In July, security researchers revealed a sobering discovery: hundreds of pieces of malware used by multiple hacker groups to infect Windows devices had been digitally signed and validated as safe by Microsoft itself. On Tuesday, a different set of researchers made a similarly solemn announcement: Microsoft’s digital keys had been hijacked to sign yet more malware for use by a previously unknown threat actor in a supply-chain attack that infected roughly 100 carefully selected victims.
The malware, researchers from Symantec’s Threat Hunter Team reported, was digitally signed with a certificate for use in what is alternatively known as the Microsoft Windows Hardware Developer Program and the Microsoft Windows Hardware Compatibility Program. The program is used to certify that device drivers—the software that runs deep inside the Windows kernel—come from a known source and that they can be trusted to securely access the deepest and most sensitive recesses of the operating system. Without the certification, drivers are ineligible to run on Windows.
Hijacking keys to the kingdom
Somehow, members of this hacking team—which Symantec is calling Carderbee—managed to get Microsoft to digitally sign a type of malware known as a rootkit. Once installed, rootkits become what’s essentially an extension of the OS itself. To gain that level of access without tipping off end-point security systems and other defenses, the Carderbee hackers first needed its rootkit to receive the Microsoft seal of approval, which it got after Microsoft signed it.