No, Microsoft is not dabbling in cyberattacks on the side. What is really happening is that the group behind the malware somehow got Microsoft to provide a WHQL certification signature for it. Bitdefender reports that FiveSys is a malicious driver rootkit carrying a Windows Hardware Quality Labs (WHQL) certification. Microsoft grants this certification to driver packages after verifying them through the Windows Hardware Compatibility Program (WHCP). It is unclear how the threat actors obtained the certification. Once installed, the rootkit redirects the target machine's internet traffic through a proxy chosen from a list of 300 potential domains. “The redirection works for both HTTP and HTTPS; the rootkit installs a custom root certificate for HTTPS redirection to work. In this way, the browser doesn’t warn of the unknown identity of the proxy server,” Bitdefender explains.

Target

It seems that FiveSys is only spreading in China, which suggests that the group behind the malware is actively targeting users in that country. “Besides redirecting internet traffic, the rootkit also blocks loading of drivers from other malware writing groups, as they are probably attempting to limit competitor threat actors’ access to the compromised system.” Bitdefender informed Microsoft of the rootkit and its WHQL certification, and the company has since removed the signature.
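The two things the article attributes to FiveSys, a custom root certificate that silences HTTPS warnings and a kernel driver that is WHQL-signed and therefore loads without complaint, both leave traces an administrator can inventory. The PowerShell below is an added example written for this page; it is not code from the article, from Bitdefender or from Microsoft. It assumes the WHQL signer subject begins with `CN=Microsoft Windows Hardware Compatibility Publisher` (the signer Microsoft uses for WHCP-signed drivers), a 30-day window for "recent" certificates, and an optional baseline file of root-certificate thumbprints that you capture on a known-clean machine; the function names and the baseline path are my own.

```powershell
# Added defender-side audit for the FiveSys-style footholds described above.
# Not from the article or Bitdefender. Assumptions: the WHQL signer prefix below,
# the 30-day window, and the baseline file format (one thumbprint per line).

# 1. Root certificates that do not appear in a clean baseline, or that were
#    issued recently. A rootkit that installs its own CA so the browser does not
#    warn about its proxy has to land something in one of these stores.
function Get-SuspiciousRootCerts {
    param(
        [string]$BaselinePath = 'C:\audit\root-baseline.txt',  # assumed path
        [int]$Days = 30                                         # assumed window
    )
    $baseline = @()
    if (Test-Path -Path $BaselinePath) {
        $baseline = Get-Content -Path $BaselinePath | ForEach-Object { $_.Trim().ToUpper() }
    }
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | ForEach-Object {
            $notInBaseline = ($baseline.Count -gt 0) -and ($baseline -notcontains $_.Thumbprint.ToUpper())
            $recent        = $_.NotBefore -gt $cutoff
            if ($notInBaseline -or $recent) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotBefore  = $_.NotBefore
                    Reason     = if ($notInBaseline) { 'not in baseline' } else { 'issued recently' }
                }
            }
        }
    }
}

# Run once on a machine you trust to produce the baseline the function above diffs against.
function Export-RootCertBaseline {
    param([string]$BaselinePath = 'C:\audit\root-baseline.txt')  # assumed path
    New-Item -ItemType Directory -Path (Split-Path -Path $BaselinePath) -Force | Out-Null
    Get-ChildItem -Path 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root' |
        Select-Object -ExpandProperty Thumbprint |
        Sort-Object -Unique |
        Set-Content -Path $BaselinePath
}

# 2. Inventory of WHQL-signed drivers on disk. The whole point of the article is
#    that a WHQL signature makes Get-AuthenticodeSignature report Status = Valid,
#    so the signature status alone cannot flag FiveSys; what helps is comparing
#    this list (and its write times) against the hardware you actually installed.
function Get-WhqlSignedDrivers {
    $whqlSignerPrefix = 'CN=Microsoft Windows Hardware Compatibility Publisher'  # assumed prefix
    Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter '*.sys' -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject.StartsWith($whqlSignerPrefix)) {
                [pscustomobject]@{
                    Driver     = $_.Name
                    Status     = $sig.Status
                    Signer     = $sig.SignerCertificate.Subject
                    Thumbprint = $sig.SignerCertificate.Thumbprint
                    Modified   = $_.LastWriteTime
                }
            }
        } | Sort-Object -Property Modified -Descending
}

# Usage:
#   Export-RootCertBaseline            # on a known-clean machine, once
#   Get-SuspiciousRootCerts | Format-Table -AutoSize
#   Get-WhqlSignedDrivers   | Format-Table -AutoSize
```

Two caveats follow directly from the article. First, because the rootkit redirects traffic from inside a driver, the usual WinINet proxy settings may look untouched; the root-store check is the more reliable of the two signals. Second, Microsoft has revoked the FiveSys signature, but a driver that is already loaded does not stop running because its certificate was revoked, so the driver inventory is worth comparing against a list of vendors you expect on the box rather than trusting `Status` on its own.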
