NetFilter - Rootkit Signed with a Valid Digital Certificate

Description

FortiGuard Labs is aware of reports of a recently discovered rootkit named NetFilter. NetFilter, discovered by security researcher Karsten Hahn, carries a valid digital signature to evade detection. Threat actors favor malware signed with valid certificates because antivirus and other endpoint security software trust signed files. Because a company or organization is vetted by a certificate authority (CA) before a code-signing certificate is issued, operating systems and antivirus software treat files signed with such certificates as clean, which lets the file(s) operate with impunity.


What makes this latest discovery unique is that the signature is a valid Microsoft signature. Windows requires kernel-mode drivers to carry a Microsoft signature before it will load them, so a driver signed this way loads without tripping driver signature enforcement. Details are not available at this time as to how these Microsoft certificates came to be used to sign the malware. FortiGuard customers currently running the latest definition sets are protected against known NetFilter samples.


What is a RootKit?

A rootkit is malicious software that runs with the highest privileges on a system ("root" on Unix-like systems; administrator or kernel level on Windows) and hides its own presence and activity. Because it operates at that level, the changes it makes in the background typically go undetected by the tools that run below it, hence the term rootkit.


What are the Technical Details of this Threat?

Preliminary details remain scarce at this time, especially around distribution, the infection vector and the malware's traits. We will update this Threat Signal as further relevant information becomes available. Regarding network activity, all known NetFilter samples appear to communicate with multiple command-and-control (C2) servers located in China.


Signing information is as follows (the certificate chain, from the signing certificate up to the root):


Signer: Microsoft Windows Hardware Compatibility Publisher

Issuing CA: Microsoft Windows Third Party Component CA 2012

Root: Microsoft Root Certificate Authority 2010


Why hasn't the Certificate been Revoked?

Usually a certificate is revoked by the Certificate Authority (CA) once malware is observed to have been signed with it. However, a cursory review of the certificate used by NetFilter turns up more than 17,000 known files signed with it. Revoking it would invalidate the signatures on all of those files, most of which are legitimate third-party drivers, so revocation would cause widespread breakage.
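The signing chain listed above and the revocation discussion both come down to one question for a defender: which drivers on a given host load only because they carry this Microsoft Windows Hardware Compatibility Publisher signature, and do any of them match a known-bad hash? The following PowerShell script is an added example written for this Threat Signal; it is not code from FortiGuard or from the NetFilter research. It enumerates the kernel drivers registered on a Windows host, checks each file's Authenticode signature, walks the certificate chain, flags drivers signed by the publisher certificate named above, and compares each file's SHA-256 against a list you supply. The $KnownBadHashes list is a placeholder to be filled from your own threat-intelligence feed; the advisory does not publish hashes here.

```powershell
# Added example, not part of the original advisory. Run from an elevated
# PowerShell 5.1 (or later) session on the host being examined.

$WhcpSignerCN   = 'CN=Microsoft Windows Hardware Compatibility Publisher'
$KnownBadHashes = @()    # placeholder: upper-case SHA-256 hashes of known NetFilter samples

function Get-DriverSigningReport {
    param([string[]]$KnownBad = @())

    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        # PathName may carry a \??\ or \SystemRoot\ prefix; turn it into a plain file path.
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }

        $sig   = Get-AuthenticodeSignature -LiteralPath $path
        $chain = @()
        if ($sig.SignerCertificate) {
            $builder = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Offline chain build: the advisory explains why this certificate has not been
            # revoked, so an online revocation lookup would not change the verdict here.
            $builder.ChainPolicy.RevocationMode =
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            [void]$builder.Build($sig.SignerCertificate)
            $chain = @($builder.ChainElements | ForEach-Object { $_.Certificate.Subject })
        }
        $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

        [pscustomobject]@{
            Driver     = $_.Name
            State      = $_.State
            Path       = $path
            SigStatus  = $sig.Status           # Valid / NotSigned / HashMismatch / ...
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # True when the leaf certificate is the WHCP publisher certificate from the advisory.
            WhcpSigned = [bool]($chain | Where-Object { $_ -like "$WhcpSignerCN*" })
            Chain      = ($chain -join ' <- ')
            Sha256     = $sha256
            KnownBad   = ($KnownBad -contains $sha256)
        }
    }
}

# Usage: list every driver trusted purely because of the WHCP chain, known samples first.
# The WhcpSigned rows are also the files that revoking the certificate would break on this host.
Get-DriverSigningReport -KnownBad $KnownBadHashes |
    Where-Object { $_.WhcpSigned -or $_.KnownBad } |
    Sort-Object KnownBad -Descending |
    Format-Table Driver, State, SigStatus, KnownBad, Path -AutoSize
```

Two caveats apply. A "Valid" signature status is exactly the property this malware abuses, so it says nothing about intent; the WhcpSigned column narrows the population to review, it does not clear anything. And a rootkit that is already running can hide its own service entry from Win32_SystemDriver, so corroborate the result with an offline disk scan or with driver-load telemetry collected at load time (for example Sysmon event ID 6, which records the image path, hashes and signature status of each driver as it loads).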


What is the Status of Coverage?

Customers running current (AV) definitions are protected from NetFilter by the following:


W64/Agent.AOD!tr

W64/MalDrv.AOD!tr

W32/Agent.ADFG!tr

W64/Agent.L!tr

W32/Agent!tr

W32/PossibleThreat

W32/UPXHack.A

PossibleThreat.FAI


For FortiEDR protections, all published IOCs were added to our Cloud intelligence and will be blocked if executed on customer systems.


All known network IOCs are blocked by the FortiGuard WebFiltering Client.


Is this State Sponsored?

Details are unknown at this time.


How Serious of an Issue is This?

MEDIUM/HIGH. A rootkit is serious in itself, and this one carries a signature from a major organization, but there are no reports of widespread attacks at this time.


How Widespread is this Attack?

Global. Our telemetry shows hits worldwide, but the number of active infections at this time is low.


Any Other Suggested Mitigation?

Because of the potential for disruption of daily operations, reputational damage and unwanted release of personally identifiable information (PII), it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are patched, so that attackers cannot use them to establish a foothold within the network.


Also - organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing and spearphishing attacks. Employees should be told never to open attachments from someone they do not know, and to treat email from unrecognized or untrusted senders with caution. Since phishing and spearphishing attacks are commonly delivered through social engineering, it is crucial that end users within an organization be made aware of the various types of attacks in circulation. This can be accomplished through regular training sessions and impromptu tests using predetermined templates run by an organization's internal security department. Simple user awareness training on how to spot emails with malicious attachments or links can help prevent initial access into the network.