Microsoft Signs Malware That Spreads Through Gaming - silversurfer - 29 June 21
Quote:Microsoft signed a driver being distributed within gaming environments that turned out to be a malicious network filter rootkit.
G DATA malware analyst Karsten Hahn first noticed the rootkit, publicly posting the find on June 17 and simultaneously reaching out to Microsoft. Hahn noted that the code – a third-party driver for Windows named Netfilter that has been circulating in the gaming community – connected to an IP address in China.
As Hahn detailed in a security advisory on Friday, G DATA analysts first thought their telemetry had popped up a false positive on a legitimately signed file. But there was nothing wrong with the telemetry, it turned out: It was legitimately malicious, Hahn wrote.
According to WHOIS records, the command-and-control (C2) address – IP 110.42.4.180 – that the malicious Netfilter driver connected to belonged to Ningbo Zhuo Zhi Innovation Network Technology Co. Ltd.
On Friday, Microsoft confirmed the incident, saying that it had launched an internal investigation, has added malware signatures to Windows Defender, and has shared the signatures with security companies. As of Monday morning, 35 security vendors had flagged the file as malicious.
Read more: Microsoft Signed Malware That Spreads Through Gaming | Threatpost
|