In one of our recent threat hunting investigations, we came across an interesting new threat activity cluster that we initially thought was a false positive detection for a Microsoft-signed file. However, this turned out to be a novel piece of signed rootkit that communicates with a large command-and-control (C&C) infrastructure for an unknown threat actor that we are currently tracking, and which we believe is the same threat actor behind the FiveSys rootkit. This malicious actor originates from China, and its main victims are in the Chinese gaming sector. Their malware appears to have passed through the Windows Hardware Quality Labs (WHQL) process to obtain a valid signature. We reported our findings to Microsoft's Security Response Center (MSRC) in June 2023.

The main binary acts as a universal loader that allows the attackers to directly load a second-stage unsigned kernel module. Each second-stage plug-in is customized to the victim machine it is deployed on, with some even containing a custom-compiled driver for each machine, and each plug-in has a specific set of actions to be carried out from kernel space. The first-stage shutdown notification function checks whether a kernel plug-in has been received from the C&C server and loaded in memory, for cleanup purposes. The variants we found fall into eight main clusters based on the vendor-specific metadata extracted from the SPC_SP_OPUS_INFO field of their Authenticode signatures, which revealed the various publishers on whose behalf these variants were signed (Figure 1).
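The SPC_SP_OPUS_INFO clustering described above, as an added example that is not code from the original report or its authors: a minimal DER decoder for that Authenticode attribute (OID 1.3.6.1.4.1.311.2.1.12), plus a grouping of samples by the programName it carries. It assumes the ASN.1 layout given in Microsoft's Authenticode PE specification; the sample ids, program names and URLs are constructed and hypothetical, not the actual Figure 1 publishers. It handles only the attribute body itself: on a real driver you would first pull the PKCS#7 blob out of the PE security directory (WIN_CERTIFICATE) and locate this attribute by OID in the SignerInfo's authenticatedAttributes, which libraries such as pefile or signify do for you.

```python
"""Minimal DER decoder for the Authenticode SPC_SP_OPUS_INFO attribute.

Added example, not code from the report. ASN.1 per Microsoft's Authenticode
PE specification:
    SpcSpOpusInfo ::= SEQUENCE {
        programName [0] EXPLICIT SpcString OPTIONAL,
        moreInfo    [1] EXPLICIT SpcLink   OPTIONAL }
    SpcString ::= CHOICE { unicode [0] IMPLICIT BMPSTRING,
                           ascii   [1] IMPLICIT IA5STRING }
    SpcLink   ::= CHOICE { url [0] IMPLICIT IA5STRING,
                           moniker [1] IMPLICIT SpcSerializedObject,
                           file [2] EXPLICIT SpcString }
"""
from collections import defaultdict

# OID of the attribute inside the PKCS#7 SignerInfo authenticatedAttributes.
SPC_SP_OPUS_INFO_OID = "1.3.6.1.4.1.311.2.1.12"


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_spc_string(tag, value):
    if tag == 0x80:                        # [0] IMPLICIT BMPSTRING (UTF-16BE)
        return value.decode("utf-16-be")
    if tag == 0x81:                        # [1] IMPLICIT IA5STRING
        return value.decode("ascii")
    raise ValueError(f"unexpected SpcString tag {tag:#x}")


def parse_spc_sp_opus_info(der):
    """Decode a DER-encoded SpcSpOpusInfo into {'program_name', 'more_info'}."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SpcSpOpusInfo must be a SEQUENCE")
    info = {"program_name": None, "more_info": None}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0xA0:                    # programName [0] EXPLICIT SpcString
            inner_tag, inner, _ = _read_tlv(value, 0)
            info["program_name"] = _decode_spc_string(inner_tag, inner)
        elif tag == 0xA1:                  # moreInfo [1] EXPLICIT SpcLink
            inner_tag, inner, _ = _read_tlv(value, 0)
            if inner_tag == 0x80:          # url [0] IMPLICIT IA5STRING
                info["more_info"] = inner.decode("ascii")
            elif inner_tag == 0x82:        # file [2] EXPLICIT SpcString
                t2, v2, _ = _read_tlv(inner, 0)
                info["more_info"] = _decode_spc_string(t2, v2)
            # moniker [1] (SpcSerializedObject) carries no text; leave None
        else:
            raise ValueError(f"unexpected SpcSpOpusInfo tag {tag:#x}")
    return info


def cluster_by_program_name(samples):
    """Group (sample_id, der) pairs by the programName in SpcSpOpusInfo."""
    clusters = defaultdict(list)
    for sample_id, der in samples:
        name = parse_spc_sp_opus_info(der)["program_name"] or "<no programName>"
        clusters[name].append(sample_id)
    return dict(clusters)


# --- constructed sample input (encoder used only to build test data) -------

def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_spc_sp_opus_info(program_name=None, url=None):
    """Encode a SpcSpOpusInfo with a BMPSTRING programName and an IA5 url."""
    parts = b""
    if program_name is not None:
        parts += _tlv(0xA0, _tlv(0x80, program_name.encode("utf-16-be")))
    if url is not None:
        parts += _tlv(0xA1, _tlv(0x80, url.encode("ascii")))
    return _tlv(0x30, parts)


# Hypothetical sample ids and publisher strings; not the real Figure 1 data.
SAMPLES = [
    ("sample-1", build_spc_sp_opus_info("Example Gaming Driver", "http://example.invalid")),
    ("sample-2", build_spc_sp_opus_info("Example Gaming Driver")),
    ("sample-3", build_spc_sp_opus_info("Contoso Network Filter", "http://contoso.invalid")),
    ("sample-4", build_spc_sp_opus_info()),                   # empty SEQUENCE
]

if __name__ == "__main__":
    for name, ids in cluster_by_program_name(SAMPLES).items():
        print(f"{name}: {ids}")
```

The programName and moreInfo values are whatever the party running the signing tool chose to put there (signtool's `/d` and `/du` options), so they are useful for pivoting between samples but are not evidence of who actually holds the signing key; the certificate chain is what ties a signature to a publisher identity.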