China's gaming sector is being targeted by China-based threat actors using a novel Microsoft-signed rootkit capable of communicating with attacker-controlled infrastructure, reports The Hacker News.
Trend Micro researchers identified several variants of the rootkit, grouped into eight distinct clusters, and found that 75 of the drivers used in the attacks during 2022 and 2023 had been signed through Microsoft's Windows Hardware Quality Labs (WHQL) program. A WHQL signature is trusted by Windows' kernel-mode code signing enforcement, so a signed rootkit loads on a default installation without tripping the block that an unsigned driver would. The first-stage driver disables User Account Control (UAC) and Secure Desktop mode, then retrieves second-stage plugins that carry out different functions. The campaign has been attributed to the threat actors behind the FiveSys rootkit.
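A defender reading the above will want two quick host checks: whether the UAC and Secure Desktop policy has been switched off, and which running kernel drivers carry a WHQL signature, so that "valid signature" is treated as a triage input rather than a clean verdict. The following PowerShell script is an added example, not code from the article or from Trend Micro's report. The registry value names are the documented Windows UAC policy values; that the loader edits exactly these values is an assumption of the script, as is the WHQL signer subject used to filter drivers.

```powershell
# Added example (not from the article or the Trend Micro report). Run from an
# elevated PowerShell prompt on the host being examined.
#   1. Flag a disabled UAC / Secure Desktop policy, the change attributed to the
#      first-stage driver. ASSUMPTION: the loader tampers with these standard
#      policy values; the article does not name the values it edits.
#   2. List running kernel drivers signed through WHQL for analyst triage.
#      A valid WHQL signature proves nothing about intent, which is the point.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $uacKey

# Documented Windows UAC policy values and what it means when they are 0.
$checks = @(
    @{ Name = 'EnableLUA';             Expected = 1; WhenOff = 'UAC disabled entirely' },
    @{ Name = 'PromptOnSecureDesktop'; Expected = 1; WhenOff = 'elevation prompts no longer shown on the Secure Desktop' }
)

foreach ($c in $checks) {
    $actual = $policy.($c.Name)
    if ($null -eq $actual) {
        Write-Output ("[info]  {0} absent (Windows default {1} applies)" -f $c.Name, $c.Expected)
    } elseif ($actual -ne $c.Expected) {
        Write-Output ("[ALERT] {0} = {1}: {2}" -f $c.Name, $actual, $c.WhenOff)
    } else {
        Write-Output ("[ok]    {0} = {1}" -f $c.Name, $actual)
    }
}

# ASSUMPTION: subject CN Microsoft places on WHQL-signed third-party drivers.
$whqlCn = 'CN=Microsoft Windows Hardware Compatibility Publisher'

Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise NT-style paths ("\??\C:\..." and "\SystemRoot\...") to Win32 paths.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig = Get-AuthenticodeSignature -FilePath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($subject -like "*$whqlCn*") {
            [pscustomobject]@{
                Driver   = $_.Name
                Path     = $path
                Status   = $sig.Status
                Signer   = $subject
                Modified = (Get-Item -LiteralPath $path).LastWriteTime
            }
        }
    } |
    Sort-Object Modified -Descending |
    Format-Table -AutoSize
```

The driver listing is sorted by file modification time so recently dropped binaries surface first; inbox drivers are usually catalog-signed under a different Microsoft subject and will not appear, which keeps the list to third-party WHQL submissions worth a second look. Get-AuthenticodeSignature reports only whether the signature is valid; deciding whether a validly signed driver belongs on the host is the analyst's job.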
"Malicious actors will continue to use rootkits to hide malicious code from security tools, impair defenses, and fly under the radar for long periods of time. These rootkits will see heavy use from sophisticated groups that have both the skills to reverse-engineer low-level system components and the required resources to develop such tools," the researchers said.