A Novel Kernel Rootkit
A dropper sample was also uncovered during the campaign that wrote several files to disk, including a benign executable, a loader for the backdoor and a driver. Upon further investigation into the driver, researchers said that its purpose appears to be to hide and protect malicious artifacts from user-mode components.
“This includes four aspects: files, processes, registry keys and network connections. The driver has four global lists, one for each aspect, that contain the artifacts to hide,” said researchers. “The driver’s IOCTLs [input/output control system calls] allow dynamic configuration of the lists through its control device \Device\crtsys. As such, the dropper uses these IOCTLs to hide the driver’s registry key, the loader and backdoor files, and the loader process.”
The rootkit started by checking the operating system version and whether or not the target machine is running in safe mode, where the operating system boots in diagnostic mode rather than in normal operating mode. Researchers said the rootkit operations used Direct Kernel Object Modification (DKOM), a common Windows rootkit technique used to hide potentially damaging third-party processes or files from the task manager and event scheduler.
“For this reason, it relies on specific OS builds as otherwise it may cause the infected machine to crash,” said researchers. “In general, the latest supported build is Windows 10 Creators Update (Redstone 2), released in April 2017.”
Rootkits, often installed as drivers, are a popular tool for attackers to obtain privileges on infected systems, as well as to provide them with continual, hidden access. This specific rootkit had capabilities for hiding TCP connections from tools like netstat, hiding registry keys from users of Microsoft’s Registry Editor, and various other mechanisms to hide processes or to prevent process termination.
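Because a DKOM rootkit of this kind hides connections from the user-mode view that netstat shows, the standard defensive check is a cross-view comparison: take a second, independently recorded view of the same activity and look for discrepancies. The script below is an added example written for this article, not code from the researchers or the campaign; it compares constructed `netstat -ano` output against constructed Sysmon Event ID 3 (network connection) records and reports connections that the audit trail saw but netstat does not show, or shows under a different PID. All sample addresses, PIDs, paths and timestamps are constructed, and the simplified key=value event format is an assumption made for the example.

```python
"""Cross-view detection of TCP connections hidden from netstat.

Added example (not from the original article). Compares the tool view
(netstat -ano) with an audit view (Sysmon Event ID 3 records) and reports
connections present in the audit view but absent from, or mis-attributed
in, the tool view. Both inputs below are constructed sample data.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# (local_ip, local_port, remote_ip, remote_port)
Endpoint4 = Tuple[str, int, str, int]

# Constructed sample of `netstat -ano` output (documentation IP ranges, fake PIDs).
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     4320
  TCP    192.168.1.20:49801     203.0.113.7:8080       ESTABLISHED     2276
"""

# Constructed sample of Sysmon Event ID 3 records, flattened to key=value lines
# (the flattening is an assumption of this example). The last live record has no
# netstat counterpart: that is the discrepancy a cross-view check surfaces.
SYSMON_EVENTS = [
    "UtcTime=2022-03-01 09:30:00 ProcessId=5120 Image=C:\\Program Files\\Browser\\browser.exe "
    "SourceIp=192.168.1.20 SourcePort=49500 DestinationIp=192.0.2.44 DestinationPort=443",
    "UtcTime=2022-03-01 10:00:01 ProcessId=4320 Image=C:\\Windows\\System32\\svchost.exe "
    "SourceIp=192.168.1.20 SourcePort=49712 DestinationIp=203.0.113.10 DestinationPort=443",
    "UtcTime=2022-03-01 10:00:05 ProcessId=2276 Image=C:\\Windows\\System32\\svchost.exe "
    "SourceIp=192.168.1.20 SourcePort=49801 DestinationIp=203.0.113.7 DestinationPort=8080",
    "UtcTime=2022-03-01 10:00:09 ProcessId=3188 Image=C:\\ProgramData\\loader.exe "
    "SourceIp=192.168.1.20 SourcePort=49910 DestinationIp=198.51.100.23 DestinationPort=443",
]

# Constructed "current time" at which the netstat snapshot was taken.
NOW = datetime(2022, 3, 1, 10, 2, 0)

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
# key=value pairs; values may contain spaces (timestamps, paths) but never " key=".
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_netstat(text: str) -> Dict[Endpoint4, int]:
    """Tool view: {4-tuple: pid}. LISTENING sockets are skipped because Sysmon
    Event ID 3 records connections, not listeners, so they cannot be compared."""
    conns: Dict[Endpoint4, int] = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or m.group(5) == "LISTENING":
            continue
        lip, lport, rip, rport, _state, pid = m.groups()
        conns[(lip, int(lport), rip, int(rport))] = int(pid)
    return conns


def parse_sysmon(lines: List[str], now: datetime, window_seconds: int = 300) -> Dict[Endpoint4, dict]:
    """Audit view from Sysmon Event ID 3 records. Sysmon logs a connection once,
    at creation, and never logs its close, so only events inside a recent window
    are kept; an old record is not evidence that the socket still exists."""
    cutoff = now - timedelta(seconds=window_seconds)
    view: Dict[Endpoint4, dict] = {}
    for line in lines:
        f = dict(KV_RE.findall(line))
        when = datetime.strptime(f["UtcTime"], "%Y-%m-%d %H:%M:%S")
        if when < cutoff or when > now:
            continue
        key = (f["SourceIp"], int(f["SourcePort"]), f["DestinationIp"], int(f["DestinationPort"]))
        view[key] = {"pid": int(f["ProcessId"]), "image": f["Image"], "time": f["UtcTime"]}
    return view


def find_hidden_connections(tool_view: Dict[Endpoint4, int], audit_view: Dict[Endpoint4, dict]) -> List[dict]:
    """Cross-view diff: connections the audit view saw that the tool view omits,
    or attributes to a different PID. Either discrepancy deserves triage."""
    findings = []
    for key, info in audit_view.items():
        lip, lport, rip, rport = key
        record = {"pid": info["pid"], "image": info["image"], "local_port": lport,
                  "remote": f"{rip}:{rport}", "seen": info["time"]}
        if key not in tool_view:
            findings.append({"reason": "missing from netstat", **record})
        elif tool_view[key] != info["pid"]:
            findings.append({"reason": f"pid mismatch (netstat says {tool_view[key]})", **record})
    return findings


if __name__ == "__main__":
    hidden = find_hidden_connections(parse_netstat(NETSTAT_OUTPUT),
                                     parse_sysmon(SYSMON_EVENTS, now=NOW))
    for h in hidden:
        print(f"[{h['reason']}] pid={h['pid']} {h['image']} -> {h['remote']} (logged {h['seen']})")
```

On the constructed data the only finding is the loader process's connection to 198.51.100.23:443, which Sysmon recorded but netstat does not list; the stale browser record from half an hour earlier is dropped by the time window rather than reported as a false positive. In practice the same diff can be run against any second view the rootkit does not control (ETW, a network sensor, a firewall log); the point is that a DKOM rootkit can only unlink what is enumerated on the host it has compromised.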
Researchers also discovered that one of the rootkit’s two compromised digital signatures was also used by another known Chinese APT group, Winnti, to sign some of their tools. Winnti, which has been around since at least 2010, is known to heavily target the gaming industry and has previously used rootkits to modify server functionalities, and used stolen certificates to sign its malware.
“Although both Deep Panda and Winnti are known to use rootkits as part of their toolset, Fire Chili is a novel strain with a unique code base different from the ones previously affiliated with the groups,” said researchers.