Chinese-speaking Microsoft users have been targeted in attacks involving RedDriver, a malicious driver that enables browser traffic hijacking, according to The Record, a news site run by cybersecurity firm Recorded Future.
Threat actors behind RedDriver, which is believed to have been in use since 2021, begin their attacks with the malicious DNFClient file, whose name references the Dungeon Fighter Online game that is widely played in China; DNFClient then downloads the RedDriver tool, a Cisco Talos report showed.
RedDriver forges its signature timestamps using stolen certificates, which lets it evade Windows' driver signature enforcement policies and then use the Windows Filtering Platform to hijack browser traffic. An accompanying report noted the growing abuse of a Windows loophole to make malicious drivers appear legitimate, as the RedDriver attacks demonstrate.
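The loophole referred to above is the long-standing Microsoft exception under which drivers signed with an end-entity certificate issued before 29 July 2015 still load on Windows 10 and later when signature enforcement is on, which is why a forged timestamp paired with an old stolen certificate is valuable to an attacker. The following defender-side hunt script is an added example, not code from the article or from Cisco Talos: it enumerates running kernel drivers, reads each one's Authenticode signer, and flags drivers whose certificate predates that cut-off or whose signature does not verify. The 2015-07-29 date is taken from Microsoft's driver-signing policy, not from the article; everything else is standard Windows cmdlets.

```powershell
# Added example (not from the article): hunt running kernel drivers that are
# signed with a certificate issued before Microsoft's 2015-07-29 cut-off
# (the legacy exception that lets such drivers load under signature
# enforcement), or whose signature does not validate at all.
$Cutoff = Get-Date '2015-07-29'

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several forms; normalise to a file path.
    param([string]$RawPath)
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }
    $p = $RawPath -replace '^\\\?\?\\', ''                # strip NT "\??\" prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot     # expand "\SystemRoot"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # relative form
    return $p
}

$Findings = foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object State -eq 'Running') {
    $path = Resolve-DriverPath $drv.PathName
    if (-not $path -or -not (Test-Path $path)) { continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path   # embedded or catalog signature
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        Driver        = $drv.Name
        Path          = $path
        SigStatus     = $sig.Status
        Signer        = if ($cert) { $cert.Subject } else { '<unsigned>' }
        CertNotBefore = if ($cert) { $cert.NotBefore } else { $null }
        Timestamped   = [bool]$sig.TimeStamperCertificate
        # Certificate issued before the cut-off: eligible for the legacy exception.
        LegacyCert    = ($cert -and $cert.NotBefore -lt $Cutoff)
    }
}

# Drivers worth a closer look: legacy-certificate signed, or not validly signed.
$Findings | Where-Object { $_.LegacyCert -or $_.SigStatus -ne 'Valid' } |
    Sort-Object CertNotBefore |
    Format-Table Driver, Signer, CertNotBefore, Timestamped, SigStatus -AutoSize
```

A legacy-certificate hit is not proof of compromise on its own (some legitimate vendors still ship drivers signed that way), so compare the signer against your known-good driver inventory and check the certificate's revocation status before acting.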
"From an attacker's perspective, the advantages of leveraging a malicious driver include, but are not limited to, evasion of endpoint detection, the ability to manipulate system and user mode processes, and maintained persistence on an infected system," said researchers.