Cisco Talos was one of several security firms that told Microsoft about drivers signed with illegitimately obtained certificates. Microsoft acknowledged the issue and suspended the accounts involved, which had been abusing the trust placed in a WHQL-signed driver.
Separately, Cisco published its findings on RedDriver, a browser-hijacking kernel driver built on Microsoft's own Windows Filtering Platform (WFP). It was signed with the help of HookSignTool, an open-source utility that forges the signing timestamp so a driver appears to have been signed before Microsoft's 29 July 2015 cutoff and is therefore still accepted by the kernel. For those unaware, WFP is the network traffic inspection and filtering framework introduced in Windows Vista that replaced the filtering mechanisms used in Windows XP and Windows Server 2003; the filters and callouts a driver registers with it can be dumped for inspection with the command netsh wfp show state.
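A practitioner reading this will want a quick way to check whether anything of this kind is loaded on their own hosts. The following script is an added example written for this page; it is not code from the article or from Cisco Talos. It enumerates the running kernel drivers, checks each image's Authenticode signature, and flags drivers that are unsigned, signed by a non-Microsoft (i.e. not WHQL) signer, signed with a now-expired certificate issued before the 2015 cutoff, or signed with a certificate on a suspect list. The thumbprint list, the helper names and the flag labels are assumptions introduced here; the placeholder thumbprint is not a real indicator and should be replaced with the ones from the Talos IOC list.

```powershell
# Added example, not code from the article or from Cisco Talos: triage the kernel
# drivers currently loaded on a host for the signature problems described above.
# Run from an elevated Windows PowerShell prompt.

# Assumption: thumbprints of known-bad signing certificates, filled in from the
# Talos IOC list. The value below is a placeholder, not a real indicator.
$SuspectThumbprints = @(
    '0000000000000000000000000000000000000000'
)

# Cross-signed drivers are only accepted if their signature predates this date,
# which is why HookSignTool-style tools forge the signing timestamp.
$LegacyCutoff = Get-Date '2015-07-29'

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports paths in several forms: C:\..., \??\C:\...,
    # \SystemRoot\system32\..., or system32\drivers\... relative to the Windows dir.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-LoadedDriverSignatureReport {
    $drivers = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig   = Get-AuthenticodeSignature -LiteralPath $path
        $cert  = $sig.SignerCertificate
        $flags = @()
        $signer = $null
        $thumb  = $null

        if ($sig.Status -ne 'Valid') { $flags += "status=$($sig.Status)" }

        if ($cert) {
            $signer = $cert.Subject
            $thumb  = $cert.Thumbprint
            if ($SuspectThumbprints -contains $thumb) { $flags += 'known-bad-cert' }
            # WHQL drivers are signed by Microsoft; anything else is a cross-signed
            # or test-signed driver and deserves a closer look.
            if ($signer -notmatch 'CN=Microsoft') { $flags += 'non-microsoft-signer' }
            # An expired pre-2015 certificate that still validates is exactly the
            # shape a forged-timestamp driver has (legitimate old drivers match too).
            if ($cert.NotBefore -lt $LegacyCutoff -and $cert.NotAfter -lt (Get-Date)) {
                $flags += 'expired-legacy-cert'
            }
        }

        [pscustomobject]@{
            Driver     = $d.Name
            Path       = $path
            Status     = $sig.Status
            Signer     = $signer
            Thumbprint = $thumb
            Flags      = ($flags -join ',')
        }
    }
}

# Show only drivers that raised at least one flag.
Get-LoadedDriverSignatureReport | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Only the known-bad-cert flag is a real indicator; the other flags are triage hints that will also match legitimate third-party and pre-2015 drivers, so treat them as a shortlist for manual review rather than a verdict. Get-AuthenticodeSignature does not expose the signing time itself, which is why the script uses the certificate's validity window as a proxy for a forged timestamp.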
The Cisco malware analysts were impressed with RedDriver's stability and acknowledged the skill needed to build it. In the section "RedDriver authors are skilled at driver development", the firm praises the competence of the driver's developers, noting that it did not encounter a single BSOD (blue screen of death) during its analysis. It writes:
RedDriver was likely developed by highly skilled threat actors as the learning curve for developing malicious drivers is steep. Writing Windows drivers requires a very specific skill set and deep knowledge of the Windows operating system. For example, drivers are highly prone to crashing. However, during our analysis, we did not encounter any crashes or “blue screens of death” (BSOD), which speaks to the authors’ skill. An incorrectly written driver can cause damage to or crash a system even if no malicious intent is present.
We do not know how intense or stressful the testing was, but RedDriver's developers could almost boast that the likes of AMD, Nvidia, Intel, or even Microsoft itself, do not always manage to ship drivers that stable. Jokes aside, one thing is clear: Cisco, which has presumably analyzed a great many malicious drivers, considers RedDriver one of the most skillfully crafted ones out there.
Beyond stability, Cisco praises the authors more generally, noting that integrating with WFP is not an easy task and that the threat actors used standard software development automation such as Jenkins:
Furthermore, WFP is a complex platform to implement and generally requires significant driver development experience to fully understand it.
The authors also demonstrated a familiarity or experience with software development lifecycles, another skill set that requires previous development experience. For example, while developing the infection chain, the authors used Jenkins, a tool commonly used by software developers to automate the development, building and testing of software.
Another indicator of the development experience of the authors is the use of specific sections of open-source tools. Rather than using the entire codebase of these tools, the authors of RedDriver borrow and integrate sections of the source code in different stages of the infection chain.
You can find more technical details about RedDriver in Cisco's blog post.