- Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver has been active since at least 2021.
- RedDriver utilizes HookSignTool to forge its signature timestamp to bypass Windows driver-signing policies.
- Code from multiple open-source tools has been used in the development of RedDriver's infection chain, including HP-Socket and a custom implementation of ReflectiveLoader.
- The authors of RedDriver appear to be skilled in driver development and have deep knowledge of the Windows operating system.
- This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves.
RedDriver targets Chinese-speaking users
There are clear indications that the intended victims of this threat are native Chinese speakers. Firstly, the driver contains a hardcoded list of Chinese language browser process names, which are searched for and hijacked. Additionally, in one instance RedDriver contained a list of driver names, many of which were related to multiple Chinese language internet cafe management software products. There are also many indications that the authors of RedDriver are native Chinese speakers themselves.
Multi-stage infection chain leads to RedDriver
RedDriver’s infection chain begins with a single executable packed with Ultimate Packer for eXecutables (UPX), named “DnfClientShell32.exe.” The resource section of the DnfClientShell32 binary contains two DLLs, one named “DnfClient” and another, aptly named “ReflectiveLoader32.”
- DnfClientShell32 - 5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e
- DnfClient - 9e59eba805c361820d39273337de070efaf2bf804c6ea88bbafc5f63ce3028b1
- ReflectiveLoader32 - c96320c7b57adf6f73ceaf2ae68f1661c2bfab9d96ffd820e3cfc191fcdf0a9b
The filename “DnfClient” is likely used to masquerade as an identically named executable from a game called “Dungeon Fighter Online,” also referred to as “DNF.” The Dungeon Fighter games are immensely popular in China.
Once executed, DnfClientShell32 uses the ReflectiveLoader32 binary in its resource section to inject the DnfClient resource into a remote process. After the injection process is completed, DnfClient begins encrypted communications with the command and control (C2) infrastructure to initiate the download of the RedDriver payload. DnfClient then opens a listening port to receive redirected browser traffic from RedDriver. To facilitate network communications, DnfClient utilizes code from the open-source library HP-Socket.
During our research into HookSignTool, Cisco Talos observed the deployment of an undocumented malicious driver utilizing stolen certificates to forge signature timestamps, effectively bypassing driver signature enforcement policies within Windows. Its name originates from the string “RedDriver” which is contained within the binary and the file name in its PDB file path: “E:\Project\PTU\PTU\Bin\x64\Release\RedDriver.pdb”.
RedDriver is a critical component of a multi-stage infection chain that ultimately hijacks browser traffic and redirects it to localhost (127.0.0.1). The target browser is chosen from a hardcoded list containing the process names of many popular Chinese language browsers as well as Google Chrome and Microsoft Edge.
RedDriver imports several functions from FWPKCLNT.sys, a component of the Windows Filtering Platform:
“Windows Filtering Platform (WFP) is a set of API and system services that provide a platform for creating network filtering applications. The WFP API allows developers to write code that interacts with the packet processing that takes place at several layers in the networking stack of the operating system. Network data can be filtered and also modified before it reaches its destination,” from Microsoft MSDN.
Using these imported functions, RedDriver redirects traffic from the hijacked browser and replaces the destination IP address with 127.0.0.1, thereby redirecting it to the listening port DnfClient opens. A root certificate is also silently installed on the target system without user interaction, as evidenced by the registry entry that is added: “MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\9743EE39882EFD63036E6EAD3AFFD6D765628161”
As of publication time, the end goal of this browser traffic redirection is unclear. However, regardless of intent, this is a significant threat to any system infected with RedDriver, as this allows all traffic through the browser to be tampered with.
While describing the technical aspects of the WFP is outside the scope of this blog post, it is important to understand that these functions allow RedDriver to manipulate browser traffic at the packet level. WFP is a highly complex platform and implementing it successfully speaks to the skills of the authors of RedDriver. To understand the WFP, we recommend referring to the Microsoft documentation on the subject.
To reroute the browser traffic, RedDriver must first register what is referred to as a “callout” using the function “FwpsCalloutRegister1.” To change the IP address to localhost, RedDriver must acquire a handle to the target network traffic using “FwpsAcquireClassifyHandle0” and then pass the handle to “FwpsAcquireWritableLayerDataPointer0.”
Once the appropriate data is acquired, it can perform the necessary alterations to the IP address, thereby rerouting the traffic to localhost.
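As an added defender-side example (not code from the Talos post or from RedDriver): the following Python script inventories the callouts in a `netsh wfp show state` XML export and flags every callout that is not attributed to a trusted provider, listing those on the ALE bind/connect-redirect layers first, since those are the layers where WFP lets a callout rewrite a connection's destination. The element names assumed for the export, the provider and callout GUIDs and the sample export itself are constructed for this example.

```python
import sys
import xml.etree.ElementTree as ET

# Layers on which a WFP callout may rewrite a connection's destination address.
REDIRECT_LAYERS = {
    "FWPM_LAYER_ALE_CONNECT_REDIRECT_V4", "FWPM_LAYER_ALE_CONNECT_REDIRECT_V6",
    "FWPM_LAYER_ALE_BIND_REDIRECT_V4", "FWPM_LAYER_ALE_BIND_REDIRECT_V6",
}

# Constructed sample in the element layout assumed for a `netsh wfp show state`
# export; GUIDs and names are placeholders, not real indicators.
SAMPLE_EXPORT = """<wfpstate>
  <providers>
    <item><providerKey>{aaaaaaaa-0000-0000-0000-000000000001}</providerKey>
      <displayData><name>Microsoft Corporation</name></displayData></item>
  </providers>
  <callouts>
    <item><calloutKey>{bbbbbbbb-0000-0000-0000-000000000001}</calloutKey>
      <displayData><name>Built-in firewall callout</name></displayData>
      <providerKey>{aaaaaaaa-0000-0000-0000-000000000001}</providerKey>
      <applicableLayer>FWPM_LAYER_ALE_AUTH_CONNECT_V4</applicableLayer></item>
    <item><calloutKey>{bbbbbbbb-0000-0000-0000-000000000002}</calloutKey>
      <displayData><name>unknown-redirect-callout</name></displayData>
      <providerKey/>
      <applicableLayer>FWPM_LAYER_ALE_CONNECT_REDIRECT_V4</applicableLayer></item>
  </callouts>
</wfpstate>"""

def untrusted_callouts(xml_text, trusted=("Microsoft Corporation",)):
    """Return callouts whose provider is missing or not in `trusted`, redirect layers first."""
    root = ET.fromstring(xml_text)  # accepts str or the raw bytes of an export file
    providers = {p.findtext("providerKey", ""): p.findtext("displayData/name", "")
                 for p in root.iterfind("providers/item")}
    hits = []
    for c in root.iterfind("callouts/item"):
        provider = providers.get(c.findtext("providerKey", ""), "")  # "" when <providerKey/> is empty
        if provider in trusted:
            continue
        layer = c.findtext("applicableLayer", "")
        hits.append({"key": c.findtext("calloutKey", ""), "name": c.findtext("displayData/name", ""),
                     "layer": layer, "provider": provider or "<no provider>",
                     "redirect_layer": layer in REDIRECT_LAYERS})
    hits.sort(key=lambda h: not h["redirect_layer"])  # stable sort: redirect-capable layers first
    return hits

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for h in untrusted_callouts(data):
        print(("!! " if h["redirect_layer"] else "   ") + f"{h['layer']:40} {h['name']} {h['key']} {h['provider']}")
```

Run it with the path of an export produced by `netsh wfp show state file=wfpstate.xml`; lines marked `!!` are the callouts to examine first.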
An older example of RedDriver
During our research into RedDriver, we discovered an earlier version that appears to have been active since at least 2021. While there are differences between the versions, the overall functionality and structure are similar. However, in one instance of an earlier version, RedDriver contained a list of names belonging to dozens of drivers, many of which pertained to software that is Chinese in origin. The drivers in this list appear to be focused on software that would be used in internet cafes, as many of the names belong to internet cafe management software, graphics card drivers and browsers. Below is a non-exhaustive list of some of the names contained within the earlier version of RedDriver:
- atikmdag.sys — ATI Radeon Kernel Mode Driver Package
- fastshutdown.sys — iCafe, Sunward Information Technology Co. Ltd
- genfs.sys — Pubwin, Hintsoft (internet cafe software)
- genvf64.sys — Pubwin, Hintsoft (internet cafe software)
- genvf.sys — Pubwin, Hintsoft (internet cafe software)
- Kboot64.sys — Internet Cafe Butler (网吧管家)
- nv4_mini.sys — Nvidia, RIVA TNT
- qqprotectx64.sys — Tencent QQ (instant messaging)
- devicepnp64.sys — FaceIt (competitive gaming platform)
- Tsqbdrv.sys — QQ Browser driver from technology company Tencent
Within a function referred to as “AntiMinifilterThread” in the debug strings, this version of RedDriver checks for the existence of these drivers using the Windows API function “FltEnumerateFilters,” which returns a pointer to the FLT_FILTER structure containing the list of enumerated drivers. At offset 0x1a8 within this structure is the FLT_OPERATION_REGISTRATION structure, which contains the information that RedDriver needs to verify the filter driver's existence.
RedDriver utilizing HookSignTool to bypass signature enforcement
To bypass the driver signature enforcement in Windows, RedDriver makes use of HookSignTool, an open-source signature timestamp forging tool. To understand the context of this tool in relation to RedDriver we recommend reading our previous blog on the use of this tool. Several different code-signing certificates have been used to sign RedDriver, all of which are covered in the aforementioned blog post. The certificates we observed being used to sign RedDriver are: Beijing JoinHope Image Technology Ltd. and 北京汇聚四海商贸有限公司.
Cisco Secure products now include detections for these certificates and all certificates discussed in our HookSignTool blog post. Talos has notified Microsoft of the abuse of these certificates, which they promptly took action against.
Bypassing the driver signature enforcement policies by using HookSignTool allows a threat actor to deploy drivers that would otherwise be blocked from running. RedDriver is a real-world example of this tool being effectively used in a malicious context. Based on our research regarding HookSignTool, RedDriver is not the only family of malicious driver that is utilizing timestamp-forging tools. It is reasonable to expect that signature timestamp forging will see continued use throughout the threat landscape, as the benefits of deploying malicious drivers may become increasingly attractive to threat actors.
Indications of Chinese-speaking authors
Based on the language codes in the metadata of the binaries within the RedDriver infection chain, and several other factors described below, we assess with high confidence that RedDriver's authors are native Chinese speakers. While the intent behind RedDriver is unclear, it is not unusual for internet cafes in China to be the target of cybercrime groups based in China. In 2018, over 100,000 computers in internet cafes across China were infected with coin miners, generating over $800,000 USD in “siacoin” for the attackers, who colluded with local computer service firms.
The most readily apparent indicator is the geolocation of the C2 infrastructure. All of the domains we observed during our research resolve to IP addresses located in China.
Domains associated with RedDriver:
The RedDriver infection chain utilizes code from multiple open-source tools and code copied from a forum post on a Chinese language forum. An interesting aspect of all of these codebases is that their authors all appear to be native Chinese speakers, as well.
Aside from open-source repositories, we located a section of code within the initial binary that drops RedDriver (DnfClientShell32.exe) that was originally posted on bbs[.]kanxue[.]com, a Chinese language forum. The user who posted the code to the forum states that they have re-interpreted the source code of ReflectiveLoader and implemented their own version.
There are clear similarities when comparing sections of the code posted by this user to the disassembly of the reflective loading function at 0x00407ca0 in the unpacked initial binary.
RedDriver authors are skilled at driver development
RedDriver was likely developed by highly skilled threat actors as the learning curve for developing malicious drivers is steep. Writing Windows drivers requires a very specific skill set and deep knowledge of the Windows operating system. For example, drivers are highly prone to crashing. However, during our analysis, we did not encounter any crashes or “blue screens of death” (BSOD), which speaks to the authors’ skill. An incorrectly written driver can cause damage to or crash a system even if no malicious intent is present. Furthermore, WFP is a complex platform to implement and generally requires significant driver development experience to fully understand it.
The authors also demonstrated familiarity or experience with software development lifecycles, another skill set that requires previous development experience. For example, while developing the infection chain, the authors used Jenkins, a tool commonly used by software developers to automate the development, building and testing of software. “Jenkins” can be seen in the .PDB file path in the debug section of the DnfClient binary: “C:\Jenkins\workspace\DnfClient\Bin\DnfClientShell32.pdb”.
Another indicator of the development experience of the authors is the use of specific sections of open-source tools. Rather than using the entire codebase of these tools, the authors of RedDriver borrow and integrate sections of the source code in different stages of the infection chain.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
ClamAV detections are available for this threat:
Indicators of Compromise associated with this threat can be found here.