Chinese Threat Actors Abusing Windows Policy To Load Malicious Kernel Drivers
Microsoft has taken action to block code signing certificates that have been used primarily by Chinese hackers and developers to sign and deploy malicious kernel-mode drivers on compromised systems. These drivers run at the highest privilege level on Windows, enabling stealthy persistence, hard-to-detect data exfiltration, and the ability to terminate processes. Even when security tools are active, a kernel-mode driver can interfere with their operation and evade detection. Although Microsoft introduced policy changes to restrict the loading of kernel-mode drivers, an exception was made for older drivers so that they could continue to load. Exploiting this exception, Chinese threat actors have been altering the signing date of malicious drivers so that older, leaked certificates are accepted, and using the resulting drivers to escalate privileges on Windows systems.
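A defender's first question after reading the above is which drivers on a given host are signed with certificates old enough to fall under the legacy exception. The following PowerShell triage script is an added example and is not code from the article or from Microsoft. It assumes an elevated session on the host being audited, and it uses the 29 July 2015 certificate-issuance cutoff from Microsoft's published kernel driver signing policy as the boundary for "older" certificates; that date is an assumption drawn from that policy, not a value the article states.

```powershell
# Added example (not from the article): list kernel drivers whose Authenticode
# signer certificate predates the legacy-exemption cutoff, or whose signature
# does not verify, so they can be reviewed against current revocation data.
# Assumptions: run as Administrator in Windows PowerShell 5.1 or later; the
# cutoff date below comes from Microsoft's driver signing policy, not the article.

$LegacyCutoff = Get-Date -Date '2015-07-29'

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName may be quoted or use NT-style prefixes.
    $p = $RawPath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-DriverSignatureReport {
    # Win32_SystemDriver enumerates kernel drivers with their on-disk path and state.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        if (-not $_.PathName) { return }
        $path = Resolve-DriverPath -RawPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $cert = $sig.SignerCertificate

        [PSCustomObject]@{
            Name          = $_.Name
            State         = $_.State
            Path          = $path
            SigStatus     = $sig.Status
            Subject       = if ($cert) { $cert.Subject }    else { $null }
            Thumbprint    = if ($cert) { $cert.Thumbprint } else { $null }
            NotBefore     = if ($cert) { $cert.NotBefore }  else { $null }
            NotAfter      = if ($cert) { $cert.NotAfter }   else { $null }
            Countersigned = [bool]$sig.TimeStamperCertificate
            # True when the signer certificate was issued before the cutoff, i.e. the
            # driver may be loading under the legacy exception rather than current policy.
            PreCutoffCert = if ($cert) { $cert.NotBefore -lt $LegacyCutoff } else { $false }
        }
    }
}

# Candidates for review: unsigned or non-verifying drivers, and drivers whose
# signer certificate predates the cutoff. Check their thumbprints against the
# revocation lists you receive from Microsoft before deciding they are benign.
$report = Get-DriverSignatureReport
$report |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.PreCutoffCert } |
    Sort-Object NotBefore |
    Format-Table Name, State, SigStatus, Countersigned, NotBefore, NotAfter, Subject -AutoSize
```

The script reports certificate validity windows and signature status only; it does not inspect the signed attributes or countersignature inside the PKCS#7 blob, so a driver whose recorded signing time has been manipulated, as the article describes, will still appear as an old-certificate entry rather than as an anomaly. Treat the output as a worklist for comparison against current revocation data and vendor expectations, not as a verdict.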