy server,” Bitdefender explains.
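A custom root certificate is what lets interception like this go unnoticed by the browser, so an inventory of the trusted root stores is a practical place for defenders to look. The PowerShell below is an added example (not from the Bitdefender report or this article): it lists root certificates on a Windows host that are absent from a known-good baseline of thumbprints, and marks those issued recently. The baseline values are placeholders to be replaced with thumbprints exported from a clean image of the same build.

```powershell
# Added example: flag trusted root certificates that are not in a known-good baseline.
# Build the baseline on a clean machine with:
#   Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root | Select-Object -ExpandProperty Thumbprint
param(
    # Placeholder thumbprints; replace with values exported from a clean image.
    [string[]]$Baseline = @(
        'PLACEHOLDER_THUMBPRINT_FROM_CLEAN_IMAGE_1',
        'PLACEHOLDER_THUMBPRINT_FROM_CLEAN_IMAGE_2'
    ),
    # Roots issued within this many days are highlighted for closer review.
    [int]$RecentDays = 30
)

$cutoff = (Get-Date).AddDays(-$RecentDays)

# Both stores matter: a root added to the current user's store is equally
# trusted by browsers that rely on the Windows certificate store.
Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $Baseline -notcontains $_.Thumbprint } |
    ForEach-Object {
        [pscustomobject]@{
            Store          = $_.PSParentPath -replace '^.*::', ''
            Subject        = $_.Subject
            Thumbprint     = $_.Thumbprint
            NotBefore      = $_.NotBefore
            # A root CA is self-signed by definition; a self-signed root that is
            # both missing from the baseline and recently issued deserves scrutiny.
            SelfSigned     = ($_.Subject -eq $_.Issuer)
            RecentlyIssued = ($_.NotBefore -gt $cutoff)
        }
    } |
    Sort-Object NotBefore -Descending |
    Format-Table -AutoSize
```

Run from an elevated prompt so the LocalMachine store is readable in full; any row that is both unknown to the baseline and recently issued is a candidate for removal after confirming it is not an enterprise CA the organization deployed itself.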
It seems that FiveSys is only spreading in China, which could mean the group behind the malware are actively targeting users in the country.
“Besides redirecting internet traffic, the rootkit also blocks loading of drivers from other malware writing groups, as they are probably attempting to limit competitor threat actors' access to the compromised system.”
Bitdefender informed Microsoft of the rootkit and its WHQL certification, and the company has since removed the signature.