
RedDriver Abuses Windows Driver Policy Loophole


An undocumented malicious driver called RedDriver uses an open-source tool to forge signature timestamps, as a way to bypass Microsoft’s Windows driver signature enforcement policies.

Researchers have uncovered an undocumented malicious driver, called RedDriver, which uses an open-source signature timestamp forging tool to bypass Microsoft’s Windows driver signature enforcement practices. The malicious driver targets Chinese-speaking victims and is being used to intercept browser traffic via the Windows Filtering Platform (WFP).

Researchers with Cisco Talos said that it’s unclear what the end goal is behind this browser traffic redirection; however, the ability to tamper with all traffic running through the browser poses “a significant threat to any system infected with RedDriver.” They also warned that the malicious driver, which has been active since 2021, was likely developed by highly skilled threat actors due to the steep learning curve needed for developing malicious drivers.

“RedDriver is a critical component of a multistage infection chain that ultimately hijacks browser traffic and redirects it to localhost (127.0.0.1),” according to Cisco Talos researchers in a Tuesday analysis. “The target browser is chosen from a hardcoded list containing the process names of many popular Chinese language browsers as well as Chrome and Microsoft Edge.”

Chris Neal, outreach researcher for Cisco Talos, said that the nature of drivers and how they fit into the operating system makes it difficult to gain visibility into malicious driver activity. For instance, EDR tools are unlikely to heuristically detect these malicious drivers, limiting any telemetry for researchers, said Neal.

“It’s difficult to get a sense of how widespread RedDriver is,” said Neal. “Based on the functionality, RedDriver is likely targeting Chinese internet cafes and Chinese speaking users, which is very specific. However, based on what I’ve encountered during my research into RedDriver, it does appear to be an effective campaign, although the scope of it is unclear. I regularly see new RedDriver uploads to open source repositories like VirusTotal.”

Malicious Drivers

Despite the high level of sophistication needed to develop them, malicious drivers are gaining traction with cybercriminals because they allow threat actors to break the barrier between the user mode (which consists of applications and files) and the kernel mode (which contains components necessary to run the system) of the Windows operating system. Drivers enable communications between these two modes through the Windows API, so a malicious driver could allow attackers to compromise the targeted system.

Microsoft has fought back against malicious drivers by requiring that driver certificates be signed by a legitimate certificate authority. However, threat actors have successfully bypassed these requirements through a number of methods. They have used an existing code-signing certificate that has been leaked, stolen or bought from an underground marketplace, for instance, or they have obtained a new certificate, either through Microsoft’s approval process by impersonating a legitimate entity or by abusing Microsoft’s portal for issuing the signed kernel modules.

In their research, Cisco Talos researchers found that RedDriver used a driver signature forging tool, called HookSignTool, in order to alter the signing date of a driver during the signing process. HookSignTool targets a loophole in Microsoft’s driver signing policy that allows a newly compiled driver to be signed with non-revoked certificates issued prior to (or expired before) July 29, 2015 as long as the certificates are signed by a legitimate certificate authority. Microsoft created this exception so that there would not be compatibility or functionality problems with older drivers.

“If a driver is successfully signed this way, it will not be prevented from being installed and started as a service,” according to Cisco Talos researchers. “As a result, multiple open source tools have been developed to exploit this loophole. This is a known technique though often overlooked despite posing a serious threat to Windows systems and being relatively easy to perform due in part to the tooling being publicly available.”

Open Source Driver Signature Forging Tools

HookSignTool is one of several open source tools being used by attackers to alter the signing date of kernel mode drivers, in order to load malicious drivers signed with stolen or expired certificates. Researchers also found another signature timestamp forging tool, called FuckCertVerifyTimeValidity, that has been publicly available since 2018 and has less functionality than HookSignTool. Both tools hook into the Windows API via a function called CertVerifyTimeValidity, which verifies the validity of the signing date in a file, before altering the timestamp.
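A triage heuristic for the policy exception and the timestamp forging described above, as an added example that is not from Cisco Talos or Microsoft: it reads the compile time from a driver's PE header and flags files that were built after the signing time their signature claims, or after the signing certificate expired. The certificate dates and signing time are assumed to have been extracted by a separate Authenticode parser; the function names, flag strings and sample values are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

UTC = timezone.utc
# Cutoff named in the article: certificates issued before this date
# fall under the legacy driver-signing exception.
POLICY_CUTOFF = datetime(2015, 7, 29, tzinfo=UTC)

def pe_compile_time(image: bytes) -> datetime:
    """Read TimeDateStamp from the COFF file header of a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    # Signature (4) + Machine (2) + NumberOfSections (2) precede the stamp.
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=UTC)

def triage(image, cert_not_before, cert_not_after, claimed_signing_time):
    """Return the reasons a signed driver deserves manual review.

    An empty list is not a clean bill of health: the PE timestamp is set
    by the builder and can be altered, so this only catches careless builds.
    """
    compiled = pe_compile_time(image)
    reasons = []
    if cert_not_before < POLICY_CUTOFF:
        reasons.append("cert-predates-policy-cutoff")
    if compiled > claimed_signing_time:
        reasons.append("compiled-after-claimed-signing-time")
    if compiled > cert_not_after:
        reasons.append("compiled-after-cert-expiry")
    return reasons

def make_pe(stamp: datetime) -> bytes:
    """Constructed sample: the smallest header pe_compile_time accepts."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, int(stamp.timestamp()), 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff

if __name__ == "__main__":
    # Constructed case: built in 2022, certificate valid 2012-2014,
    # signature claims it was applied in mid-2013.
    sample = make_pe(datetime(2022, 3, 1, tzinfo=UTC))
    print(triage(sample, datetime(2012, 1, 1, tzinfo=UTC),
                 datetime(2014, 1, 1, tzinfo=UTC),
                 datetime(2013, 6, 1, tzinfo=UTC)))
```

A genuinely old driver signed during its certificate's validity period yields only the first flag, so the two "compiled-after" flags are the ones worth alerting on.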

“Although HookSignTool has been available since 2019, its popularity and usage appears to be popular with native Chinese speakers,” said researchers. “While it is unclear as to why its popularity has not spread further, it is likely that language barriers have played a part. The authors of both HookSignTool and FuckCertVerifyTimeValidity appear to be native Chinese speakers based on the language used in their respective GitHub repositories.”

During their investigation, researchers also found a PFX file hosted on GitHub, in a fork of FuckCertVerifyTimeValidity, that contained over a dozen expired code-signing certificates. These certificates were part of various data leaks, and have been used widely to forge signatures both on malicious drivers and game cheating software, said researchers; however, it is unclear how they were obtained prior to the leaks. Microsoft has been notified of these certificates and has blocked them, the company said in an advisory on Tuesday.

“Microsoft has completed its investigation and determined that the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified,” according to Microsoft. “We’ve suspended the partners' seller accounts and implemented blocking detections for all the reported malicious drivers to help protect customers from this threat.”

Neal said that it is important for CISOs to understand that defending against malicious drivers is not the same as defending against a user-mode executable, and while methods exist for blocking the drivers based on the signature, it is critical to prevent them from being installed in the first place.

“They inherently work in a different way due to the Windows OS architecture, making them hard to detect post infection,” said Neal. “So having said that, it is important to understand that while malicious drivers are absolutely out there, they should not be the focus of how you defend your endpoints. But that’s not to say that preventative measures shouldn't be taken for drivers... the most important thing is preventing a threat actor from getting to the stage of an attack where they can install a driver. If a malicious driver was installed on an endpoint, there are some holes in your security posture that need to be closed.”