Malware | Apr 30, 2026

Undocumented driver-based browser hijacker RedDriver targets Chinese speakers and internet cafes

Cisco Talos discovers RedDriver, undocumented driver-based browser hijacker targeting Chinese speakers.

Summary

Cisco Talos identified RedDriver, a malicious Windows kernel driver active since at least 2021 that uses the Windows Filtering Platform (WFP) to intercept browser traffic and redirect it to a listener on localhost. The malware targets Chinese-speaking users and internet cafes: it hijacks processes from a hardcoded list of Chinese-language browsers plus Google Chrome and Microsoft Edge, and an earlier version enumerates drivers belonging to Chinese internet cafe management software. RedDriver is signed with stolen certificates whose signature timestamps were forged with HookSignTool to bypass Windows driver signature enforcement, and it is delivered by a multi-stage infection chain that reuses code from the open-source HP-Socket library and a custom ReflectiveLoader.

Full text

By Chris Neal, Tuesday, July 11, 2023 13:04. Threat Advisory.

  • Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver has been active since at least 2021.
  • RedDriver utilizes HookSignTool to forge its signature timestamp to bypass Windows driver-signing policies.
  • Code from multiple open-source tools has been used in the development of RedDriver's infection chain, including HP-Socket and a custom implementation of ReflectiveLoader.
  • The authors of RedDriver appear to be skilled in driver development and have deep knowledge of the Windows operating system.
  • This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves.

RedDriver targets Chinese-speaking users

There are clear indications that the intended victims of this threat are native Chinese speakers. Firstly, the driver contains a hardcoded list of Chinese language browser process names, which are searched for and hijacked. Additionally, in one instance RedDriver contained a list of driver names, many of which were related to multiple Chinese language internet cafe management software products. There are also many indications that the authors of RedDriver are native Chinese speakers themselves.

Multi-stage infection chain leads to RedDriver

RedDriver’s infection chain begins with a single executable packed with Ultimate Packer for eXecutables (UPX), named “DnfClientShell32.exe.” The resource section of the DnfClientShell32 binary contains two DLLs, one named “DnfClient” and another, aptly named “ReflectiveLoader32.”

  • DnfClientShell32 - 5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e
  • DnfClient - 9e59eba805c361820d39273337de070efaf2bf804c6ea88bbafc5f63ce3028b1
  • ReflectiveLoader32 - c96320c7b57adf6f73ceaf2ae68f1661c2bfab9d96ffd820e3cfc191fcdf0a9b

The filename “DnfClient” is likely used to masquerade as an identically named executable from a game called “Dungeon Fighter Online,” also referred to as “DNF.” The Dungeon Fighter games are immensely popular in China.

Once executed, DnfClientShell32 uses the ReflectiveLoader32 binary in its resource section to inject the DnfClient resource into a remote process. After the injection is complete, DnfClient begins encrypted communications with the command and control (C2) infrastructure to download the RedDriver payload. DnfClient then opens a listening port to receive the browser traffic that RedDriver redirects. For its network communications, DnfClient uses code from the open-source library HP-Socket.

Introducing: RedDriver

During our research into HookSignTool, Cisco Talos observed the deployment of an undocumented malicious driver utilizing stolen certificates to forge signature timestamps, effectively bypassing driver signature enforcement policies within Windows. The policy gap being exploited is Microsoft's exception for legacy drivers: Windows 10 and later still load kernel drivers whose end-entity certificate was issued before July 29, 2015 and chains to a supported cross-signed certificate authority. A stolen certificate from that era has long since expired, so a signature made with it today only validates if its timestamp places the signing inside the certificate's validity period, which is exactly what the forged timestamp supplies. The driver's name originates from the string “RedDriver” contained within the binary and from the file name in its PDB path: "E:\\Project\\PTU\\PTU\\Bin\\x64\\Release\\RedDriver.pdb".

Figure: RedDriver name within disassembly.

RedDriver is a critical component of a multi-stage infection chain that ultimately hijacks browser traffic and redirects it to localhost (127.0.0.1). The target browser is chosen from a hardcoded list containing the process names of many popular Chinese language browsers as well as Google Chrome and Microsoft Edge.

Figure: Hard-coded list of browser names within RedDriver.

RedDriver imports several functions from FWPKCLNT.sys, a component of the Windows Filtering Platform:

“Windows Filtering Platform (WFP) is a set of API and system services that provide a platform for creating network filtering applications. The WFP API allows developers to write code that interacts with the packet processing that takes place at several layers in the networking stack of the operating system. Network data can be filtered and also modified before it reaches its destination,” from Microsoft MSDN.

Figure: RedDriver FWPKCLNT.sys imports.

Using these imported functions, RedDriver redirects traffic from the hijacked browser and replaces the destination IP address with 127.0.0.1, thereby redirecting it to the listening port DnfClient opens. A root certificate is also silently installed on the target system without user interaction, as made evident by the registry entry that is added (the key name is the certificate's SHA-1 thumbprint):

“MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\9743EE39882EFD63036E6EAD3AFFD6D765628161”

As of publication time, the end goal of this browser traffic redirection is unclear. However, regardless of intent, this is a significant threat to any system infected with RedDriver, as it allows all traffic through the browser to be tampered with, and the newly trusted root certificate would let a local listener present certificates the browser accepts for HTTPS sites.

While describing the technical aspects of the WFP is outside the scope of this blog post, it is important to understand that these functions allow RedDriver to manipulate browser traffic inside the kernel network stack, before it leaves the machine. WFP is a highly complex platform, and implementing it successfully speaks to the skills of the authors of RedDriver. To understand the WFP, we recommend referring to the Microsoft documentation on the subject.

To reroute the browser traffic, RedDriver must first register what is referred to as a “callout” using the function “FwpsCalloutRegister1.” To change the IP address to localhost, RedDriver must acquire a handle to the target network traffic using “FwpsAcquireClassifyHandle0” and then pass the handle to “FwpsAcquireWritableLayerDataPointer0.”

Figure: Acquiring network traffic to write to.

Once the appropriate data is acquired, it can perform the necessary alterations to the IP address, thereby rerouting the traffic to localhost.

Figure: Applying the IP changes to network traffic.

An older example of RedDriver

During our research into RedDriver, we discovered an earlier version that appears to have been active since at least 2021. While there are differences between the versions, the overall functionality and structure is similar. However, in one instance of an earlier version, RedDriver contained a list of names belonging to dozens of drivers, many of which pertained to software that is Chinese in origin. The drivers in this list appear to be focused on software that would be used in internet cafes, as many of the names belong to internet cafe management software, graphics card drivers and browsers. Below is a non-exhaustive list of some of the names contained within the earlier version of RedDriver:

  • atikmdag.sys — ATI Radeon Kernel Mode Driver Package
  • fastshutdown.sys — iCafe, Sunward Information Technology Co. Ltd
  • genfs.sys — Pubwin, Hintsoft (internet cafe software)
  • genvf64.sys — Pubwin, Hintsoft (internet cafe software)
  • genvf.sys — Pubwin, Hintsoft (internet cafe software)
  • Kboot64.sys — Internet Cafe Butler (网吧管家)
  • nv4_mini.sys — Nvidia, RIVA TNT
  • qqprotectx64.sys — Tencent QQ (instant messaging)
  • devicepnp64.sys — FaceIt (competitive gaming platform)
  • Tsqbdrv.sys — QQ Browser driver from technology company Tencent

Within a function referred to as “AntiMinifilterThread” in the debug strings, this version of RedDriver checks for the existence of these drivers using the Windows API function “FltEnumerateFilters,” which fills a caller-supplied array with PFLT_FILTER pointers, one per registered minifilter. At offset 0x1a8 within the FLT_FILTER structure the sample reads the FLT_OPERATION_REGISTRATION data it needs to verify a filter driver's existence. FLT_FILTER is opaque and undocumented, so that offset is tied to the Windows builds the authors targeted rather than to any stable interface.

RedDriver utilizing HookSignTool to bypass signature enforcement

To bypass the driver signature enforcement in Windows, RedDriver makes use of HookSignTool, an open-source signature timestamp forging tool. To understand the context of this tool in relation to RedDriver we recommend reading our previous blog on the use of this tool. Several different code-s
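
The host-side artifacts described above (the silently installed root certificate, the three published sample hashes, the loopback listener DnfClient opens to receive redirected traffic, and the WFP callout the driver must register) can be checked with a short hunting script. The following PowerShell is an added example written for this page; it is not code from the Talos post, from RedDriver or from Cisco. It assumes Windows PowerShell 5.1 or PowerShell 7 in an elevated session, that `netsh wfp show state` writes XML with `providers/item`, `callouts/item`, `calloutKey`, `providerKey`, `applicableLayer` and `displayData/name` elements (the element names are an assumption of the script), and it uses scan directories chosen here rather than taken from the post. The optional `-CalloutBaseline` parameter is also this script's own invention: a text file of callout keys collected on a known-clean build, so that only callouts absent from that baseline are reported.

```powershell
# Added hunting script for the RedDriver artifacts described in the post.
# Not code from Cisco Talos, RedDriver or HookSignTool. Assumes an elevated session.
param(
    [string]$CalloutBaseline   # optional: one known-good WFP callout key per line (assumption)
)

$IocHashes = @(
    '5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e',  # DnfClientShell32
    '9e59eba805c361820d39273337de070efaf2bf804c6ea88bbafc5f63ce3028b1',  # DnfClient
    'c96320c7b57adf6f73ceaf2ae68f1661c2bfab9d96ffd820e3cfc191fcdf0a9b'   # ReflectiveLoader32
)
$RootThumbprint = '9743EE39882EFD63036E6EAD3AFFD6D765628161'
# Directories to hash: a default chosen for this script, not taken from the post.
$ScanPaths = @("$env:SystemRoot\System32\drivers", $env:TEMP, $env:ProgramData)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Root certificate dropped into the machine store. The registry key name is the
#    certificate's SHA-1 thumbprint, so both the key and the Cert: drive are checked.
$regKey = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$RootThumbprint"
if (Test-Path $regKey) { $findings.Add("Registry root store key present: $regKey") }
$cert = Get-ChildItem Cert:\LocalMachine\Root -ErrorAction SilentlyContinue |
    Where-Object Thumbprint -eq $RootThumbprint
if ($cert) { $findings.Add("Cert:\LocalMachine\Root contains '$($cert.Subject)' ($RootThumbprint)") }

# 2. Published sample hashes on disk.
Get-ChildItem -Path $ScanPaths -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object Length -lt 50MB |
    ForEach-Object {
        $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h -and $IocHashes -contains $h.Hash.ToLower()) {
            $findings.Add("IOC hash match: $($_.FullName)")
        }
    }

# 3. The user-mode half: the loader's process names, and every process that listens
#    only on 127.0.0.1, which is where the driver sends the hijacked browser traffic.
Get-Process -Name 'DnfClientShell32', 'DnfClient' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Loader process name seen: $($_.Name) PID $($_.Id) $($_.Path)") }

Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object LocalAddress -eq '127.0.0.1' |
    ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("Loopback-only listener 127.0.0.1:$($_.LocalPort) owned by $($owner.Name) (PID $($_.OwningProcess)) $($owner.Path)")
    }

# 4. WFP callouts. RedDriver must register one (FwpsCalloutRegister1) and it outlives the
#    user-mode processes, so dump the WFP state and report callouts not in the baseline.
#    Without a baseline every callout is listed, with its provider name, for review.
$known = @{}
if ($CalloutBaseline -and (Test-Path -LiteralPath $CalloutBaseline)) {
    Get-Content -LiteralPath $CalloutBaseline | ForEach-Object { $known[$_.Trim().ToLower()] = $true }
}
$wfpXml = Join-Path $env:TEMP 'wfpstate.xml'
netsh wfp show state file="$wfpXml" | Out-Null
if (Test-Path -LiteralPath $wfpXml) {
    [xml]$state = Get-Content -LiteralPath $wfpXml -Raw
    $providers = @{}
    foreach ($p in $state.SelectNodes('//providers/item')) {
        $providers[[string]$p.providerKey] = [string]$p.displayData.name
    }
    foreach ($c in $state.SelectNodes('//callouts/item')) {
        $key = [string]$c.calloutKey
        if ($known.Count -gt 0 -and $known.ContainsKey($key.ToLower())) { continue }
        $provider = if ($c.providerKey) { $providers[[string]$c.providerKey] } else { '(no provider)' }
        $findings.Add("WFP callout '$($c.displayData.name)' key=$key layer=$($c.applicableLayer) provider=$provider")
    }
    Remove-Item -LiteralPath $wfpXml -ErrorAction SilentlyContinue
}

if ($findings.Count -eq 0) { 'No RedDriver artifacts found.' } else { $findings }
```

Collect the baseline once on a clean image of the same Windows build by running the callout section and saving the reported `key=` values; a callout that appears on a suspect host but not in that baseline is the item to pull apart, together with the driver that owns the provider. The loopback-listener check is deliberately broad, since the post does not give the port DnfClient uses; the process path and signature of each owner is what separates a browser helper from the redirect target.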

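The signature-timestamp forgery described above leaves a pattern that can be audited from the host: a loaded, non-Microsoft driver whose signing certificate both predates the July 29, 2015 legacy cutoff and has already expired, yet still validates. The following PowerShell is an added audit script written for this page, not code from the Talos post, from RedDriver or from HookSignTool. It assumes Windows PowerShell 5.1 or PowerShell 7 in an elevated session, and that `Win32_SystemDriver` reports driver paths in the `\SystemRoot\...`, `\??\C:\...`, `system32\...` or absolute forms the helper normalizes. Legitimately legacy-signed drivers with genuine timestamps match the same description, so the output is a review list, not a verdict.

```powershell
# Added audit script for drivers signed with pre-2015, now-expired certificates.
# Not code from Cisco Talos, RedDriver or HookSignTool. Assumes an elevated session.
# Windows 10 and later still load kernel drivers whose end-entity certificate was issued
# before 2015-07-29 and chains to a supported cross-signed CA; an expired certificate of
# that era only validates when the signature's timestamp falls inside its validity period,
# which is the property a forged timestamp supplies.

$LegacyCutoff = [datetime]'2015-07-29'

function Resolve-DriverPath([string]$PathName) {
    # Normalize the path forms Win32_SystemDriver reports (assumed set, see lead-in).
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    return $p
}

$report = foreach ($drv in Get-CimInstance Win32_SystemDriver |
                   Where-Object { $_.State -eq 'Running' -and $_.PathName }) {
    $path = Resolve-DriverPath $drv.PathName
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = $sig.SignerCertificate
    if (-not $signer) {
        # A running kernel driver with no Authenticode signature is worth a line of its own.
        [pscustomobject]@{ Driver = $drv.Name; Path = $path; Status = $sig.Status
                           Signer = '(unsigned)'; NotBefore = $null; NotAfter = $null
                           Flag = 'NoSignature' }
        continue
    }

    $isMicrosoft = $signer.Subject -like '*O=Microsoft Corporation*'
    $legacy      = $signer.NotBefore -lt $LegacyCutoff
    $expired     = $signer.NotAfter  -lt (Get-Date)
    if (-not $isMicrosoft -and $legacy -and $expired) {
        [pscustomobject]@{
            Driver    = $drv.Name
            Path      = $path
            Status    = $sig.Status     # 'Valid' means Windows accepted the timestamped chain
            Signer    = $signer.Subject
            NotBefore = $signer.NotBefore
            NotAfter  = $signer.NotAfter
            Flag      = 'LegacyExpiredCert'
        }
    }
}

$report | Sort-Object NotAfter | Format-Table Driver, Flag, Status, NotBefore, NotAfter, Signer -AutoSize
```

`Get-AuthenticodeSignature` does not expose the signing time itself, so for each flagged file run `signtool verify /v /kp <path>` to print the timestamp and the countersigning authority; a timestamp that predates the file's own compilation, or a certificate subject that does not belong to the vendor whose product the driver claims to be, is the discrepancy the forgery introduces.
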
Indicators of Compromise

  • hash_sha256 — 5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e
  • hash_sha256 — 9e59eba805c361820d39273337de070efaf2bf804c6ea88bbafc5f63ce3028b1
  • hash_sha256 — c96320c7b57adf6f73ceaf2ae68f1661c2bfab9d96ffd820e3cfc191fcdf0a9b
  • malware — RedDriver

Entities

  • RedDriver authors (threat_actor)
  • Cisco (vendor)
  • Windows Filtering Platform (product)
  • HookSignTool (product)
  • ReflectiveLoader (technology)
  • HP-Socket (technology)