
'RedDriver' Browser Hijacker Targets Chinese-Speaking Microsoft Users

Cisco Talos has discovered a previously undocumented malicious driver, RedDriver, that hijacks browser traffic and targets Chinese-speaking users. The targeting is deliberate: the malware specifically looks for Chinese-language browsers to hijack.

Furthermore, it is probable that the authors of this threat are Chinese speakers themselves. The attacks have not yet been attributed to any cybercrime group.

Diving into details

The infection chain starts with the execution of a malicious file named DNFClient, named after Dungeon Fighter Online, a game popular in China.
  • Once executed, DNFClient downloads RedDriver, which Cisco Talos describes as the critical component of a multi-stage infection chain that ends with browser traffic being intercepted and redirected to localhost.
  • RedDriver is signed with stolen code-signing certificates and a forged signing timestamp. Windows still loads kernel drivers signed with a certificate issued before Microsoft's July 29, 2015 signing-policy cutoff, provided the signature carries a timestamp that falls inside the certificate's validity period. By forging that timestamp, the attackers can sign with stolen, long-expired certificates that driver signature enforcement still accepts.
  • Once loaded in the kernel, the driver registers with the Windows Filtering Platform (WFP), which lets it inspect and redirect the browser's network traffic.
Talos also found drivers signed through the Microsoft Windows Hardware Developer Program (MWHDP) being used for malicious purposes in post-exploitation activity.
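As an added example (not part of the Talos research or of this article), the PowerShell triage script below applies the two checks the description above suggests to a live host: which loaded third-party kernel drivers carry signing properties consistent with an old-certificate, forged-timestamp signature, and which WFP filters hand traffic to a callout driver. It assumes Windows 10/11 with administrator rights, the built-in Get-AuthenticodeSignature cmdlet and netsh wfp tool, Microsoft's July 29, 2015 cutoff for legacy cross-signed driver certificates, and the element names of the netsh XML dump; these assumptions are repeated in the comments. The output is a list of leads for review, not a verdict: many legitimately old drivers match the certificate checks, and a forged timestamp can still yield a signature status of Valid.

```powershell
# Added triage script, not from the Talos report. Run as Administrator.
# Assumption: 2015-07-29 is Microsoft's grandfathering cutoff for drivers
# signed with legacy cross-signed certificates.
$Cutoff = Get-Date '2015-07-29'

# Loaded kernel drivers that have an on-disk image path.
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$findings = foreach ($d in $drivers) {
    # PathName may be quoted or carry \??\ or \SystemRoot\ prefixes; normalise it.
    $path = $d.PathName.Trim('"') `
        -replace '^\\\?\?\\', '' `
        -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig  = Get-AuthenticodeSignature -FilePath $path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        [pscustomobject]@{ Driver = $d.Name; Path = $path; Status = $sig.Status
                           Signer = '(unsigned)'; NotBefore = $null; NotAfter = $null
                           Flags = 'NoSignature' }
        continue
    }
    # Microsoft-signed drivers are out of scope for this triage (simple subject match).
    if ($cert.Subject -match 'O=Microsoft Corporation') { continue }

    $flags = @()
    if ($cert.NotBefore -lt $Cutoff)        { $flags += 'CertIssuedBeforeCutoff' }
    if ($cert.NotAfter  -lt (Get-Date))     { $flags += 'CertExpired' }
    if ($sig.Status -ne 'Valid')            { $flags += "Status=$($sig.Status)" }
    if (-not $sig.TimeStamperCertificate)   { $flags += 'NoTimestampCountersign' }

    # A signature that is Valid, issued before the cutoff and already expired is
    # exactly the profile a back-dated signature presents; report it for review.
    if ($flags) {
        [pscustomobject]@{ Driver = $d.Name; Path = $path; Status = $sig.Status
                           Signer = $cert.Subject; NotBefore = $cert.NotBefore
                           NotAfter = $cert.NotAfter; Flags = ($flags -join ',') }
    }
}

$findings | Sort-Object Flags | Format-Table -AutoSize

# WFP is the interception mechanism. Dump the active filters and keep only those
# whose action hands the packet to a callout (i.e. to a driver). Assumption: the
# dump uses netsh's wfpdiag/filters/item element layout.
$wfpDump = Join-Path $env:TEMP 'wfp-filters.xml'
netsh wfp show filters file=$wfpDump | Out-Null
[xml]$wfp = Get-Content -LiteralPath $wfpDump

$wfp.wfpdiag.filters.item |
    Select-Object @{ n = 'Name';     e = { $_.displayData.name } },
                  @{ n = 'Provider'; e = { $_.providerKey } },
                  @{ n = 'Layer';    e = { $_.layerKey } },
                  @{ n = 'Action';   e = { $_.action.type } },
                  @{ n = 'Callout';  e = { $_.action.calloutKey } } |
    Where-Object { $_.Action -like 'FWP_ACTION_CALLOUT_*' } |
    Sort-Object Provider, Layer |
    Format-Table -AutoSize
```

Review the second table against the security products you expect on the host: every callout filter should map to a known provider. A callout on a stream or connect layer from a provider you cannot account for, combined with a driver that appears in the first table, is the combination worth escalating.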

Why is RedDriver scary?

  • An earlier version of RedDriver was bundled with software meant for internet cafes: the binary embeds names associated with internet cafe management software, graphics card drivers, and browsers.
  • Writing a malicious kernel driver that runs stably without crashing the system is difficult, and the RedDriver authors clearly have that expertise.
  • Implementing WFP interception correctly is complex and normally requires substantial driver-development experience.
  • The authors also show familiarity with software development lifecycles, suggesting skills gained through prior professional development work.

The bottom line

Cisco Talos researchers are still uncertain about the ultimate goal of the browser-traffic redirection. Regardless, RedDriver poses a substantial threat to any infected system. From the attacker's point of view, a malicious kernel driver offers several advantages, including evading endpoint detection, manipulating both system and user-mode processes, and maintaining persistence on the infected host.
Publisher: Cyware