RedDriver hijacker targets Chinese Microsoft users

August 1, 2023

A previously undocumented malicious driver, RedDriver, targets Chinese-speaking Microsoft users and hijacks browser traffic. The operators of this campaign appear to focus on native Chinese speakers, since most of their attacks infect Chinese-language browsers.

The attack chain begins with the execution of a malicious file named DNFClient. Researchers claimed that DNFClient is a lure based on Dungeon Fighter Online, a popular game in China.

Once the user executes the file, the campaign downloads RedDriver. Researchers explained that the hijacking driver is a crucial component of a multi-stage infection process, in which it takes control of browser traffic and redirects it to localhost.

To get loaded, the tool manipulates the operating system into trusting an unauthorised driver by employing stolen certificates to generate signatures with timestamps. The technique effectively circumvents Windows' driver signature enforcement policy.

Once loaded, the driver can abuse the Windows Filtering Platform (WFP) to intercept browser traffic. Furthermore, researchers said that drivers certified through Microsoft's Windows Hardware Developer Program (MWHDP) could be put to malicious use in the post-exploitation stages.
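As an added example (not code from the original article or from the research it summarises), the following PowerShell triage lists loaded kernel drivers whose signature rests on a third-party certificate plus a timestamp counter-signature, which is the signing pattern described above; it assumes Windows PowerShell 5.1 run with administrator rights.

```powershell
# Added example: enumerate running kernel drivers and summarise their Authenticode
# signing chain so a reviewer can spot non-Microsoft signers whose certificate has
# expired and whose validity therefore depends entirely on the timestamp.
# Assumption: Windows PowerShell 5.1, elevated session.

function Get-DriverSignatureTriage {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Win32_SystemDriver reports paths as \??\C:\... or \SystemRoot\... in places
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $signer = $sig.SignerCertificate
            $tsa    = $sig.TimeStamperCertificate

            [pscustomobject]@{
                Driver          = $_.Name
                Path            = $path
                Status          = $sig.Status
                Signer          = if ($signer) { $signer.Subject } else { '<unsigned>' }
                SignerExpired   = if ($signer) { $signer.NotAfter -lt (Get-Date) } else { $null }
                TimeStamped     = [bool]$tsa
                MicrosoftSigned = if ($signer) { $signer.Subject -match 'O=Microsoft Corporation' } else { $false }
            }
        }
}

# Review set: signatures Windows accepts, from a non-Microsoft signer, where the
# signing certificate is already expired and a timestamp counter-signature is present.
Get-DriverSignatureTriage |
    Where-Object { $_.Status -eq 'Valid' -and -not $_.MicrosoftSigned -and $_.SignerExpired -and $_.TimeStamped } |
    Format-Table Driver, Signer, SignerExpired, TimeStamped -AutoSize
```

Many legitimate vendor drivers also match this filter, so treat the output as a review list to reconcile against the known driver inventory rather than as a verdict.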

RedDriver was initially a tool that could compromise internet cafes.

According to the investigation, the previous version of RedDriver references software intended for internet café use; the evidence is that it includes names associated with internet café management software, browsers, and graphics card drivers.

In addition, the researchers noted the expertise of the RedDriver developers in creating malicious drivers that remain stable and avoid crashes, which is a challenging task. Implementing WFP is complex and commonly demands extensive driver development expertise.

Furthermore, the RedDriver authors show familiarity with software development lifecycles, implying a skill set acquired through experience.

Cybersecurity researchers remain unsure of the primary objective of the browser traffic redirection performed by the RedDriver hijacker, but the driver still poses a threat to any system infected with the malware.

Utilising such drivers could give an attacker several capabilities, such as evading endpoint detection, manipulating both system and user mode processes, and establishing persistence on a compromised system.
