In December 2023, Sophos X-Ops reported a detection, initially suspected to be a false positive, on an executable signed with a valid Microsoft Hardware Publisher Certificate. The file, labeled as a “Catalog Authentication Client Service” by “Catalog Thales,” was suspected to be an attempt to impersonate the legitimate company Thales Group.
Further investigation revealed that the file had previously been bundled with a setup file for a product named LaiXi Android Screen Mirroring, marketing software that can connect hundreds of mobile phones and control them in batches. While the legitimacy of the LaiXi software could not be confirmed, the file under investigation was determined to be a malicious backdoor.
This is not the first time Sophos X-Ops has seen threat actors abusing the Microsoft Windows Hardware Compatibility Program (WHCP). In December 2022, it was reported that attackers had deployed cryptographically signed drivers in an attempt to disable Sophos endpoint security products. These drivers were signed with a legitimate WHCP certificate.
The findings were reported to the Microsoft Security Response Center, and after validation, the team at Microsoft added the relevant files to its revocation list. The research into this backdoor validates and expands on some findings published by Stairwell in January 2024.