Open Source Driver Signature Forging Tools
HookSignTool is one of several open source tools that attackers are using to alter the signing date of kernel-mode drivers so that malicious drivers signed with stolen or expired certificates will load. Researchers also found another signature timestamp forging tool, called FuckCertVerifyTimeValidity, which has been publicly available since 2018 and has less functionality than HookSignTool. Both tools hook the Windows API function CertVerifyTimeValidity, which checks whether a signing date falls within a certificate's validity period, and then alter the timestamp so that an expired certificate is accepted.
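Because the forged signing date is chosen to fall inside the certificate's validity window, checking the date against the certificate alone proves nothing. The triage routine below is an added example (not code from the researchers or from either tool) of the cross-checks a defender can run once the signature fields have been extracted from a driver by a separate PE/Authenticode parser: the claimed signing time is compared with the PE linker timestamp, with a trusted RFC 3161 countersignature if one exists, and with a blocklist of leaked certificate thumbprints. The `SignedDriver` fields, the `triage` function and the blocklist value are all assumptions made for this example; the sample drivers are constructed.

```python
"""Timestamp consistency checks for a signed kernel driver (added example).

Back-dating the signing time into the certificate window makes the date
consistent with the certificate, so the checks here compare it against
evidence the signer does not control. All inputs are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class SignedDriver:
    """Fields a PE/Authenticode parser would extract (assumed layout)."""
    path: str
    signer_thumbprint: str                      # SHA-1 of the leaf code-signing cert
    cert_not_before: datetime
    cert_not_after: datetime
    claimed_signing_time: datetime              # signing time asserted by the signer
    pe_timestamp: Optional[datetime]            # IMAGE_FILE_HEADER.TimeDateStamp; None if zeroed/reproducible
    tsa_countersign_time: Optional[datetime] = None  # RFC 3161 countersignature time, None if absent


# Constructed placeholder; a real list would come from the vendor's revoked-certificate feed.
BLOCKED_THUMBPRINTS = {"0000000000000000000000000000000000000001"}


def triage(d: SignedDriver, now: datetime,
           build_skew: timedelta = timedelta(days=1)) -> List[str]:
    """Return a list of findings; an empty list means no inconsistency was seen."""
    findings: List[str] = []

    if d.signer_thumbprint.lower() in BLOCKED_THUMBPRINTS:
        findings.append("signer certificate is on the blocklist")

    # Expected to pass for a forged driver: the tools pick a date inside the window.
    if not (d.cert_not_before <= d.claimed_signing_time <= d.cert_not_after):
        findings.append("claimed signing time outside certificate validity")

    # A file cannot be signed before it was linked. Back-dating tools rewrite the
    # signing time but do not touch the PE header, so the two disagree.
    # build_skew tolerates clock drift between build and signing hosts.
    if d.pe_timestamp is not None and d.claimed_signing_time + build_skew < d.pe_timestamp:
        findings.append("claimed signing time precedes PE build timestamp")

    # Once the certificate has expired, only a countersignature from a trusted
    # timestamp authority can vouch for the signing date.
    if d.cert_not_after < now:
        if d.tsa_countersign_time is None:
            findings.append("certificate expired and no trusted timestamp countersignature")
        elif d.tsa_countersign_time > d.cert_not_after:
            findings.append("countersignature postdates certificate expiry")

    return findings


def _utc(*ymd: int) -> datetime:
    return datetime(*ymd, tzinfo=timezone.utc)


# Constructed sample: certificate expired in 2016, signing time back-dated into its
# window, but the driver was linked in 2023 and carries no countersignature.
FORGED = SignedDriver(
    path="constructed_forged.sys",
    signer_thumbprint="0000000000000000000000000000000000000001",
    cert_not_before=_utc(2015, 1, 1), cert_not_after=_utc(2016, 12, 31),
    claimed_signing_time=_utc(2016, 6, 1),
    pe_timestamp=_utc(2023, 5, 20),
)

# Constructed sample: current certificate, build precedes signing, countersigned.
CLEAN = SignedDriver(
    path="constructed_clean.sys",
    signer_thumbprint="abcdefabcdefabcdefabcdefabcdefabcdefabcd",
    cert_not_before=_utc(2022, 1, 1), cert_not_after=_utc(2025, 1, 1),
    claimed_signing_time=_utc(2023, 5, 21),
    pe_timestamp=_utc(2023, 5, 20),
    tsa_countersign_time=_utc(2023, 5, 21),
)

# Constructed sample: certificate has since expired, but a countersignature from
# inside the validity window vouches for the signing date.
EXPIRED_BUT_COUNTERSIGNED = SignedDriver(
    path="constructed_expired_ok.sys",
    signer_thumbprint="1234567890123456789012345678901234567890",
    cert_not_before=_utc(2020, 1, 1), cert_not_after=_utc(2022, 6, 30),
    claimed_signing_time=_utc(2021, 3, 1),
    pe_timestamp=_utc(2021, 2, 28),
    tsa_countersign_time=_utc(2021, 3, 1),
)

NOW = _utc(2023, 7, 12)  # constructed "current" time for the checks

if __name__ == "__main__":
    for drv in (FORGED, CLEAN, EXPIRED_BUT_COUNTERSIGNED):
        print(drv.path, triage(drv, NOW) or ["no findings"])
```

The PE header check is deliberately skipped when the timestamp is absent: linkers configured for reproducible builds store a hash rather than a time in that field, so a parser should pass `None` in that case instead of letting a meaningless value trigger a finding. The blocklist check is the one Microsoft's response maps to directly; the other two catch drivers signed with leaked certificates that have not yet been reported.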
“Although HookSignTool has been available since 2019, its popularity and usage appear to be popular with native Chinese speakers,” said researchers. “While it is unclear as to why its popularity has not spread further, it is likely that language barriers have played a part. The authors of both HookSignTool and FuckCertVerifyTimeValidity appear to be native Chinese speakers based on the language used in their respective GitHub repositories.”
During their investigation, researchers also found a PFX file hosted on GitHub, in a fork of FuckCertVerifyTimeValidity, that contained more than a dozen expired code signing certificates. These certificates were part of various data leaks and have been used widely to forge signatures on both malicious drivers and game cheating software, said researchers; however, it is unclear how they were obtained prior to the leaks. Microsoft has been notified of these certificates and has blocked them, the company said in an advisory on Tuesday.
“Microsoft has completed its investigation and determined that the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified,” according to Microsoft. “We’ve suspended the partners’ seller accounts and implemented blocking detections for all the reported malicious drivers to help protect customers from this threat.”
Neal said that it is important for CISOs to understand that defending against malicious drivers is not the same as defending against a user-mode executable, and while methods exist for blocking the drivers based on the signature, it is critical to prevent them from being installed in the first place.
“They inherently work in a different way due to the Windows OS architecture, making them hard to detect post infection,” said Neal. “So having said that, it is important to understand that while malicious drivers are absolutely out there, they should not be the focus of how you defend your endpoints. But that’s not to say that preventative measures shouldn’t be taken for drivers… the most important thing is preventing a threat actor from getting to the stage of an attack where they can install a driver. If a malicious driver was installed on an endpoint, there are some holes in your security posture that need to be closed.”