Hunting for A New Stealthy Universal Rootkit Loader

A Trend Micro analysis uncovers a new signed rootkit loader cluster that acts as a universal kernel-driver loader, enabling second-stage unsigned modules to be loaded in the target system. The activity is linked to a China-based actor (associated with FiveSys), uses WHQL signing abuse, and employs in-memory, stealthy techniques to bypass defenses and persist across reboots. #FiveSys #WHQL #RootkitLoader #TrendMicro

Keypoints

  • The threat cluster centers on a signed rootkit whose main binary serves as a universal loader for second-stage unsigned kernel modules.
  • The actor is tracked as potentially linked to FiveSys and originates from China, focusing on gaming-sector victims in China.
  • The loader uses kernel-space networking (WSK) and a Domain Generating Algorithm to contact C&C infrastructure, with hard-coded fallbacks if DNS fails.
  • Proxy and web-redirect capabilities in a dedicated plug-in show traffic redirection and domain filtering to control outbound communications.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The first-stage driver downloads the second-stage driver from the C&C server. “The first-stage driver is responsible for all network communication with the C&C servers.”
  • [T1543.003] Create or Modify System Process: Windows Service – The malware creates a startup service named “BaohuName” to run on reboot. “Finally, it creates a service with the name “BaohuName” that will run when the system starts again.”
  • [T1112] Modify Registry – The loader edits the registry to disable UAC/Secure Desktop and to persist/configure components. “the driver disables the User Account Control (UAC) and Secure Desktop mode by editing the registry.”
  • [T1562.001] Impair Defenses: Disable Antivirus – The malware disables anti-spyware detection and Windows Defender-related services/keys. “disables the anti-spyware detection from the registry key ‘HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender’”
  • [T1179] Hooking – The malware hooks the file system stack via the IRP_MJ_DEVICE_CONTROL handler to intercept file-system activity. “Hooking the file system stack from the ‘IRP_MJ_DEVICE_CONTROL’ device control handler.”
  • [T1027] Obfuscated/Compressed Files and Information – Some samples are obfuscated with VMProtect, indicating stealth obfuscation. “some samples obfuscated with VMProtect.”
  • [T1070.004] Indicator Removal on Host: File Deletion – The second-stage payload is moved to memory and the installer deletes its disk copy. “then deletes the file ‘C:\WINDOWS\System32\drivers\687ae09e.sys’ from the disk.”

Indicators of Compromise

  • [Domain] nt32vn1-redyf.gj2oydber4xfa6c.com:10385, ybqjb6.ady4111523.com:10385 – C2 domains used by the first-stage/second-stage communications and redirection.
  • [Domain] www.68chuanqi.com, www.ooyy.com, www.v8cq.com, www.bairimen.com, www.980cq.cn – Monitored domains in the proxy/redirect setup.
  • [IP] 103.45.162.204:10252, 103.45.162.217:10252 – Proxy/C2 endpoints used after URL filtering changes.
  • [File] C:\WINDOWS\System32\drivers\687ae09e.sys – Self-signed second-stage driver referenced on disk during operation.
  • [File] C:\Users\Administrator\Desktop\111111111.exe – Path noted for a generated executable used by the proxy/redirect flow.
  • [Registry] \Registry\Machine\Software\PtMyMem – Registry storage location for staged payloads before disk writeback.
  • [Service] BaohuName – Service name created for persistence across reboots.
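As an added example (not part of the Trend Micro write-up or this summary), the script below sweeps exported endpoint telemetry for the indicators listed above and tags each hit with the MITRE technique it supports. The log lines are constructed, Sysmon-style key=value records, not real captures; the Sysmon event IDs are standard, but the `DisableAntiSpyware` value name under the Defender policy key is my assumption, since the write-up names only the key.

```python
"""Match the rootkit-loader indicators listed above against exported endpoint logs."""
import re
from collections import Counter
from dataclasses import dataclass

# Indicators as given in the summary above (lower-cased for case-insensitive matching).
C2_DOMAINS = {"nt32vn1-redyf.gj2oydber4xfa6c.com", "ybqjb6.ady4111523.com"}
PROXY_IPS = {"103.45.162.204", "103.45.162.217"}
DRIVER_PATH = r"c:\windows\system32\drivers\687ae09e.sys"
DROPPED_EXE = r"c:\users\administrator\desktop\111111111.exe"
STAGING_KEY = r"\registry\machine\software\ptmymem"
SERVICE_NAME = "baohuname"
# The write-up names only this policy key; the DisableAntiSpyware value seen in the
# sample log below is an assumption, not something the page states.
DEFENDER_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender"


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    technique: str
    raw: str


def match_indicators(line: str) -> list[tuple[str, str]]:
    """Return (indicator, technique) pairs found in one log line."""
    low = line.lower()
    found: list[tuple[str, str]] = []
    for domain in sorted(C2_DOMAINS):
        if domain in low:
            found.append((domain, "T1105 Ingress Tool Transfer (C&C domain)"))
    for ip in sorted(PROXY_IPS):
        # Anchor the address so 103.45.162.20 or 103.45.162.2040 do not match.
        if re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", low):
            found.append((ip, "Proxy/C2 endpoint"))
    if DRIVER_PATH in low:
        found.append((DRIVER_PATH, "Second-stage driver on disk"))
    if DROPPED_EXE in low:
        found.append((DROPPED_EXE, "Proxy/redirect executable"))
    if f"servicename={SERVICE_NAME}" in low:
        found.append((SERVICE_NAME, "T1543.003 Windows Service"))
    if STAGING_KEY in low:
        found.append((STAGING_KEY, "T1112 Modify Registry (payload staging)"))
    if DEFENDER_POLICY_KEY in low:
        found.append((DEFENDER_POLICY_KEY, "T1562.001 Impair Defenses"))
    return found


def scan_logs(text: str) -> list[Hit]:
    """Scan every non-empty line and collect all indicator hits with their line numbers."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    hits: list[Hit] = []
    for line_no, line in enumerate(lines, start=1):
        for indicator, technique in match_indicators(line):
            hits.append(Hit(line_no, indicator, technique, line))
    return hits


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits per technique so an analyst can see which stages of the chain are present."""
    return dict(Counter(hit.technique for hit in hits))


# Constructed Sysmon-style records (not real telemetry) in a simple key=value export format.
# EventID 22 = DNS query, 3 = network connect, 7045 = service install, 13 = registry set, 11 = file create.
SAMPLE_LOGS = r"""
2023-07-11T08:01:02Z EventID=22 Image=System QueryName=ybqjb6.ady4111523.com
2023-07-11T08:01:03Z EventID=3 Image=System DestinationIp=103.45.162.217 DestinationPort=10252
2023-07-11T08:01:05Z EventID=7045 ServiceName=BaohuName ImagePath=C:\WINDOWS\System32\drivers\687ae09e.sys
2023-07-11T08:01:06Z EventID=13 TargetObject=\REGISTRY\MACHINE\SOFTWARE\PtMyMem\payload Details=Binary Data
2023-07-11T08:01:07Z EventID=13 TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware Details=DWORD (0x00000001)
2023-07-11T08:01:09Z EventID=11 Image=System TargetFilename=C:\Users\Administrator\Desktop\111111111.exe
2023-07-11T08:02:00Z EventID=3 Image=C:\Program Files\App\app.exe DestinationIp=103.45.162.20 DestinationPort=443
"""

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for hit in found:
        print(f"line {hit.line_no}: {hit.technique} <- {hit.indicator}")
    print(summarize(found))
```

Substring matching on lower-cased paths is deliberate: the write-up quotes the driver path with mixed case, and Sysmon records it however the writer supplied it, so exact-case comparison would miss hits. The last sample line is a near-miss address that the anchored regex correctly ignores.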

Read more: https://www.trendmicro.com/en_us/research/23/g/hunting-for-a-new-stealthy-universal-rootkit-loader.html