In July, security researchers made a shocking discovery: hundreds of malware samples, used by multiple hacking groups to infect Windows devices, had been digitally signed and certified as safe by Microsoft itself.
On Tuesday, different researchers made a similar announcement: Microsoft digital signing keys had been stolen to sign even more malware, used by an unknown attacker in a supply chain attack that infected around 100 carefully selected victims.
The malware, researchers from Symantec's Threat Hunter team said, was digitally signed with a certificate issued through the Microsoft Windows Hardware Developer Program and the Microsoft Windows Hardware Compatibility Program. These programs certify that device drivers, the software that runs deep within the core of Windows, come from a known and trusted source and can safely access the most sensitive areas of the operating system. Without that certification, drivers will not run on Windows.
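As an added illustration (not code from the article or from Symantec), the parser below reads the Attribute Certificate Table of a PE driver image, which is where an Authenticode signature such as the one on the Carderbee rootkit is embedded; a constructed minimal PE32+ skeleton stands in for a real driver file. Finding a signature blob says nothing about trust on its own: the signer chain, countersignature timestamp and Microsoft's driver revocation list still have to be checked before a driver is allowed to load.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory holding the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData blob


def parse_certificate_table(pe: bytes) -> list:
    """Return the WIN_CERTIFICATE entries embedded in a PE image.

    The security directory holds a raw file offset (not an RVA). An empty
    list means the image carries no embedded Authenticode signature.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_hdr = e_lfanew + 4 + 20                          # skip PE\0\0 and the COFF header
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    dd_base = opt_hdr + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 optional header layout
    num_dirs = struct.unpack_from("<I", pe, dd_base - 4)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return []
    off, size = struct.unpack_from("<II", pe, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    entries, end = [], off + size
    while off + 8 <= end and off + 8 <= len(pe):
        length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
        if length < 8:
            break
        entries.append({"revision": revision, "type": cert_type, "blob": pe[off + 8:off + length]})
        off += (length + 7) & ~7                         # entries are 8-byte aligned
    return entries


def is_authenticode_signed(pe: bytes) -> bool:
    """True if at least one PKCS#7 SignedData entry is embedded (trust is NOT verified here)."""
    return any(e["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA for e in parse_certificate_table(pe))


def build_minimal_pe(cert_blob: bytes = b"") -> bytes:
    """Constructed sample: a bare PE32+ header skeleton, optionally carrying one certificate entry."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")     # e_lfanew = 0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0)        # x64, 240-byte optional header
    opt = struct.pack("<H", 0x20B).ljust(108, b"\0") + struct.pack("<I", 16)       # magic ... NumberOfRvaAndSizes
    dirs = [0] * 32                                                                  # 16 (offset, size) pairs
    table = b""
    if cert_blob:
        entry = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        table = entry.ljust((len(entry) + 7) & ~7, b"\0")
        dirs[2 * IMAGE_DIRECTORY_ENTRY_SECURITY] = len(dos) + len(coff) + len(opt) + 128
        dirs[2 * IMAGE_DIRECTORY_ENTRY_SECURITY + 1] = len(table)
    return dos + coff + opt + struct.pack("<32I", *dirs) + table
```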
Somehow, members of this hacking group, which Symantec calls Carderbee, managed to get Microsoft to digitally sign a type of malware known as a rootkit. Once installed, a rootkit becomes an extension of the operating system itself.
To gain this level of access without being blocked by endpoint security systems and other defenses, the Carderbee hackers first needed the rootkit certified with Microsoft's seal of approval, which they obtained.
With the rootkit signed, Carderbee went “a little” further. By means that are not yet clear, the group attacked the infrastructure of Esafenet, a China-based software developer. The company develops the Cobra DocGuard Client, a product for encrypting and decrypting software so that it cannot be hacked.
Carderbee then pushed malicious updates to around 2,000 organizations that were the company's customers. After that, the group distributed the Microsoft-signed rootkit to about 100 of those organizations.
"It seems clear that the attackers behind this activity were patient and very skilled," Symantec researchers said.
"The fact that they only distributed the rootkit to a few computers suggests planning and target recognition by the attackers behind this activity."