Big Surprise: Chinese PUPs Deliver Backdoored Drivers

Discussion in 'malware problems & news' started by itman, Mar 21, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Affects all Win versions other than latest Win 10 Insider Preview builds.
    https://www.bleepingcomputer.com/news/security/big-surprise-chinese-pups-deliver-backdoored-drivers/
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,907
    Location:
    Slovenia, EU
    So it looks like this driver is signed so it can be installed?
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Don't believe so. It is doing this: The first is a defeat for the Driver Signature Enforcement, a Windows security feature that lets users install digitally signed drivers only from trusted software developers. I have already personally seen one instance of this happening on a Win 10 x64 PC although couldn't ID the malware source. In this instance it installed a kernel mode driver from the user temp directory which definitely is not supposed to be allowed in Win 10 x64. However, Process Explorer does exactly this but its driver is signed.

    -EDIT- A bit more detail about this incident which was hideous to say the least. The malware modified the registry to load the kernel driver from User Temp directory at boot time. However, I could find no trace of the driver in User Temp or Win driver directories. Appears the malware deleted the driver after installing the backdoor. The name of the driver pointed me to a driver used in an AV vendor system utility. This implies that somehow the malware developer hijacked a valid Microsoft code signed driver. Note that Win 10 will only allow Microsoft code signed kernel drivers.

    I assume but not sure that Win 10 Secure Boot would have prevented this but that feature is N/A for Win 10 Home versions.
     
    Last edited: Mar 21, 2017
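The situation itman describes (a kernel driver registered to load at boot from a user Temp directory, with the image file gone afterwards) is something a defender can check for in an exported Services key. The following Python is an added example and is not code from this thread, from the Malwarebytes write-up or from Microsoft; it parses a constructed `reg export HKLM\SYSTEM\CurrentControlSet\Services` output (service names and paths are made up) and flags kernel-mode driver entries whose ImagePath sits outside System32\drivers, under a user-writable directory, or, when a list of files present on disk is supplied, points at an image that no longer exists.

```python
"""Audit a `reg export` of HKLM\\SYSTEM\\CurrentControlSet\\Services for kernel-mode
drivers registered from unexpected locations. Added example; not from the thread."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample export; service names and paths are invented for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoodDrv]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="\\SystemRoot\\System32\\drivers\\gooddrv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TempDrv]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,62,00,\
  6f,00,62,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,00,6f,00,\
  63,00,61,00,6c,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,78,00,2e,00,73,00,79,00,\
  73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SomeSvc]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe"
"""

SERVICE_KERNEL_DRIVER = 0x1
SERVICE_FILE_SYSTEM_DRIVER = 0x2
DRIVER_TYPES = {SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER}

# Lower-cased prefixes where a properly installed driver image normally lives.
EXPECTED_DRIVER_DIRS = (
    "\\systemroot\\system32\\drivers\\",
    "%systemroot%\\system32\\drivers\\",
    "system32\\drivers\\",
)
# Directories a standard user can write to; a boot-start driver here is a red flag.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _join_continuations(text: str) -> List[str]:
    """Re-join .reg lines that were wrapped with a trailing backslash."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:
            line = line.lstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def _decode_value(raw: str):
    """Decode the value forms this audit needs: quoted string, dword, hex(2)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ exported as UTF-16LE bytes
        data = bytes.fromhex(raw[7:].replace(",", ""))
        return data.decode("utf-16-le").rstrip("\x00")
    return None  # other binary types are irrelevant here


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Map each top-level service key name to its decoded values."""
    services: Dict[str, Dict[str, object]] = {}
    current = None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            parts = line[1:-1].split("\\")
            # Only direct children of ...\Services, not their Parameters subkeys.
            if len(parts) >= 2 and parts[-2].lower() == "services":
                current = services.setdefault(parts[-1], {})
            else:
                current = None
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = _decode_value(m.group(2))
    return services


def _normalize(image: str) -> str:
    p = image.strip().strip('"').lower()
    return p[4:] if p.startswith("\\??\\") else p


def audit_services(reg_text: str,
                   present_files: Optional[Set[str]] = None) -> List[Tuple[str, str, str]]:
    """Return (service, ImagePath, reason) for suspicious kernel-mode driver entries."""
    present = {f.lower() for f in present_files} if present_files is not None else None
    findings = []
    for name, values in parse_reg(reg_text).items():
        if values.get("Type") not in DRIVER_TYPES:
            continue
        image = values.get("ImagePath")
        if not isinstance(image, str) or not image:
            continue  # no ImagePath: Windows defaults to System32\drivers\<name>.sys
        p = _normalize(image)
        if any(marker in p for marker in USER_WRITABLE_MARKERS):
            findings.append((name, image, "driver image under a user-writable directory"))
        elif not any(p.startswith(d) for d in EXPECTED_DRIVER_DIRS):
            findings.append((name, image, "driver image outside System32\\drivers"))
        if present is not None and p not in present:
            findings.append((name, image, "image file not present on disk"))
    return findings


if __name__ == "__main__":
    for svc, path, why in audit_services(SAMPLE_REG):
        print(f"{svc}: {path} -> {why}")
```

On a real host the input comes from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` (the file is UTF-16 with a BOM, so open it with that encoding). The script only judges location and presence; confirming whether a flagged image is actually signed is a separate step (for example `Get-AuthenticodeSignature` in PowerShell) that this example does not perform.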
  4. Nitty Kutchie

    Nitty Kutchie Registered Member

    Joined:
    Apr 10, 2015
    Posts:
    160
    Last edited: Mar 21, 2017
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    This "puppy" does not use a signed driver. It is a complete bypass of driver signature enforcement:
    https://blog.malwarebytes.com/threat-analysis/2017/03/helpdetectwz-chinese-backdoor-drivers/
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,907
    Location:
    Slovenia, EU
    Are you sure that this is a reason? 1607 has been released for more than half a year. Also in 1607 MS enforced driver signing:
    https://blogs.msdn.microsoft.com/wi...r-signing-changes-in-windows-10-version-1607/

    Is this only coincidence or did this break driver loading procedure?
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    That is what the Malwarebytes article states:
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,907
    Location:
    Slovenia, EU
    OK, thnx. So it runs on 1607.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Here's another DSE bypass: http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3322
    -EDIT- In this case, it exploited the following vulnerability:
    Also from everything I gleaned from the Malwarebytes article, the driver is loaded dynamically so Secure Boot wouldn't prevent this Chinese PUP malware.
     
    Last edited: Mar 21, 2017
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    In regards to this, you omitted one important detail:
    So anyone who upgraded to Win 10 is screwed.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Also from the Malwarebytes article, this backdoor has existed since 2013:
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,907
    Location:
    Slovenia, EU
    Yes I saw that. It seems that they are afraid of breaking systems with outdated drivers. Security wise not good decision, but it will probably save their users from a lot of headache.
     
  14. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Ok does this mean they found AV programs on VT? Like those listed here on Wilders that some people here use?

    I see the POC code for loading an unsigned driver in the Malwarebytes blog.

    The exe in the code is flagged on VT by 4.
     
    Last edited: Mar 21, 2017
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Don't know what you exactly mean. The Malwarebytes article states author found sigs., samples, or both for previous Chinese apps using almost identical drivers as the current malware. He never mentioned by name the apps or any other ID data on them at VT.
    Give it a shot. Good test for Cylance...
     
  16. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I will in a VM. I don't think it is VM aware and am running latest insider update. Cylance quarantines the file right after they are unzipped. It did not make a peep on this file.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    The Chinese malware is.

    Don't know about the GitHub POC code though.
     
  18. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    My main test will see if my Windows version allows it.
     
  19. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Ok screen is what I get from the POC.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Appears SmartScreen is blocking the POC code by blacklisting its hash. You will have to disable native SS protection in Win 10 to test.
     
  21. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Appguard and Voodoo.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Appguard is blocking the "payload" from executing as it should.

    Not impressed with the VoodooShield alert. All it says is it has been previously detected by blacklisting. You already knew that from the SmartScreen alert.
     
  23. Nitty Kutchie

    Nitty Kutchie Registered Member

    Joined:
    Apr 10, 2015
    Posts:
    160
  24. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Crowdstrike thought it was 81% malicious. Yup, already knew about the VMProtect.
     
  25. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Voodoo did suggest to block the file.
     