www.trendmicro.com
Open in
urlscan Pro
2.17.189.179
Public Scan
URL:
https://www.trendmicro.com/en_us/research/23/g/hunting-for-a-new-stealthy-universal-rootkit-loader.html
Submission: On July 12 via api from TR — Scanned from DE
Submission: On July 12 via api from TR — Scanned from DE
Form analysis 1 forms found in the DOM
<form class="main-menu-search" aria-label="Search Trend Micro" data-equally-id="equally_ai___QPBPF">
<div class="main-menu-search__field-wrapper" id="cludo-search-form">
<table class="gsc-search-box">
<tbody>
<tr>
<td class="gsc-input">
<input type="text" class="gsc-input-field" name="search" title="search" placeholder="Search" autocomplete="off" aria-label="search">
</td>
</tr>
</tbody>
</table>
</div>
</form>Text Content
Business
search close
* Solutions
* By Challenge
* By Challenge
* By Challenge
Learn more
* Understand, Prioritize & Mitigate Risks
* Understand, Prioritize & Mitigate Risks
Improve your risk posture with attack surface management
Learn more
* Protect Cloud-Native Apps
* Protect Cloud-Native Apps
Security that enables business outcomes
Learn more
* Protect Your Hybrid World
* Protect Your Hybrid, Multi-Cloud World
Gain visibility and meet business needs with security
Learn more
* Securing Your Borderless Workforce
* Securing Your Borderless Workforce
Connect with confidence from anywhere, on any device
Learn more
* Eliminate Network Blind Spots
* Eliminate Network Blind Spots
Secure users and key operations throughout your environment
Learn more
* See More. Respond Faster.
* See More. Respond Faster.
Move faster than your adversaries with powerful purpose-built XDR,
attack surface risk management, and zero trust capabilities
Learn more
* Extend Your Team
* Extend Your Team. Respond to Threats Agilely
Maximize effectiveness with proactive risk reduction and managed
services
Learn more
* By Role
* By Role
* By Role
Learn more
* CISO
* CISO
Drive business value with measurable cybersecurity outcomes
Learn more
* SOC Manager
* SOC Manager
See more, act faster
Learn more
* Infrastructure Manager
* Infrastructure Manager
Evolve your security to mitigate threats quickly and effectively
Learn more
* Cloud Builder and Developer
* Cloud Builder and Developer
Ensure code runs only as intended
Learn more
* Cloud Security Ops
* Cloud Security Ops
Gain visibility and control with security designed for cloud
environments
Learn more
* By Industry
* By Industry
* By Industry
Learn more
* Healthcare
* Healthcare
Protect patient data, devices, and networks while meeting regulations
Learn more
* Manufacturing
* Manufacturing
Protecting your factory environments – from traditional devices to
state-of-the-art infrastructures
Learn more
* Oil & Gas
* Oil & Gas
ICS/OT Security for the oil and gas utility industry
Learn more
* Electric Utility
* Electric Utility
ICS/OT Security for the electric utility
Learn more
* Federal
* Federal
Learn more
* Automotive
* Automotive
Learn more
* 5G Networks
* 5G Networks
Learn more
* Platform
* Vision One Platform
* Trend Vision One
Our Unified Platform
Bridge threat protection and cyber risk management
Learn more
* Attack Surface Management
* Attack Surface Management
Operationalize a zero trust strategy
Learn more
* XDR (Extended Detection & Response)
* XDR (Extended Detection & Response)
Stop adversaries faster with a broader perspective and better context to
hunt, detect, investigate, and respond to threats from a single platform
Learn more
* Endpoint Security
* Endpoint Security
* Endpoint Security Overview
Defend the endpoint through every stage of an attack
Learn more
* Workload Security
* Workload Security
Optimized prevention, detection, and response for endpoints, servers,
and cloud workloads
Learn more
* Industrial Endpoint Security
* Industrial Endpoint Security
Learn more
* Cloud Security
* Cloud Security
* Trend Cloud One
Cloud Security Overview
The most trusted cloud security platform for developers, security
teams, and businesses
Learn more
* Cloud Security Posture Management
* Cloud Security Posture Management
Leverage complete visibility and rapid remediation
Learn more
* Container Security
* Container Security
Simplify security for your cloud-native applications with advanced
container image scanning, policy-based admission control, and container
runtime protection
Learn more
* File Storage Security
* File Storage Security
Security for cloud file/object storage services leveraging cloud-native
application architectures
Learn more
* Network Security
* Network Security
Advanced cloud-native network security detection, protection, and cyber
threat disruption for your single and multi-cloud environments.
Learn more
* Open Source Security
* Open Source Security
Visibility and monitoring of open source vulnerabilities for SecOps
Learn more
* Cloud Visibility
* Cloud Visibility
As your organization continues to move data and apps to the cloud and
transform your IT infrastructure, mitigating risk without slowing down
the business is critical.
Learn more
* Network Security
* Network Security
* Network Security Overview
Expand the power of XDR with network detection and response
Learn more
* Network Intrusion Prevention (IPS)
* Network Intrusion Prevention (IPS)
Protect against known, unknown, and undisclosed vulnerabilities in your
network
Learn more
* Breach Detection System (BDS)
* Breach Detection System (BDS)
Detect and respond to targeted attacks moving inbound, outbound, and
laterally
Learn more
* Secure Service Edge (SSE)
* Secure Service Edge (SSE)
Redefine trust and secure digital transformation with continuous risk
assessments
Learn more
* Industrial Network Security
* Industrial Network Security
Learn more
* Email Security
* Email Security
Stop phishing, malware, ransomware, fraud, and targeted attacks from
infiltrating your enterprise
Learn more
* Mobile Security
* Mobile Security
On-premises and cloud protection against malware, malicious applications,
and other mobile threats
Learn more
* Threat Intelligence
* Threat Intelligence
Keep ahead of the latest threats and protect your critical data with
ongoing threat prevention and analysis
Learn more
* Small & Midsized Business Security
* Small & Midsized Business Security
Stop threats with comprehensive, set-it-and-forget-it protection
Learn more
* All Products, Services and Trials
* All Products, Services and Trials
Learn more
* Research
* Research
* Research
* Research
Learn more
* About Our Research
* About Our Research
Learn more
* Research, News, and Perspectives
* Research, News, and Perspectives
Learn more
* Research and Analysis
* Research and Analysis
Learn more
* Blog
* Blog
Learn more
* Security News
* Security News
Learn more
* Zero Day Initiatives (ZDI)
* Zero Day Initiatives (ZDI)
Learn more
* Services
* Our Services
* Our Services
* Our Services
Learn more
* Service Packages
* Service Packages
Augment security teams with 24/7/365 managed detection, response, and
support
Learn more
* Managed XDR
* Managed XDR
Augment threat detection with expertly managed detection and response
(MDR) for email, endpoints, servers, cloud workloads, and networks
Learn more
* Incident Response
* Incident Response
Our trusted experts are on call whether you're experiencing a breach or
looking to proactively improve your IR plans
Learn more
* Support Services
* Support Services
Learn more
* Partners
* Channel Partners
* Channel Partners
* Channel Partner Overview
Grow your business and protect your customers with the best-in-class
complete, multilayered security
Learn more
* Managed Security Service Provider
* Managed Security Service Provider
Deliver modern security operations services with our industry-leading
XDR
Learn more
* Managed Service Provider
* Managed Service Provider
Partner with a leading expert in cybersecurity, leverage proven
solutions designed for MSPs
Learn more
* Cloud Service Provider
* Cloud Service Provider
Add market-leading security to your cloud service offerings – no matter
which platform you use
Learn more
* Professional Services
* Professional Services
Increase revenue with industry-leading security
Learn more
* Resellers
* Resellers
Discover the possibilities
Learn more
* Marketplace
* Marketplace
Learn more
* System Integrators
* System Integrators
Learn more
* Alliance Partners
* Alliance Partners
* Alliance Overview
We work with the best to help you optimize performance and value
Learn more
* Technology Alliance Partners
* Technology Alliance Partners
Learn more
* Our Alliance Partners
* Our Alliance Partners
Learn more
* Partner Tools
* Partner Tools
* Partner Tools
Learn more
* Partner Login
* Partner Login
Login
* Education and Certification
* Education and Certification
Learn more
* Partner Successes
* Partner Successes
Learn more
* Distributors
* Distributors
Learn more
* Find a Partner
* Find a Partner
Learn more
* Company
* Why Trend Micro
* Why Trend Micro
* Why Trend Micro
Learn more
* The Trend Micro Difference
* The Trend Micro Difference
Learn more
* Customer Success Stories
* Customer Success Stories
Learn more
* The Human Connection
* The Human Connection
Learn more
* Industry Accolades
* Industry Accolades
Learn more
* Strategic Alliances
* Strategic Alliances
Learn more
* About Us
* About Us
* About Us
Learn more
* Trust Center
* Trust Center
Learn more
* History
* History
Learn more
* Diversity, Equity and Inclusion
* Diversity, Equity and Inclusion
Learn more
* Corporate Social Responsibility
* Corporate Social Responsibility
Learn more
* Leadership
* Leadership
Learn more
* Security Experts
* Security Experts
Learn more
* Internet Safety and Cybersecurity Education
* Internet Safety and Cybersecurity Education
Learn more
* Legal
* Legal
Learn more
* Investors
* Investors
Learn more
* Connect with Us
* Connect with Us
* Connect with Us
Learn more
* Newsroom
* Newsroom
Learn more
* Events
* Events
Learn more
* Careers
* Careers
Learn more
* Webinars
* Webinars
Learn more
Back
Back
Back
Back
* Free Trials
* Contact Us
Looking for home solutions?
Under Attack?
0
Back
Folio (0)
Support
* Business Support Portal
* Virus and Threat Help
* Renewals and Registration
* Education and Certification
* Contact Support
* Find a Support Partner
Resources
* Cyber Risk Index/Assessment
* CISO Resource Center
* DevOps Resource Center
* What Is?
* Threat Encyclopedia
* Cloud Health Assessment
* Cyber Insurance
* Glossary of Terms
* Webinars
Log In
* Support
* Partner Portal
* Cloud One
* Product Activation and Management
* Referral Affililate
Back
arrow_back
search
close
Content has been added to your Folio
Go to Folio (0) close
Malware
HUNTING FOR A NEW STEALTHY UNIVERSAL ROOTKIT LOADER
In this entry, we discuss the findings of our investigation into a piece of a
signed rootkit, whose main binary functions as a universal loader that enables
attackers to directly load a second-stage unsigned kernel module.
By: Mahmoud Zohdy, Sherif Magdy, Mohamed Fahmy July 11, 2023 Read time: 10 min
(2643 words)
Save to Folio
Subscribe
--------------------------------------------------------------------------------
In one of our recent threat hunting investigations, we came across an
interesting new threat activity cluster that we initially thought was a false
positive detection for a Microsoft signed file. However, this turned out to be a
novel piece of a signed rootkit that communicates with a large
command-and-control (C&C) infrastructure for an unknown threat actor that we are
currently tracking and that we believe that is the same threat actor behind the
rootkit FiveSys. This malicious actor originates from China and their main
victims are the gaming sector in China. Their malware seems to have passed
through the Windows Hardware Quality Labs (WHQL) process for getting a valid
signature. We reported our findings to Microsoft's Security Response Center
(MSRC) in June 2023.
The main binary acts as a universal loader that allows the attackers to directly
load a second-stage unsigned kernel module. Each second-stage plug-in is
customized to the victim machine it’s deployed on, with some containing even a
custom compiled driver for each machine. Each plug-in has a specific set of
actions to be carried out from the kernel space.
The found variants are composed of eight main clusters based on the extracted
vendor specific metadata from the SPC_SP_OPUS_INFO fields in the signatures
(Authenticode) revealed various publishers that these variants signed on their
behalf (Figure 1).
Figure 1. The number of samples in each cluster
Figure 2. The number of signed drivers in 2022 and 2023 using Microsoft portal
Malicious actors currently use different approaches to sign their malicious
kernel drivers, typically by:
* Abusing Microsoft signing portals
* Using leaked and stolen certificates
* Using underground services
In this blog entry, we will shed some light on a threat that apparently followed
the first approach: abusing WHQL to have a valid signature on a malicious driver
that can be successfully loaded on recent Windows versions (Figure 3). We will
also provide technical details on this newly discovered malware that comes as a
standalone kernel driver signed directly by Microsoft, which is an evolving
attack vector that has been frequently appearing in today’s malware landscape.
Despite how complex is to build such capabilities, it seems that current
malicious actors are exhibiting competence and consistent usage of such tools,
tactics, and procedures (TTPs), regardless of their final motive and objectives.
Figure 3. Malware that comes as a standalone kernel driver signed directly by
Microsoft
HISTORICAL WHCP ABUSES
Figure 4 shows a timeline for the reported abuses for Windows Hardware
Compatibility Program (WHCP) that led to compromises of the Windows kernel trust
model. In June 2021, the Netfilter rootkit was reported, after which Microsoft
published an advisory detailing that it was used as a means of geo-location
cheating within the gaming community in China. Bitdefender then disclosed
FiveSys in October 2021, a rootkit that was mainly used to target online gamers
with the main goal of credential theft and in-game-purchase hijacking. Finally,
Mandiant reported the last known abuse that revealed Poortry malware, which had
been used in a number of cyberattacks that included ransomware-based incidents.
Figure 4. A timeline for the reported abuses for WHCP
HUNTING APPROACH FOR MODERN ROOTKITS
Hunting for 64-bit signed rootkits now is not as easy in the days when kernel
mode code signing (KMCS) policies mechanisms were introduced as the number of
64-bit signed drivers has increased, as shown in Figure 5. Back then, the volume
of signed drivers with at least one detection was much smaller, also the threat
actor did not favor it because of the higher development cost for modern kernel
rootkits, and the lake of technical capabilities to include kernel rootkits in
their malware arsenal or access to the techniques needed to bypass the security
defenses added to newer Windows versions. This makes hunting for such threats
more difficult, but this does not indicate that such threats have completely
disappeared from today’s malware landscape.
Figure 5. Total number of signed drivers with more than one detection before and
after 2015
As shown in Figure 6, we assessed our Windows kernel driver samples based on:
* Their signed driver’s signature being revoked or otherwise
* Their having one or more positive detections based on malware search engines,
including the VirusTotal malware repository
Table 1 shows how we segregated each set of the threat samples we have gathered:
Samples set Description Set 1 Signed drivers that have not been revoked with
zero positive detection Set 2 Signed drivers that have not been revoked with one
or more positive detection from different engines Set 3 Signed drivers that have
been revoked with zero positive detection Set 4 Signed drivers that have been
revoked with one or more positive detection from different engines
Table 1. Windows kernel driver threat sample sets
Figure 6. Windows kernel driver samples based on their signed drivers being
revoked or otherwise, and their having one or more positive detections
Hunting for new samples submissions from set 1 and set 2 for malicious behavior
(Figure 7) led us to investigate this emerging samples cluster and the
underlying C&C infrastructure serving the second stage plug-ins.
Figure 7. An increase in the number of kernel driver submissions belonging to
sample set 2 from 2020 to May 2022
FIRST STAGE ANALYSIS
Based on the collected samples from this campaign, we identified two different
clusters that share multiple similarities between their samples (Figure 8). We
observed a pattern of having some samples obfuscated with VMProtect and newer
samples with more functionality signed later without any obfuscation, which
indicates that the malicious actor behind these samples is still in the testing
and developing phase.
Figure 8. Two different clusters that share multiple similarities
Most of the samples are “Microsoft Windows Hardware Compatibility
Publisher”-signed drivers. We provide an analysis below for a sample from the
first cluster.
The driver first checks if there is another instance on the driver loaded to
memory (Figure 9) by trying to open the symbolic name “\??\ea971b87”, which is
created by the driver during initialization. If it successfully opened it, the
return error code “0FFFFCFC7” from DriverEntry stops the driver from loading.
Then, if the driver is not already loaded, it creates a symbolic name
“\??\ea971b87” and initializes its handler’s functions; it only uses
“IRP_MJ_DEVICE_CONTROL” and “IRP_MJ_SHUTDOWN” based on the current variants we
had observed (Figures 10 and 11).
Figure 9. Checking if driver is already loaded
Figure 10. Initializing IO handlers
Figure 11. Register shutdown notification handler
Then, the driver checks whether the binary compilation is a debug build or a
release, as shown in Figure 12. In case of a debug build, it prints some debug
messages throughout the execution; this indicates that the current samples are
still under development and testing. Then, the driver disables the User Account
Control (UAC) and Secure Desktop mode by editing the registry and initializes
Winsock Kernel (WSK) objects for initiating a network activity with the C&C
server (Figure 13).
Figure 12. Checking logic if the compilation is a debug build other than a
release
Figure 13. Disabling UAC then initializing WSK objects
Figure 14. Hooking the file system stack from the “IRP_MJ_DEVICE_CONTROL” device
control handler
FIRST-STAGE NETWORK INITIALIZATION
The first-stage driver is responsible for all network communication with the C&C
servers. It initiates all the communication from the kernel space using WSK, a
kernel-mode Network Programming Interface (NPI). With WSK, kernel-mode software
modules can perform network I/O operations using the same socket programming
concepts that are supported by user-mode Winsock2 (Figure 15).
It uses a Domain Generating Algorithm (DGA) algorithm to generate different
domains (Figure 16). If it fails to resolve an address, it connects directly to
fallout Ips that are hard coded inside the driver. It connects to the driver on
port 80 and creates a TCP socket for communication.
Figure 15. WSK-created socket types
Figure 16. Resolve DNS
Figure 17. Resolve DNS
Figure 18. DNS request from the first-stage driver
Figure 19. Connect to C&C server
Then, it periodically connects to the C&C server to get configuration. It has
the option to be a kernel driver loader:
* It receives the data from the C&C server byte by byte (Figure 21)
* It decodes and decrypts the received data (Figure 20)
* It loads the received kernel drivers to the memory directly without writing
it to the disk (Figure 22)
* It parses the received Portable Executable (PE) file and does all the
relocation
* It calls the driver entry point (Figures 23 and 24)
This way, the kernel plug-in will never touch the disk and will be only in
memory, which makes it stealthier and enables it to bypass detections.
Figure 20. Decoding data received from the C&C server
Figure 21. Receiving configuration for stage one
Figure 22. Resolving the functions address used to load the new received driver
Figure 23. Getting driver entry address
Figure 24. Calling the driver entry function
SECOND-STAGE PLUG-INS
The downloaded second-stage driver is self-signed, as it’s completely loaded by
the first-stage loader, bypassing the Windows native driver loader (Figure 25).
Hence, there is no need to sign these second-stage variants. It opens the file
“C:\WINDOWS\System32\drivers\687ae09e.sys” then reads its data and encodes it
(Figure 26). Then, it divides the data into chunks of memory and writes them to
registry path “\Registry\Machine\Software\PtMyMem” alongside its size and MD5
(Figures 27 and 28). After that, it deletes the file
“C:\WINDOWS\System32\drivers\687ae09e.sys” from the disk (Figure 29).
Figure 25. The self-signed driver for the second stage
Figure 26. Reading the file
Figure 27. The file info
Figure 28. The encoded file in the registry
Figure 29. Deleting the file written to the disk
ACHIEVING PERSISTENCE
The first-stage shutdown notification function checks if a kernel plug-in has
been received and loaded in memory from the C&C server for cleanup purposes. It
also checks the registry key “\Registry\Machine\Software\PtMyMem” if it
presents, then it iterates on all its subkeys and decodes the data, writing it
to the disk with the “C:\WINDOWS\System32\drivers\687ae09e.sys” path. Finally,
it creates a service with the name “BaohuName” that will run when the system
starts again.
The first stage alongside the second stage (the plug-in downloaded from the C&C
server) work together as part of the attackers’ self-protection and persistence
method. This technique, combined with the downloaded kernel plug-in from the C&C
server, will be the main persistence mechanism for this driver. The detailed
analysis for this specific second stage plug-in is as follows:
1. The first-stage driver connects to C&C sever to download second-stage driver
2. The second-stage driver reads the first-stage driver from disk and write it
to registry, then deletes it from disk
3. Then, the first-stage and second-stage drivers are only present in memory
4. Before rebooting, the first-stage shutdown notification routine is executed
5. The shutdown routine will read itself from registry, write itself back to
disk, and creates a service that starts the next time the system reboots
DEFENDER TERMINATOR PLUG-IN
The main objective of this driver is to stop Windows Defender software. It first
disables the anti-spyware detection from the registry key
“HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender” (Figure
30), disables the “SecurityHealthService” service (Figure 31), and stops
antivirus checks (Figure 32).
Figure 30. Stopping anti-spyware detection
Figure 31. Stopping the “SecurityHealthService” service
Figure 32. Disabling antivirus checks
It then adds an entry for all Windows Defender processes in the “Image File
Execution Options” registry (Figures 33, 34, and 35), so when any of them
crashes, another process will start (Figure 36). The executable that will start
is “C:\\Users\\Administrator\\Desktop\\111111111.exe,” which indicates that
these plug-ins are customized, and the threat actor is actively developing new
divers as needed. It eventually terminates all Windows Defender processes
(Figure 37).
Figure 33. Adds entry to Image File Execution Options
Figure 34. Debugger value in image file execution
Figure 35. Debugger value in image file execution
Figure 36. Windows Defender processes
Figure 37. Terminating the process
PROXY PLUG-IN
This plug-in is responsible for installing a proxy on the machine and
redirecting web browsing traffic to a remote proxy machine. It first edits the
Windows proxy configuration
“hxxp[:]//4dpyplftay8g90qb7l.kkvgsytcw4hsn3g0nc5r[.]xyz:17654/api/pac/PacReback?key=10252”.
Figure 38. The edited Windows proxy configuration
Then, it injects a JavaScript inside the browser that, based on the URL, might
redirect it to another server (Figure 40). As of May 31, 2023, the observed
script that checks the URL excludes the following suffixes:
* .edu
* .edu:
* .edu/
* .gov
* .gov:
* .gov/
If the URL is one of the domains that is being monitored, it will redirect the
traffic to the following addresses:
* HTTP will be redirected to “nt32vn1-redyf[.]gj2oydber4xfa6c[.]com[:]10385”
* HTTPS will be redirected to “ybqjb6[.]ady4111523[.]com[:]10385”
Here are some of the monitored domains:
* www[.]68chuanqi[.]com
* www[.]ooyy[.]com
* www[.]v8cq[.]com
* www[.]bairimen[.]com
* www[.]980cq[.]cn
It also excludes the following domains (Figure 42):
* www[.]baidu[.]com
* e[.]so[.]com
* www[.]sogou[.]com
Figure 39. The decode function
Figure 40. The URL filter
On January 6, 2023, we observed that the script had changed and started to
exclude all URLs that had the following extensions:
* .edu.
* .edu:
* .edu/
* .js
* .css
* .jpg
* .bmp
Figure 41. The updated URL filter
Figure 42. Excluded domains
Also, it stopped to redirect any of the DGA-generated domains and the proxy
servers were changed to the following:
* HTTP were now redirected to: 103.45[.]162[.]204:10252;
* HTTPS were now redirected to: 103.45[.]162[.]217:10252;
Here are some of the monitored domains:
* Angdao[.]com[.]cn
* www[.]newsensation.com[.]cn
Based on this, we believe that the attacker is optimizing their filter mechanism
to reduce noise.
ATTRIBUTION ANALYSIS
Upon analysis, we have discovered that the drivers and the well-known FiveSys
rootkit exhibit numerous similarities in terms of functionality, code
similarity, infrastructure, and victimology:
* There are similarities in the C&C infrastructure used by both FiveSys and the
newly signed drivers.
* Both the FiveSys rootkit and the second stage of the signed rootkit are
functionality focused on redirecting web browsing traffic to a custom proxy
server controlled by the attacker. Additionally, they both have the
capability to install a custom root certificate to redirect HTTPS traffic.
The primary purpose of the FiveSys rootkit is to monitor and redirect web
traffic, but this functionality has evolved and can now be found in the newly
signed rootkit, indicating advancements in its capabilities.
* The newly signed rootkit shares numerous functions that are identical to
those found in FiveSys, such as hooking the file system functions, and the
pre-create mini-filter function (Figure 44).
Figure 43. BinDiff output
Figure 44. Pre-create mini-filter function similarities between the signed
rootkit (right) and the FiveSys rootkit (left)
* Only Chinese systems have reported instances of FiveSys infections, just like
the newly discovered drivers that our sensors have detected exclusively
within China. One of the suspected entry points for these infections was a
trojanized Chinese game, much like FiveSys.
CONCLUSION
Malicious actors who are actively seeking high-privilege access to Windows
operating systems use techniques that attempt to combat the increased protection
that endpoint protection platform (EPP) and endpoint detection and response
(EDR) technologies provide users and processes. Because of these added layers of
protection, attackers tend to opt for the path of least resistance to get their
malicious code running via the kernel layer or even lower levels. This is why we
believe that such threats will not disappear from threat actors’ toolkits
anytime soon.
Malicious actors will continue to use rootkits to hide malicious code from
security tools, impair defenses, and fly under the radar for long periods of
time. These rootkits will see heavy use from sophisticated groups that have both
the skills to reverse-engineer low-level system components and the required
resources to develop such tools. These malicious actors also tend to possess
enough financial resources to either purchase rootkits from underground sources
or to buy code-signing certificates to build a rootkit. This means that the main
danger involving these kinds of rootkits lies in their ability to hide complex
targeted attacks that will be used early in the kill chain, allowing an attacker
to impair defenses before their actual payloads are launched in victim
environments.
We are currently working to make the indicators of compromise (IOCs) available
to the public as part of our ongoing efforts.
Tags
Latest News | Malware | Research | Cyber Threats
AUTHORS
* Mahmoud Zohdy
Threat Researcher
* Sherif Magdy
Threat Researcher
* Mohamed Fahmy
Threat Researcher
Contact Us
Subscribe
RELATED ARTICLES
* Abusing Web Services Using Automated CAPTCHA-Breaking Services and
Residential Proxies
* Cerber Version 6 Shows How Far the Ransomware Has Come
* Cryptocurrency-Mining Malware: 2018’s New Menace?
See all articles
Try our services free for 30 days
* Start your free trial today
*
*
*
*
*
RESOURCES
* Blog
* Newsroom
* Threat Reports
* DevOps Resource Center
* CISO Resource Center
* Find a Partner
SUPPORT
* Business Support Portal
* Contact Us
* Downloads
* Free Trials
*
*
ABOUT TREND
* About Us
* Careers
* Locations
* Upcoming Events
* Trust Center
*
Select a country / region
United States expand_more
close
THE AMERICAS
* United States
* Brasil
* Canada
* México
MIDDLE EAST & AFRICA
* South Africa
* Middle East and North Africa
EUROPE
* België (Belgium)
* Česká Republika
* Danmark
* Deutschland, Österreich Schweiz
* España
* France
* Ireland
* Italia
* Nederland
* Norge (Norway)
* Polska (Poland)
* Suomi (Finland)
* Sverige (Sweden)
* Türkiye (Turkey)
* United Kingdom
ASIA & PACIFIC
* Australia
* Центральная Азия (Central Asia)
* Hong Kong (English)
* 香港 (中文) (Hong Kong)
* भारत गणराज्य (India)
* Indonesia
* 日本 (Japan)
* 대한민국 (South Korea)
* Malaysia
* Монголия (Mongolia) and рузия (Georgia)
* New Zealand
* Philippines
* Singapore
* 台灣 (Taiwan)
* ประเทศไทย (Thailand)
* Việt Nam
Privacy | Legal | Accessibility | Site map
Copyright ©2023 Trend Micro Incorporated. All rights reserved
sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk
This website uses cookies for website functionality, traffic analytics,
personalization, social media functionality and advertising. Our Cookie Notice
provides more information and explains how to amend your cookie settings.Learn
more
Cookies Settings Accept
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1