Key points
- Threat actors obtained a Microsoft Windows Hardware Compatibility Publisher (WHCP) signature and used it to sign a malicious backdoor executable.
- The signed binary was bundled with LaiXi-related installers and claimed Hainan YouHu Technology Co. Ltd as the requesting publisher.
- The malware installs as a Windows service named “CatalogWatcher” and launches a worker thread that implements the backdoor functionality.
- The sample embeds a 3proxy binary to monitor/intercept network traffic and contains VMProtect calls indicating attempted code virtualization/obfuscation.
- Hard-coded C2 domain “catalog[.]micrisoftdrivers[.]com” is stored encrypted and recovered via a simple XOR routine; multiple compilation-timestamped variants exist.
- Sophos reported the findings to Microsoft; affected files were added to Microsoft’s revocation list (CVE-2024-26234) and Sophos detects the threat as Mal/Proxcat-A.
MITRE Techniques
- [T1553] Subvert Trust Controls – Threat actor acquired a WHCP signature to make the binary appear legitimate. (‘the threat actor managed to obtain a Microsoft Windows Hardware Compatibility Publisher signature from Microsoft’)
- [T1036] Masquerading – The malware uses misleading version/metadata and a service name to appear benign. (‘installs itself as a service called ‘CatalogWatcher’, with a service description of ‘Google ADB LoaclSocket [sic] Multi-threading Graphics API’’)
- [T1543.003] Create or Modify System Process: Windows Service – The backdoor persists by creating and running as a Windows service. (‘The file executes, it installs itself as a service called ‘CatalogWatcher’’)
- [T1027] Obfuscated Files or Information – Use of VMProtect exports and XOR string encryption to hinder analysis. (‘attempt to call the function VmProtectBeginVirtualization()’ and the shown XOR decryption snippet)
- [T1040] Network Sniffing – Embeds and uses a proxy (3proxy) to monitor/intercept network traffic on infected systems. (‘The suspicious file embeds a tiny freeware proxy server, called 3proxy… intended to monitor and intercept network traffic’)
- [T1071.001] Application Layer Protocol: Web Protocols – The backdoor communicates with C2 using a web-like domain (catalog[.]micrisoftdrivers[.]com) recovered at runtime. (‘The C2 server string “catalog[.]micrisoftdrivers[.]com” … is decrypted via a simple XOR operation’)
Indicators of Compromise
- [Domain] C2 / lookalike domain – catalog[.]micrisoftdrivers[.]com (decrypted at runtime)
- [File name] Installer / bundle – Laixi_Update_1.0.6.7_b.exe, LaiXi setup installers
- [Service name] Persistence – CatalogWatcher (service installed by the malware)
- [Certificate publisher] Signing metadata – Hainan YouHu Technology Co. Ltd (original requesting publisher shown in signature)
- [Sample hashes] Example SHA256 values from discovered samples – 815e21de6fab4b737c7dd844e584c1fc5505e6b180aecdd209fbd9b4ed14e4b2, 3c931548b0b8cded10793e5517e0a06183b76fa47d2460d28935e28b012e426c, and 11 more hashes
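The indicators above are only useful if they can be matched consistently against telemetry, and the summary defangs the domain with "[.]" while log sources record it plainly (often in mixed case, sometimes with a trailing root dot). The following is an added example, not code from the Sophos report: a small matcher that refangs and normalizes the listed indicators and checks them against a few constructed service-install and DNS-query records. The record format and field names are assumptions made for this example; only the indicator values come from the summary.

```python
"""
Added example (not from the Sophos report): match the listed IOCs against
constructed log records. Field names and record layout are assumptions.
"""
import re

# Indicators as the summary lists them (domain kept defanged on purpose).
IOC_DOMAINS = {"catalog[.]micrisoftdrivers[.]com"}
IOC_SERVICE_NAMES = {"CatalogWatcher"}
IOC_FILE_NAMES = {"Laixi_Update_1.0.6.7_b.exe"}
IOC_SHA256 = {
    "815e21de6fab4b737c7dd844e584c1fc5505e6b180aecdd209fbd9b4ed14e4b2",
    "3c931548b0b8cded10793e5517e0a06183b76fa47d2460d28935e28b012e426c",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def norm(value: str) -> str:
    """Refang, trim and lower-case so comparisons are case-insensitive."""
    return refang(value).strip().lower()


DOMAINS = {norm(d) for d in IOC_DOMAINS}
SERVICES = {norm(s) for s in IOC_SERVICE_NAMES}
FILES = {norm(f) for f in IOC_FILE_NAMES}
HASHES = {h.lower() for h in IOC_SHA256}

# Constructed records loosely modelled on service-install and DNS-query events.
SAMPLE_EVENTS = [
    {"type": "service_install", "service_name": "CatalogWatcher",
     "image_path": r"C:\Users\Public\Laixi_Update_1.0.6.7_b.exe",
     "sha256": "815E21DE6FAB4B737C7DD844E584C1FC5505E6B180AECDD209FBD9B4ED14E4B2"},
    {"type": "dns_query", "query": "CATALOG.micrisoftdrivers.com."},
    {"type": "service_install", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe", "sha256": "0" * 64},
    {"type": "dns_query", "query": "update.example.com"},
]


def match_event(event: dict) -> list:
    """Return (indicator_type, matched_value) pairs for one record."""
    hits = []
    if event.get("type") == "service_install":
        if norm(event.get("service_name", "")) in SERVICES:
            hits.append(("service_name", event["service_name"]))
        # Compare only the file name, since the install path will vary.
        basename = re.split(r"[\\/]", event.get("image_path", ""))[-1]
        if norm(basename) in FILES:
            hits.append(("file_name", basename))
        digest = event.get("sha256", "").lower()
        if digest in HASHES:
            hits.append(("sha256", digest))
    elif event.get("type") == "dns_query":
        # Resolver logs may append the root dot; strip it before comparing.
        query = norm(event.get("query", "")).rstrip(".")
        if query in DOMAINS:
            hits.append(("domain", query))
    return hits


def hunt(events: list) -> list:
    """Return [(event_index, hits)] for every record with at least one match."""
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e))]


if __name__ == "__main__":
    for index, hits in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {hits}")
```

Matching the service name, the file name and the hash independently matters here because the report notes both signed and unsigned variants with different timestamps: a hash list alone misses any variant not yet catalogued, while the service name survives across them.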
Analysis summary (technical procedure): Starting from a WHCP-authenticated executable, analysts extracted the Authenticode metadata to identify the original requesting publisher (Hainan YouHu Technology Co. Ltd) and cross-referenced the binary with installer bundles linked to LaiXi. Static inspection revealed an embedded 3proxy binary and strings showing the service functionality; dynamic/static traces showed the binary installs a Windows service named “CatalogWatcher”, queues a worker thread via QueueUserWorkItem, and launches the backdoor core from that thread.
The backdoor attempts to hinder analysis by calling a VMProtect export (VmProtectBeginVirtualization) and by storing configuration/C2 strings encrypted; a simple XOR loop decrypts the C2 domain (catalog[.]micrisoftdrivers[.]com). Analysts found multiple compilation-timestamped variants (from Jan–Oct 2023), some signed with WHCP and others unsigned, and extracted several SHA256 hashes corresponding to those variants.
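The report says only that the C2 domain is recovered "via a simple XOR operation", which is the common case where an analyst does not yet know the key. The following is an added example, not code from the Sophos report or the malware: it assumes a single-byte XOR key, brute-forces all 256 values over a constructed byte blob, and keeps any decoding that looks like a hostname. The blob, the key value 0x5A and the hostname heuristic are constructed for this example; the real sample's key, key length and string layout are not stated on the page.

```python
"""
Added example (not from the Sophos report): recover a single-byte-XOR
encoded hostname from a byte blob by brute-forcing the key. The key (0x5A)
and the blob are constructed; the real sample's scheme is only described
as "a simple XOR operation".
"""
import re

C2_PLAINTEXT = b"catalog.micrisoftdrivers.com"  # the domain named in the report
ASSUMED_KEY = 0x5A                                # assumption for this example


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encoding and decoding are identical."""
    return bytes(b ^ key for b in data)


# Constructed blob: two junk bytes, the encoded domain, two junk bytes.
SAMPLE_BLOB = b"\x00\x11" + xor_bytes(C2_PLAINTEXT, ASSUMED_KEY) + b"\x00\x00"

# Loose hostname shape: lowercase labels joined by at least one dot.
HOSTNAME_RE = re.compile(rb"[a-z0-9][a-z0-9-]{0,62}(?:\.[a-z0-9][a-z0-9-]{0,62})+")


def find_xor_hostnames(blob: bytes, min_len: int = 8) -> list:
    """Try all 256 single-byte keys; return (key, hostname) pairs that decode
    to something hostname-shaped and at least min_len bytes long."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        for match in HOSTNAME_RE.finditer(decoded):
            candidate = match.group(0)
            if len(candidate) >= min_len:
                hits.append((key, candidate.decode("ascii")))
    return hits


def best_candidate(blob: bytes):
    """Return the longest hostname-shaped decoding, or None if nothing fits.
    Short accidental matches under the wrong key are common; a long,
    well-formed hostname under one key is the signal worth reporting."""
    hits = find_xor_hostnames(blob)
    return max(hits, key=lambda kv: len(kv[1])) if hits else None


if __name__ == "__main__":
    print(best_candidate(SAMPLE_BLOB))
```

The same loop extends naturally to multi-byte keys by trying key lengths and positions, but the single-byte case already shows the analyst's check: once a decoding yields a plausible hostname, confirm it against the binary's network behaviour rather than trusting the string alone.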
After telemetry and artifact review, Sophos classified detections as Mal/Proxcat-A, reported the findings to Microsoft, and Microsoft added the relevant files to its revocation list (CVE-2024-26234). IOCs and sample details are available in the referenced report and associated repository.
Read more: https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/