Microsoft SharePoint Remote Code Execution Vulnerability

CVE-2023-33157

Microsoft Message Queuing Remote Code Execution Vulnerability

CVE-2023-32057

Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2023-33134

Microsoft SharePoint Server Spoofing Vulnerability

CVE-2023-33159

CVE-2023-35309

CVE-2023-33160

Microsoft Teams Information Disclosure Vulnerability

CVE-2023-24881

Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic.

Tuesday, July 11, 2023 13:07

*   Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver has been active since at least 2021.
*   RedDriver utilizes HookSignTool to forge its signature timestamp to bypass Windows driver-signing policies.
*   Code from multiple open-source tools has been used in the development of RedDriver's infection chain, including HP-Socket and a custom implementation of ReflectiveLoader.
*   The authors of RedDriver appear to be skilled in driver development and have deep knowledge of the Windows operating system.
*   This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves.  
    

**RedDriver targets Chinese-speaking users  
**

There are clear indications that the intended victims of this threat are native Chinese speakers. Firstly, the driver contains a hardcoded list of Chinese language browser process names, which are searched for and hijacked. Additionally, in one instance RedDriver contained a list of driver names, many of which were related to multiple Chinese language internet cafe management software products. There are also many indications that the authors of RedDriver are native Chinese speakers themselves.  

**Multi-stage infection chain leads to RedDriver  
**

RedDriver’s infection chain begins with a single executable packed with Ultimate Packer for eXecutables (UPX), named “DnfClientShell32.exe.” The resource section of the DnfClientShell32 binary contains two DLLs, one named “DnfClient” and another, aptly named “ReflectiveLoader32.”

*   DnfClientShell32 - 5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e
*   DnfClient - 9e59eba805c361820d39273337de070efaf2bf804c6ea88bbafc5f63ce3028b1
*   ReflectiveLoader32 - c96320c7b57adf6f73ceaf2ae68f1661c2bfab9d96ffd820e3cfc191fcdf0a9b

The filename “DnfClient” is likely used to masquerade as an identically named executable from a game called “Dungeon Fighter Online,” also referred to as “DNF.” The Dungeon Fighter games are immensely popular in China.

Once executed, DnfClientShell32 uses the ReflectiveLoader32 binary in its resource section to inject the DnfClient resource into a remote process. After the injection process is completed, DnfClient begins encrypted communications with the command and control (C2) infrastructure to initiate the download of the RedDriver payload. DnfClient then opens a listening port to receive redirected browser traffic from RedDriver. To facilitate network communications, DnfClient utilizes code from the open-source library HP-Socket.

**Introducing: RedDriver  
**

During our research into HookSignTool, Cisco Talos observed the deployment of an undocumented malicious driver utilizing stolen certificates to forge signature timestamps, effectively bypassing driver signature enforcement policies within Windows. Its name originates from the string “RedDriver” which is contained within the binary and the file name in its PDB file path: "E:\\\\Project\\\\PTU\\\\PTU\\\\Bin\\\\x64\\\\Release\\\\RedDriver.pdb”.

_RedDriver name within disassembly._

RedDriver is a critical component of a multi-stage infection chain that ultimately hijacks browser traffic and redirects it to localhost (127.0.0.1). The target browser is chosen from a hardcoded list containing the process names of many popular Chinese language browsers as well as Google Chrome and Microsoft Edge.

_Hard-coded list of browser names within RedDriver._

RedDriver imports several functions from FWPKCLNT.sys, a component of the Windows Filtering Platform:

> _“Windows Filtering Platform (WFP) is a set of API and system services that provide a platform for creating network filtering applications. The WFP API allows developers to write code that interacts with the packet processing that takes place at several layers in the networking stack of the operating system. Network data can be filtered and also modified before it reaches its destination,” from Microsoft MSDN._

_RedDriver FWPKCLNT.sys imports._

Using these imported functions, RedDriver redirects traffic from the hijacked browser and replaces the destination IP address with 127.0.0.1, thereby redirecting it to the listening port DnfClient opens. A root certificate is also silently installed on the target system without user interaction, as made evident by the registry entry that is added:

“MACHINE\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\ROOT\\CERTIFICATES\\9743EE39882EFD63036E6EAD3AFFD6D765628161”

As of publication time, the end goal of this browser traffic redirection is unclear. However, regardless of intent, this is a significant threat to any system infected with RedDriver, as this allows all traffic through the browser to be tampered with.

While describing the technical aspects of the WFP is outside the scope of this blog post, it is important to understand that these functions allow RedDriver to manipulate browser traffic at the packet level. WFP is a highly complex platform and implementing it successfully speaks to the skills of the authors of RedDriver. To understand the WFP, we recommend referring to the Microsoft documentation on the subject.

To reroute the browser traffic, RedDriver must first register what is referred to as a “callout” using the function “FwpsCalloutRegister1.” To change the IP address to localhost, RedDriver must acquire a handle to the target network traffic using “FwpsAcquireClassifyHandle0” and then pass the handle to “FwpsAcquireWritableLayerDataPointer0.”

_Acquiring network traffic to write to._

Once the appropriate data is acquired, it can perform the necessary alterations to the IP address, thereby rerouting the traffic to localhost.

_Applying the IP changes to network traffic._

**An older example of RedDriver**

During our research into RedDriver, we discovered an earlier version that appears to have been active since at least 2021. While there are differences between the versions, the overall functionality and structure is similar. However, in one instance of an earlier version, RedDriver contained a list of names belonging to dozens of drivers, many of which pertained to software that is Chinese in origin. The drivers in this list appear to be focused on software that would be used in internet cafes, as many of the names belong to internet cafe management software, graphics card drivers and browsers. Below is a non-exhaustive list of some of the names contained within the earlier version of RedDriver:

*   atikmdag.sys — ATI Radeon Kernel Mode Driver Package
*   fastshutdown.sys — iCafe, Sunward Information Technology Co. Ltd
*   genfs.sys — Pubwin, Hintsoft (internet cafe software)
*   genvf64.sys — Pubwin, Hintsoft (internet cafe software)
*   genvf.sys — Pubwin, Hintsoft (internet cafe software)
*   Kboot64.sys — Internet Cafe Butler (网吧管家)
*   nv4\_mini.sys — Nvidia, RIVA TNT
*   qqprotectx64.sys — Tencent QQ (instant messaging)
*   devicepnp64.sys — FaceIt (competitive gaming platform)
*   Tsqbdrv.sys — QQ Browser driver from technology company Tencent

Within a function referred to as “AntiMinifilterThread” in the debug strings, this version of RedDriver checks for the existence of these drivers using the Windows API function “FltEnumerateFilters,” which returns a pointer to the FLT\_FILTER structure containing the list of enumerated drivers. At offset **0x1a8** within this structure is the FLT\_OPERATION\_REGISTRATION structure, which contains the information that RedDriver needs to verify the filter drivers existence.

**RedDriver utilizing HookSignTool to bypass signature enforcement**

To bypass the driver signature enforcement in Windows, RedDriver makes use of HookSignTool, an open-source signature timestamp forging tool. To understand the context of this tool in relation to RedDriver we recommend reading our previous blog on the use of this tool. Several different code-signing certificates have been used to sign RedDriver, all of which are covered in the aforementioned blog post. The certificates we observed being used to sign RedDriver are: Beijing JoinHope Image Technology Ltd. and 北京汇聚四海商贸有限公司.

Cisco Secure products now include detections for these certificates and all certificates discussed in our HookSignTool blog post.Talos has notified Microsoft of the abuse of these certificates, which they promptly took action against.  

Bypassing the driver signature enforcement policies by using HookSignTool allows a threat actor to deploy drivers that would otherwise be blocked from running. RedDriver is a real-world example of this tool being effectively used in a malicious context. Based on our research regarding HookSignTool, RedDriver is not the only family of malicious driver that is utilizing timestamp-forging tools. It is reasonable to expect that signature timestamp forging will see continued use throughout the threat landscape, as the benefits of deploying malicious drivers may become increasingly attractive to threat actors.

**Indications of Chinese-speaking authors**

Based on the language codes in the metadata of the binaries within the RedDriver infection chain, and several other factors described below, we assess with high confidence that RedDrivers authors are native Chinese speakers. While the intent behind RedDriver is unclear, it is not unusual for internet cafes in China to be the target of cybercrime groups based in China. In 2018, over 100,000 computers in internet cafes across China were infected with coin miners, generating over $800,000 USD in “siacoin” for the attackers, who colluded with local computer service firms.

The most readily apparent indicator is the geolocation of the C2 infrastructure. All of the domains we observed during our research resolve to IP addresses located in China.

**Domains associated with RedDriver:**

*   poilcy\[.\]itosha\[.\]top — 47.109.63.172
*   newport\[.\]tofu77\[.\]top — 8.137.97.186
*   workpoilcy.zhedwe\[.\]top — 47.109.66.222
*   reserve.itosha\[.\]top — 47.109.33.213
*   file\[.\]zhedwe\[.\]top — 103.91.208.32
*   red\[.\]zhedwe\[.\]top — 47.109.73.113
*   aireport\[.\]umpteen\[.\]top — 47.108.76.161
*   q5y2qclsk18\[.\]malaji\[.\]top — 47.109.66.222
*   laomao\[.\]run — 47.108.64.162

The RedDriver infection chain utilizes code from multiple open-source tools and code copied from a forum post on a Chinese language forum. An interesting aspect of all of these codebases is that their authors all appear to be native Chinese speakers, as well.

https://github.com/strivexjun/DriverInjectDll

https://www.oschina.net/p/hp-socket

https://github.com/Jemmy1228/HookSigntool/tree/master

Aside from open-source repositories, we located a section of code within the initial binary that drops RedDriver (DnfClientShell32.exe) that was originally posted on bbs\[.\]kanxue\[.\]com, a Chinese language forum. The user who posted the code to the forum states that they have re-interpreted the source code of ReflectiveLoader and implemented their own version.

_Forum post containing ReflectiveLoader rewrite (translated from Chinese)._

There are clear similarities when comparing sections of the code posted by this user to the disassembly of the reflective loading function at 0x00407ca0 in the unpacked initial binary.

_Code section from forum post._

_Section of RedDriver initial binary function at_ 0x00407ca0.

**RedDriver authors are skilled at driver development**

RedDriver was likely developed by highly skilled threat actors as the learning curve for developing malicious drivers is steep. Writing Windows drivers requires a very specific skill set and deep knowledge of the Windows operating system. For example, drivers are highly prone to crashing. However, during our analysis, we did not encounter any crashes or “blue screens of death” (BSOD), which speaks to the authors’ skill. An incorrectly written driver can cause damage to or crash a system even if no malicious intent is present. Furthermore, WFP is a complex platform to implement and generally requires significant driver development experience to fully understand it.

The authors also demonstrated a familiarity or experience with software development lifecycles, another skill set that requires previous development experience. For example, while developing the infection chain, the authors used Jenkins, a tool commonly used by software developers to automate the development, building and testing of software. “Jenkins'' can be seen In the .PDB file path in the debug section of the DnfClient binary :“C:\\Jenkins\\workspace\\DnfClient\\Bin\\DnfClientShell32.pdb”.

Another indicator of the development experience of the authors is the use of specific sections of open-source tools. Rather than using the entire codebase of these tools, the authors of RedDriver borrow and integrate sections of the source code in different stages of the infection chain.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

ClamAV detections are available for this threat:

*   Win.Malware.RedDriver-10006025
*   Win.Tool.DriverInjectDll-10006024

**IOCs**

Indicators of Compromise associated with this threat can be found here.

Undocumented driver-based browser hijacker RedDriver targets Chinese speakers and internet cafes

Actors are leveraging multiple open-source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates.

Tuesday, July 11, 2023 13:07

*   Cisco Talos has observed threat actors taking advantage of a Windows policy loophole that allows the signing and loading of cross-signed kernel mode drivers with signature timestamp prior to July 29, 2015.
*   Actors are leveraging multiple open-source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates.
*   We have observed over a dozen code signing certificates with keys and passwords contained in a PFX file hosted on GitHub used in conjunction with these open source tools.
*   The majority of drivers we identified that contained a language code in their metadata have the Simplified Chinese language code, suggesting the actors using these tools are frequently used by native Chinese speakers.
*   Cisco Talos has further identified an instance of one of these open-source tools being used to re-sign cracked drivers to bypass digital rights management (DRM).
*   We have released a second blog post alongside this one demonstrating real-world abuse of this loophole by an undocumented malicious driver named RedDriver.  
    

_During the research phase for this blog post we reached out to Microsoft to notify them of our findings. In response, Microsoft has blocked all certificates discussed in this blog and has released an advisory. We would like to thank the Microsoft team for their assistance and cooperation in mitigating this threat._

**Malicious drivers pose a significant threat**

The Windows operating system (OS) is split into two layers, or “modes”: user mode, where the files and applications that users interact with reside, and the kernel mode, where kernel mode drivers and the underpinnings of Windows perform the necessary functions to run the system. Drivers can facilitate communication between these modes via the Windows API through a series of functions contained within system libraries.

Splitting the operating system into two modes creates a highly controlled logical barrier between the average user and the Windows kernel. This barrier is critical to maintaining the integrity and security of the OS, as access to the kernel provides complete access to a system. As such, leveraging a malicious driver can allow an attacker to pass through this barrier, resulting in total compromise of the target system.

_Windows kernel architecture_

Starting in Windows Vista 64-bit to combat the threat of malicious drivers, Microsoft began to require kernel-mode drivers to be digitally signed with a certificate from a verified certificate authority. Without signature enforcement, malicious drivers would be extremely difficult to defend against as they can easily evade anti-malware software and endpoint detection. Requiring signatures on drivers is the most critical component of defending against malicious kernel mode drivers.

Another issue that malicious drivers pose is the difficulty of conducting analysis of samples. Typical sandboxes used to analyze malware do not have the capability to monitor all of the behavior of a driver, meaning much of the analysis must be conducted manually. To further the difficulties posed by driver analysis, threat actors have begun to use code obfuscation on the drivers they deploy with tools such as VMProtect.

From an attacker's perspective, the advantages of leveraging a malicious driver include, but are not limited to, evasion of endpoint detection, the ability to manipulate system and user mode processes, and maintained persistence on an infected system. These advantages provide a significant incentive for attackers to discover ways to bypass the Windows driver signature policies.

Cisco Talos has observed threat actors taking advantage of a Windows policy loophole that allows the forging of signatures on kernel-mode drivers, thereby bypassing the certificate policies within Windows. As we will demonstrate below, this is facilitated by the use of open-source tooling and non-revoked certificates that either expired before or were issued prior to July 29, 2015.

**Windows driver policy loophole allows signature timestamp forging**

Starting with Windows 10 version 1607, Microsoft updated its driver signing policy to no longer allow new kernel-mode drivers that have not been submitted to, and signed by its Developer Portal. This process is intended to ensure that drivers meet Microsoft’s requirements and security standards. In an effort to maintain the functionality and compatibility of older drivers, Microsoft created exceptions for the following:

1.  ___The PC was upgraded from an earlier release of Windows to Windows 10, version 1607.___
2.  ___Secure Boot is off in the BIOS.___
3.  ___Drivers was_ \[sic\] _signed with an end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA.___

The third exception creates a loophole that allows a newly compiled driver to be signed with non-revoked certificates issued prior to or expired before July 29, 2015, provided that the certificate chains to a supported cross-signed certificate authority. If a driver is successfully signed this way, it will not be prevented from being installed and started as a service. As a result, multiple open source tools have been developed to exploit this loophole. This is a known technique though often overlooked despite posing a serious threat to Windows systems and being relatively easy to perform due in part to the tooling being publicly available.  

Talos has observed multiple threat actors taking advantage of the aforementioned Windows policy loophole to deploy thousands of malicious, signed drivers without submitting them to Microsoft for verification. During our research we identified threat actors leveraging HookSignTool and FuckCertVerifyTimeValidity, signature timestamp forging tools that have been publicly available since 2019 and 2018 respectively, to deploy these malicious drivers. While they have gained some popularity within the game cheat development community, we have observed the use of these tools on malicious Windows drivers unrelated to game cheats. In our blog post revealing RedDriver, a driver-based browser hijacker, we demonstrate a real-world example of HookSignTool being used in a malicious context.

**HookSignTool**

HookSignTool is a driver signature forging tool that alters the signing date of a driver during the signing process through a combination of hooking into the Windows API and manually altering the import table of a legitimate code signing tool. It was originally released in 2019 on the Chinese software cracking forum “52pojie\[.\]cn” by its author “JemmyLoveJenny” and has been available on GitHub since at least 2020.

_Original release of HookSignTool on 52pojie_

In the readme file on the HookSignTool Github, the author specifically mentions the use of the Chinese code signing utility “Digital Signature Tool for Asian Integrity'' (用于亚洲诚信数字签名工具) in conjunction with HookSignTool, although HookSignTool can theoretically be used with any code signing utility. This universal compatibility is achieved through the use of Microsoft Detours, a software package used for instrumenting and monitoring Windows API calls.

Before HookSignTool can be used, several steps must be taken to render it functional. First, it must be compiled and manually added into the import table of the legitimate signing tool as “_HookSigntool.dll!attach_”. To specify the date to forge, the user can pass a date as a command line argument or create a configuration file in the same directory as the code signing tool. Upon execution of the legitimate code signing tool, HookSignTool is loaded into the process and can then intercept and alter the signing date of the target driver.

HookSignTool requires another edit of the code signing tool; the URL strings of the timestamp authorities embedded within the legitimate tool must be replaced with the string “{CustomTimestampMarker-SHA1}” in hexadecimal with 0x00 in between each character. For example, “http\[:\]//timestamp.digicert.com” would be replaced with hexadecimal shown below:

7b 00 43 00 75 00 73 00 74 00 6f 00 6d 00 54 00 69 00 6d 00 65 00 73 00 74 00 61 00 6d 00 70 00 4d 00 61 00 72 00 6b 00 65 00 72 00 2d 00 53 00 48 00 41 00 31 00 7d 00 00 00 00 00

During the signing process, HookSignTool searches for this tag and replaces it with “https://pki\[.\]jemmylovejenny\[.\]tk/”. In addition, the JemmyLoveJenny EV Root CA certificate must also be installed on the system signing the driver, available on the author's personal website as shown below:

_JemmyLoveJenny’s personal website containing the required certificates_

HookSignTool calls the Detours function “DetourAttach” with two parameters: a pointer to the Windows API function to attach to, and a pointer to the “detour” function. The implementation within HookSignTool is shown below:

_Implementation of Detours in HookSignTool._

One of the most critical Windows API functions HookSignTool and FuckCertVerifyTimeValidity attaches to, as made clear by the latter’s name, is CertVerifyTimeValidity, a function that verifies that the signing date of a given file is valid.

_CertVerifyTimeValidity prototype._

By attaching to the _CertVerifyTimeValidity_ function, HookSignTool performs a “detour” to a custom implementation of _CertVerifyTimeValidity_ named _NewCertVerifyTimeValidity._ This allows HookSignTool to pass a custom time in the “pTimeToVerify” parameter, thereby allowing an invalid time to be verified.

To change the signing timestamp during execution, HookSignTool again uses the DetourAttach function to attach to the Windows API function GetLocalTime and detours to another function named _NewGetLocalTime_. This detour replaces the local time with the date supplied by the user that is within the valid range for the certificate being used. Once both GetLocalTime and CertVerifyTimeValidity are detoured, HookSignTool can supply and verify an illegitimate timestamp for the target binary.

By default, HookSignTool leaves artifacts within the signature it forges, enabling users to identify when it has been used on a given driver. One of these artifacts, “JemmyLoveJenny”, is a reference to the author of HookSignTool. Another artifact left behind is “Fake Timestamp Responder”, a rather conspicuous name that replaces the real timestamp authority name. However, the attacker can manually change the names of these artifacts if they have the skillset to do so, increasing the difficulty of identifying when HookSignTool has been used.

**FuckCertVerifyTimeValidity  
**

Originally released on GitHub on December 13th, 2018, FuckCertVerifyTimeValidity (aka FuckCertVerify) does not have as much functionality as HookSignTool, though provides the same end result of forging a signature timestamp. The tool is likely to have been developed for signing game cheating software, and since its release has been copied and uploaded into different GitHub repositories.

FuckCertVerifyTimeValidity works in a similar fashion to HookSignTool in that it uses the Microsoft Detours package to attach to the “CertVerifyTimeValidity” API call and sets the timestamp to a chosen date. Like HookSignTool, a function must be added to the import table of the legitimate signing tool, but in this case it’s “FuckCertVerifyTimeValidity.dll!test”. Unlike HookSignTool, FuckCertVerifyTimeValidity does not leave artifacts in the binary that it signs, making it very difficult to identify when this tool has been used.

_FuckCertVerifyTimeValidity attaching to Windows API_

To successfully forge a signature, HookSignTool and FuckCertVerifyTimeValidity require a non-revoked code signing certificate that expired or was issued before July 29, 2015, along with the private key and password. During our research, we identified a PFX file hosted on GitHub in a fork of FuckCertVerifyTimeValidity that contained more than a dozen expired code signing certificates frequently used with both tools to forge signatures. Many of these certificates are non-revoked and are widely used to forge signatures on game cheating software as well as malicious drivers. Stolen certificates from the 2015 Hacking Team leaks are included within the file, as well as certificates from a leak posted on a Chinese language software cracking forum. However, it is unclear how these certificates were obtained prior to the leaks. Below is a full list of owner names contained within these certificates:

**Hacking Team Certificates:**

*   Open Source Developer, William Zoltan
*   Luca Marcone
*   HT Srl

**Other certificates:**

*   Beijing JoinHope Image Technology Ltd.
*   Shenzhen Luyoudashi Technology Co., Ltd.
*   Jiangsu innovation safety assessment Co., Ltd.
*   Baoji zhihengtaiye co.,ltd
*   Zhuhai liancheng Technology Co., Ltd.
*   Fuqing Yuntan Network Tech Co.,Ltd.
*   Beijing Chunbai Technology Development Co., Ltd
*   绍兴易游网络科技有限公司
*   善君 韦
*   NHN USA Inc.

It is worth noting that any inconsistent capitalization of names in the list above comes directly from the certificates; these errors should not be corrected when used for detection purposes.

_PFX file imported into “Digital Signature Tool for Asian Integrity”_

We identified another certificate being used in the same manner, although it is not contained within the aforementioned PFX file.  

*   北京汇聚四海商贸有限公司 (Beijing Shihai Trading Co Ltd)

**Actors using these tools predominantly Chinese speakers**

Although HookSignTool has been available since 2019, it’s popularity and usage appears to be popular with native Chinese speakers. While it is unclear as to why its popularity has not spread further, it is likely that language barriers have played a part. The authors of both HookSignTool and FuckCertVerifyTimeValidity appear to be native Chinese speakers based on the language used in their respective GitHub repositories. In a set of 300 random samples we identified that contained HookSignTool artifacts, 30% contained the “Chinese (Simplified)” language code within the metadata, 10% contained “English (US)” and 1% “English (British)”, while 51% contained no language code. Of the samples that _did_ contain a language code, “Chinese (Simplified)” accounted for 71% of the sample set.

**Resigned cracked drivers used to bypass DRM**

The signing of malicious drivers isn’t the only issue that arises from the existence of these tools. During our research, we encountered HookSignTool being used to re-sign drivers after being patched to bypass digital rights management. Specifically, in the Chinese software cracking forum “bbs\[.\]wuyou\[.\]net”, the user “Juno\_Jr.” released a cracked version of “PrimoCache” on Nov. 9, 2022.

_Release of a cracked version of PrimoCache (Translated from Chinese)_

To be cracked successfully, the PrimoCache driver needed to be re-signed after patching in order to pass integrity checks within Windows. In the cracked version released on the aforementioned forum post, the patched driver was re-signed with a certificate originally issued to “Shenzhen Luyoudashi Technology Co., Ltd.”, which is contained in the PFX file on GitHub.

_Legitimate PrimoCache driver signature_

_Resigned PrimoCache driver signature_

Despite the warning displayed in the digital signature details above, the cracked driver for PrimoCache still functions properly when installed on Windows 10. This ability to resign a cracked driver removes a significant roadblock when attempting to bypass DRM checks in a signed driver. Generally, a signed driver will not execute if it has been tampered with due to integrity checks within the Windows operating system.  

**Ramifications, risk and defense**

HookSignTool and FuckCertVerifyTimeValidity present a serious threat as the installation of malicious drivers can provide an attacker kernel-level access to a system. These tools can also be used to re-sign a cracked driver to bypass DRM, which may lead to a loss of sales for an organization through software piracy. Aside from these risks, running unverified drivers even if no malicious intent is present can cause damage to a system if the driver is not written properly.

Cisco Talos recommends blocking the certificates mentioned in this blog post, as malicious drivers are difficult to detect heuristically and are most effectively blocked based on file hashes or the certificates used to sign them. Comparing the signature timestamp to the compilation date of a driver can sometimes be an effective means of detecting instances of timestamp forging. However, it is important to note that compilation dates can be altered to match signature timestamps.

Microsoft, in response to our notification, has blocked all certificates discussed in this blog post. Please refer to the advisory published by Microsoft for further information on their response.

Microsoft implements and maintains a driver block list within Windows, although it is focused on vulnerable drivers rather than malicious ones. As such, this block list should not be solely relied upon for blocking rootkits or malicious drivers.

Cisco Talos has created coverage for the certificates discussed in this blog and will continue to monitor this threat activity to inform future protections. Additionally, we will report any future findings regarding this threat to Microsoft.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 61805-61831 for Snort 2 and 300555-300568 for Snort 3.

**ClamAV detections are available for this threat:**

*   Revoked.CRT.HookSignTool-9999982-1
*   Revoked.CRT.HookSignTool-9999983-1
*   Revoked.CRT.HookSignTool-9999979-1
*   Revoked.CRT.HookSignTool-10000379-0
*   Revoked.CRT.HookSignTool-10000385-0
*   Revoked.CRT.HookSignTool-10000392-0
*   Revoked.CRT.HookSignTool-10000396-0
*   Revoked.CRT.HookSignTool-10000400-0
*   Revoked.CRT.HookSignTool-10000420-0
*   Revoked.CRT.HookSignTool-10000424-0
*   Revoked.CRT.HookSignTool-10000428-0

Old certificate, new signature: Open-source tools forge signature timestamps on Windows drivers

A Microsoft Windows policy loophole has been observed being exploited primarily by native Chinese-speaking threat actors to forge signatures on kernel-mode drivers.
"Actors are leveraging multiple open-source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates," Cisco Talos said in an exhaustive two-part report shared

A Microsoft Windows policy loophole has been observed being exploited primarily by native Chinese-speaking threat actors to forge signatures on kernel-mode drivers.

"Actors are leveraging multiple open-source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates," Cisco Talos said in an exhaustive two-part report shared with The Hacker News. "This is a major threat, as access to the kernel provides complete access to a system, and therefore total compromise."

Following responsible disclosure, Microsoft said it has taken steps to block all certificates to mitigate the threat. It further stated that its investigation found "the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified."

The tech giant, besides suspending developer program accounts involved in the incident, emphasized that the threat actors had already gained administrative privileges on compromised systems prior to use of the drivers.

It's worth pointing out that the Windows maker had rolled out similar blocking protections in December 2022 to prevent ransomware attackers from using Microsoft-signed drivers for post-exploitation activity.

Driver signature enforcement, which requires kernel-mode drivers to be digitally signed with a certificate from Microsoft's Dev Portal, is a crucial line of defense against malicious drivers, which could be potentially weaponized to evade security solutions, tamper with system processes, and maintain persistence.

The new weakness discovered by Cisco Talos makes it possible to forge signatures on kernel-mode drivers, thereby allowing Windows certificate policies to be bypassed.

This is made possible due to an exception carved out by Microsoft to maintain compatibility, which permits cross-signed drivers if they were "signed with an end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed \[certificate authority\]."

"The third exception creates a loophole that allows a newly compiled driver to be signed with non-revoked certificates issued prior to or expired before July 29, 2015, provided that the certificate chains to a supported cross-signed certificate authority," the cybersecurity company said.

As a result, a driver signed in this manner will not be prevented from being loaded on a Windows device, thereby enabling threat actors to take advantage of the escape clause to deploy thousands of malicious, signed drivers without submitting them to Microsoft for verification.

These rogue drivers are deployed using signature timestamp forging software such as HookSignTool and FuckCertVerifyTimeValidity, which have been publicly available since 2019 and 2018, respectively.

HookSignTool has been accessible via GitHub since January 7, 2020, while FuckCertVerifyTimeValidity was first committed to the code hosting service on December 14, 2018.

"HookSignTool is a driver signature forging tool that alters the signing date of a driver during the signing process through a combination of hooking into the Windows API and manually altering the import table of a legitimate code signing tool," Cisco Talos explained.

Specifically, it involves hooking to the CertVerifyTimeValidity function, which verifies the time validity of a certificate, to change the signing timestamp during execution.

"This tiny project prevents the signtool from verifing \[sic\] cert time validity and let you sign your bin with outdated cert without changing system time manually," the GitHub page for FuckCertVerifyTimeValidity reads.

UPCOMING WEBINAR

🔐 PAM Security – Expert Solutions to Secure Your Sensitive Accounts

This expert-led webinar will equip you with the knowledge and strategies you need to transform your privileged access security strategy.

Reserve Your Spot

"It install hook into crypt32!CertVerifyTimeValidity and make it always return 0 and make kernel32!GetLocalTime return what you want as you can add "-fuckyear 2011" to signtool's command line to sign a cert from year 2011."

That said, pulling off a successful forgery requires a non-revoked code signing certificate that was issued before July 29, 2015, along with the certificate's private key and passphrase.

Cisco Talos said it discovered over a dozen code signing certificates with keys and passwords contained in a PFX file hosted on GitHub in a forked repository of FuckCertVerifyTimeValidity. It's not immediately clear how these certificates were obtained.

What's more, it has been observed that HookSignTool has been used to re-sign cracked drivers in order to bypass digital rights management (DRM) integrity checks, with an actor named "Juno\_Jr" releasing a cracked version of PrimoCache, a legitimate software caching solution, in a Chinese software cracking forum on November 9, 2022.

"In the cracked version \[...\], the patched driver was re-signed with a certificate originally issued to 'Shenzhen Luyoudashi Technology Co., Ltd.,' which is contained in the PFX file on GitHub," Talos researchers said. "This ability to resign a cracked driver removes a significant roadblock when attempting to bypass DRM checks in a signed driver."

That's not all. HookSignTool is also being utilized by a previously undocumented driver identified as RedDriver to forge its signature timestamp. Active since at least 2021, it functions as a driver-based browser hijacker that leverages the Windows Filtering Platform (WFP) to intercept browser traffic and reroute it to localhost (127.0.0.1).

The target browser is chosen at random from a hard-coded list containing the process names of many popular Chinese language browsers like Liebao, QQ Browser, Sogou, and UC Browser, as well as Google Chrome, Microsoft Edge, and Mozilla Firefox.

"I initially found RedDriver while researching certificate timestamp forging on Windows drivers," Chris Neal, outreach researcher for Cisco Talos told The Hacker News. "It was one of the first samples I ran into that was immediately suspicious. What caught my attention was the list of web browsers stored inside the RedDriver file."

The ultimate objective of this browser traffic redirection is not clear, although it goes without saying that such a capability could be abused to tamper with browser traffic at the packet level.

RedDriver infection chains commence with the execution of a binary named "DnfClientShell32.exe," which, in turn, initiates encrypted communications with a command-and-control (C2) server to download the malicious driver.

"We didn't observe the delivery of the initial file, but it's very likely that the file was packaged to masquerade as a game file, and was hosted on a malicious download link," Neal said. "The victim probably thought they were downloading a file from a legitimate source and ran the executable. 'DNFClient' is the name of a file belonging to 'Dungeon Fighter Online' which is an extremely popular game in China and commonly referred to as 'DNF.'"

"RedDriver was likely developed by highly skilled threat actors as the learning curve for developing malicious drivers is steep," Cisco Talos said. "While the threat appears to target native Chinese speakers, the authors are likely Chinese speakers as well."

"The authors also demonstrated a familiarity or experience with software development lifecycles, another skill set that requires previous development experience."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#microsoft