Hackers Exploit Gaping Windows Loophole to Give Their Malware Kernel Access

upstart writes:

Microsoft blocks a new batch of system drivers, but the loophole empowering them remains:

Hackers are using open source software that's popular with video game cheaters to allow their Windows-based malware to bypass restrictions Microsoft put in place to prevent such infections from occurring.

The software comes in the form of two software tools that are available on GitHub. Cheaters use them to digitally sign malicious system drivers so they can modify video games in ways that give the player an unfair advantage. The drivers clear the considerable hurdle required for the cheat code to run inside the Windows kernel, the fortified layer of the operating system reserved for the most critical and sensitive functions.

Researchers from Cisco's Talos security team said Tuesday that multiple Chinese-speaking threat groups have repurposed the tools-one called HookSignTool and the other FuckCertVerifyTimeValidity. Instead of using the kernel access for cheating, the threat actors use it to give their malware capabilities it wouldn't otherwise have.

"During our research we identified threat actors leveraging HookSignTool and FuckCertVerifyTimeValidity, signature timestamp forging tools that have been publicly available since 2019 and 2018 respectively, to deploy these malicious drivers," the researchers wrote. "While they have gained popularity within the game cheat development community, we have observed the use of these tools on malicious Windows drivers unrelated to game cheats."

[...] While attackers who gain such privileges can steal passwords and take other liberties, their malware typically must run in the Windows kernel to perform a large number of more advanced tasks. Under the policy put in place with Vista, all such drivers can be loaded only after they've been approved in advance by Microsoft and then digitally signed by a trusted certificate authority to verify they are safe.

Read more of this story at SoylentNews.