Chinese hackers have been exploiting a loophole in Windows policies to sign and load malicious kernel mode drivers on compromised systems, granting them elevated privileges and evading detection.
By altering the signing date of malicious drivers before July 29th, 2015, using tools like ‘HookSignTool’ and ‘FuckCertVerify,’ threat actors can utilize older, leaked certificates for privilege escalation.
These tools employ Windows API hooking and code signing manipulation techniques, leaving artifacts in some cases, while others remain undetectable.
The Windows policy loophole was introduced by Microsoft to restrict the loading of kernel mode drivers, but exceptions were made for older drivers. Chinese hackers have been using ‘HookSignTool’ and ‘FuckCertVerify’ to alter the signing date of malicious drivers, exploiting the exception.
‘HookSignTool’ utilizes API hooking and the Microsoft Detours library to perform driver signing, while ‘FuckCertVerify’ modifies signature timestamps. These tools require non-revoked code-signing certificates issued before the policy change in 2015.
Cisco Talos researchers have identified more than a dozen certificates available in GitHub repositories and Chinese forums that can be used with these tools. These certificates, often used for game cracks and bypassing DRM checks, have been employed for malicious purposes, including the signing of the browser hijacker ‘RedDriver.’ Microsoft has revoked the associated certificates and suspended developer accounts involved in this abuse.
The company has released security updates and implemented blocking detections to protect customers from the exploitation of legitimately signed drivers.
Although Microsoft has taken action, the risk persists as additional certificates may still be exposed or stolen. The use of malicious kernel mode drivers highlights the need for ongoing monitoring and proactive security measures.
While Microsoft does not classify this issue as a vulnerability, it underscores the importance of staying vigilant and regularly updating security measures to prevent further abuse of Windows policy loopholes by threat actors.
