Cisco Talos uncovered RedDriver, an undocumented driver-based browser hijacker that uses the Windows Filtering Platform to intercept and tamper with browser traffic, active since at least 2021. It forges its driver signatures with HookSignTool, leverages UPX-packed binaries and ReflectiveLoader, and targets native Chinese-speaking users through a multi-stage infection chain that redirects browser traffic to localhost. #RedDriver #HookSignTool #WindowsFilteringPlatform #ReflectiveLoader #UPX #iCafe #DungeonFighterOnline
Keypoints
- RedDriver is an undocumented driver-based browser hijacker that uses the Windows Filtering Platform to intercept browser traffic.
- The malware forges its signature timestamp with HookSignTool to bypass Windows driver-signing policies.
- The infection chain relies on UPX packing and a ReflectiveLoader32 component to inject a DnfClient payload into a remote process.
- It hijacks traffic by redirecting browser requests to localhost (127.0.0.1) using a hardcoded list of target browser process names (focused on Chinese-language browsers).
- The campaign appears to target native Chinese speakers, with several indicators including language-specific names, C2 domains in China, and references to China-origin software.
- The authors are depicted as highly skilled in driver development, reuse open-source tools (HP-Socket, ReflectiveLoader), and show signs of a software-development mindset (e.g., a Jenkins path in the PDB).
MITRE Techniques
- [T1055.012] Reflective DLL Injection – The infection chain uses ReflectiveLoader32 to inject the DnfClient resource into a remote process. “DnfClientShell32 uses the ReflectiveLoader32 binary in its resource section to inject the DnfClient resource into a remote process.”
- [T1027] Obfuscated/Compressed Files and Information – Initial delivery is UPX-packed: “The infection chain begins with a single executable packed with Ultimate Packer for eXecutables (UPX), named ‘DnfClientShell32.exe.’”
- [T1105] Ingress Tool Transfer – The DnfClient begins communications to download the RedDriver payload from C2: “DnfClient begins encrypted communications with the command and control (C2) infrastructure to initiate the download of the RedDriver payload.”
- [T1071.001] Web Protocols – The malware uses C2 communications to operate and download payloads, i.e., web-based protocol channels for command and control.
- [T1112] Modify Registry – A root certificate is silently installed via a registry key: “MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\9743EE39882EFD63036E6EAD3AFFD6D765628161.”
- [T1057] Process Discovery – The malware searches for and hijacks “a hardcoded list of Chinese language browser process names.”
Indicators of Compromise
- [Domains] context – poilcy.itosha.top, newport.tofu77.top, workpoilcy.zhedwe.top, reserve.itosha.top, file.zhedwe.top, red.zhedwe.top, aireport.umpteen.top, q5y2qclsk18.malaji.top, laomao.run, and 1 more domain
- [IPs] context – 47.109.63.172, 8.137.97.186, 47.109.66.222, and 2 more IPs
- [Hashes] context – 5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e, 9e59eba805c361820d39273337de070efaf2bf804c6ea88bbafc5f63ce3028b1, c96320c7b57adf6f73ceaf2ae68f1661c2bfab9d96ffd820e3cfc191fcdf0a9b
- [Files] context – DnfClientShell32.exe, DnfClient, ReflectiveLoader32
- [Registry Keys] context – MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\9743EE39882EFD63036E6EAD3AFFD6D765628161
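A host-side check for two of the artifacts listed above, as an added example that is not code from the Talos post: it looks for the root-certificate thumbprint named in the report in both the LocalMachine Root store and the SystemCertificates registry path, and exports the current Windows Filtering Platform filter set so that non-Microsoft providers and filters can be reviewed. The export path and the XML element names used to list provider names are assumptions; everything else comes from the indicators on this page.

```powershell
# Added example (not from the Talos post). Run from an elevated PowerShell prompt.
$Thumbprint = '9743EE39882EFD63036E6EAD3AFFD6D765628161'   # thumbprint from the report
$WfpExport  = Join-Path $env:TEMP 'wfp-filters.xml'        # assumed export location

$findings = @()

# 1. Certificate store: has this thumbprint been trusted as a root CA on the host?
$rootCert = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if ($rootCert) {
    $findings += "Root store contains $Thumbprint (subject: $($rootCert.Subject))"
}

# 2. Registry: the same store location written directly under SystemCertificates,
#    which is the path the report quotes for the silent install.
$regPath = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$Thumbprint"
if (Test-Path -Path $regPath) {
    $findings += "Registry key present: $regPath"
}

# 3. WFP: export the active filter set. RedDriver is described as a WFP-based
#    interceptor, so any provider or filter name not belonging to Microsoft or
#    an installed security product deserves a closer look.
netsh wfp show filters file="$WfpExport" | Out-Null
if (Test-Path -Path $WfpExport) {
    # Element names below are an assumption about the netsh XML layout; if they
    # do not match, open the exported file and review the providers section directly.
    $names = Select-Xml -Path $WfpExport -XPath '//providers/item/displayData/name' |
        ForEach-Object { $_.Node.InnerText } | Sort-Object -Unique
    $suspect = $names | Where-Object { $_ -notmatch 'Microsoft' }
    if ($suspect) {
        $findings += "Non-Microsoft WFP providers: $($suspect -join ', ') (see $WfpExport)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No RedDriver certificate or WFP provider indicators found."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

If the thumbprint turns up in either location, remove the certificate from the Root store and review the exported WFP filters for the driver's provider before treating the host as clean; the browser hijack depends on both the trusted root and the traffic filter being in place.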
Read more: https://blog.talosintelligence.com/undocumented-reddriver/