Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions

More than a decade ago, rootkits were the apex predators of cybercrime. These clandestine computer programs were built to offer attackers an uninterrupted foothold onto victims’ computers and conceal malicious activities from the operating system as well as from antimalware solutions.
For the past few months, Bitdefender researchers have seen a surge in malicious drivers with valid digital signatures issued through the WHQL signing process.
This research focuses on FiveSys – a digitally signed rootkit that made its way through the driver certification process.
Key Findings
- Bitdefender researchers have identified a rootkit with a Microsoft-issued digital signature;
- The rootkit is used to proxy traffic to Internet addresses that interest the attackers.
- We assume that the rootkit targets online games with the main goal of credential theft and in-game-purchase hijacking
- The rootkit has been targeting computer users for more than a year now
- Rootkit spreading is limited to China and we presume that it is operated by a threat actor with significant interest in the market.
Indicators of Compromise
An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known indicators of compromise can be found in the whitepaper below.
tags
Author
Right now
Top posts
Vulnerabilities Identified in Wyze Cam IoT Device
March 29, 2022
New FluBot and TeaBot Global Malware Campaigns Discovered
January 26, 2022
Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately
December 10, 2021
Bitdefender, Law Enforcement Partnership Saves REvil Victims Half a Billion in Ransom Demand
November 08, 2021
Bitdefender Offers Free Universal Decryptor for REvil/Sodinokibi Ransomware
September 16, 2021
LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
July 21, 2021