Microsoft is investigating an issue in which a driver that it had signed contains malicious code. Drivers are software that mediates between the operating system and hardware or other kernel functions; on current 64-bit Windows a kernel-mode driver must carry a Microsoft signature before the kernel will load it, so third-party drivers are submitted to Microsoft, signed, and only then distributed to customers.
In this case, a rootkit appears to have passed through that signing process. It targets specific gaming environments, spoofing geo-location checks so that players can play from anywhere.
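The practical lesson of a Microsoft-signed rootkit is that "signed by Microsoft" is not the same as "written by Microsoft": a third-party driver that goes through Microsoft's hardware compatibility program is countersigned with a Microsoft certificate and passes driver signature enforcement just like an in-box driver. The following PowerShell script is an added example (it is not from the article and not from Microsoft or G Data) that inventories the drivers registered on a Windows host and separates first-party Microsoft signers from Microsoft-countersigned third-party ones, so that the latter can be reviewed rather than waved through on signature status alone. The signer-name patterns and the path normalisation are assumptions about typical Windows installs.

```powershell
# Added example, not code from the article. Inventory kernel drivers and show
# who actually signed each one. Assumes a recent Windows (PowerShell 5.1+),
# where Get-AuthenticodeSignature also consults the system catalogs.

$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # PathName may appear as \??\C:\... or \SystemRoot\...; normalise it.
        $p = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        [PSCustomObject]@{ Name = $_.Name; State = $_.State; Path = $p }
    }

$report = foreach ($d in $drivers) {
    if (-not (Test-Path -LiteralPath $d.Path)) { continue }
    $sig = Get-AuthenticodeSignature -LiteralPath $d.Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Classification is by signer subject (assumed patterns):
    #  - "CN=Microsoft Windows, ..."                      -> Microsoft's own OS drivers
    #  - "Microsoft Windows Hardware Compatibility Publisher" -> third-party driver
    #    attested through Microsoft's program and countersigned by Microsoft
    $class = switch -Regex ($subject) {
        '^CN=Microsoft Windows,'           { 'Microsoft first-party' }
        'Hardware Compatibility Publisher' { 'Third-party, Microsoft-countersigned (review)' }
        default {
            if ($sig.Status -eq 'Valid') { 'Other valid signer (review)' }
            else { "Unsigned or invalid ($($sig.Status))" }
        }
    }

    [PSCustomObject]@{
        Driver = $d.Name
        State  = $d.State
        Class  = $class
        Signer = $subject
        Path   = $d.Path
    }
}

# Put the entries worth a human look at the top.
$report | Sort-Object Class -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt and focus on the "review" classes: every driver there passed Windows signature enforcement, which is exactly the situation the article describes, so the signature tells you who vouched for the file, not whether its behaviour is benign.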
Microsoft notes that "the malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers."
The malware was spotted by G Data analyst Karsten Hahn, who has since shared additional details on the rootkit, including how it is installed on affected systems.
Once installed, the malware communicates with command-and-control (C2) servers at Chinese IP addresses, one of which belonged to Ningbo Zhuo Zhi Innovation Network Technology Co. Ltd. Hahn said the oldest version of the malware dates back to March 17, 2021, so it has been in circulation for a few months.
Microsoft is still investigating how the code passed its verification process and says it intends to refine its validation processes to prevent a recurrence.