0d039ee9-aaa5-49c2-a980-405d4290ee0a

telephonuAfY.sys :inline :inline

Description

Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver has been active since at least 2021. RedDriver utilizes HookSignTool to forge its signature timestamp to bypass Windows driver-signing policies. Code from multiple open-source tools has been used in the development of RedDriver's infection chain, including HP-Socket and a custom implementation of ReflectiveLoader. The authors of RedDriver appear to be skilled in driver development and have deep knowledge of the Windows operating system. This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves.

  • UUID: 0d039ee9-aaa5-49c2-a980-405d4290ee0a
  • Created: 2023-07-11
  • Author: Michael Haag
  • Acknowledgement: |

DownloadBlock

This download link contains the malicious driver!

Commands

sc.exe create telephonuAfY.sys binPath=C:\windows\temp\telephonuAfY.sys type=kernel && sc.exe start telephonuAfY.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://blog.talosintelligence.com/undocumented-reddriver/

    • Known Vulnerable Samples

    PropertyValue
    FilenametelephonuAfY.sys
    Creation Timestamp2023-05-23 01:23:25
    MD55aeab9427d85951def146b4c0a44fc63
    SHA1c9e9198d52d94771cb14711a5f6aaf8d82b602a2
    SHA25687565ff08a93a8ff41ea932bf55dec8e0c7e79aba036507ea45df9d81cb36105
    Authentihash MD543b75d04464038f6a49bdbe6b1e8b622
    Authentihash SHA123373cbe45710492834ef1ed7a968de14985df8f
    Authentihash SHA256f929b77636026cc0c57a0bd95e4c61f0b28a65e60331807e32235947f5c67931
    RichPEHeaderHash MD5ceb1860de56dcebdf714302cb649ff71
    RichPEHeaderHash SHA1a03c600569d3c813667c3520788e423f1c5eed0f
    RichPEHeaderHash SHA25639e0e1bb3f0a24fd42b1e55d492f5b87a926d6689b172c3475e1898f737be750

    Download

    Certificates

    Expand
    Certificate 71a0b73695ddb1afc23b2b9a18ee54cb
    FieldValue
    ToBeSigned (TBS) MD58314595952398203ab24badbbc927d39
    ToBeSigned (TBS) SHA1b07dcf73133408eee2786a208ce4b2543bf6c583
    ToBeSigned (TBS) SHA256c734685d985b8ea13db4fc1a6dcd26aa0dde78b4c3b651ea5d58e32e081b2a41
    SubjectC=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA
    ValidFrom2013-12-10 00:00:00
    ValidTo2023-12-09 23:59:59
    Signature243bf5d7a03613c743fef0098768d198316e12e43f1e1f967b6b4c1e879e8bc56ca3b10c7b5092d5819cb18f2c29b7eef99105b98e41f12cf6d0592d98e0b9ea8001474095b83d9d03bd79bb35b6ad9c4c27f6674510c9c5bc874e557bd287bbdddc30efc6d46ccc99356d1ce060d3cd688f29594b89960846c98efc754fc5dc09cc4e278b44cd07bcac04e0b533a5879ff4dd730c91ea12816fe375f01eb5936c4417d53e97c9bd072c56771f85dd46e8bfde2c8194a3f7e5b7a7c1379f75ca55774d5e3629ca85d84541725775c0795bfa3410066d642042b73ac81f1d4664025fc647bef0c43a2854daf61e4f9aa21943a46f49f8fc5e422028848b47206e
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber71a0b73695ddb1afc23b2b9a18ee54cb
    Version3
    Certificate 0dbdf488aeaa9795e332a1ca2747af0d
    FieldValue
    ToBeSigned (TBS) MD55037c865c427f7d514ac954ef7e66ccf
    ToBeSigned (TBS) SHA1cfcc3ebb5c9003e88373beb66781dbdf9e1904d2
    ToBeSigned (TBS) SHA256cd684ad96d510b669c0767e4b845fb7a04fba27c1f3a0935b09a988d94938f6e
    SubjectC=CN, L=, O=, OU=, CN=
    ValidFrom2018-08-15 00:00:00
    ValidTo2019-08-15 23:59:59
    Signature3ebdf2009f802c1033d2a14df88ed84c6282db1e8d19d6324b21ffb8e69fbc0752d101bd22ab4fae6c8c45bb82b7ba0d9a7213d7a29a2f587bdf68c7ae3ab6f9ed7cc23e27d6f44a0a5311124381f6f9bdeec2e19c59fc7362d5d59f09951b8ffa03215e5679ae4bcffe45b7059426a96c2897107c07b2b3e6cbcbee46527908db76f7a1bf2af19c986eba31504c9c5c3cb34e81ba2a1eb55965a2d192820cac79f640a3e9672bb507dc3a561de5d94f9a0105a355f42bea235ea5349d7d2b104a71c56640e0170433fe1ef075d9f865f17be8989b590765917215c0f7b709e9820f7106dff8cec57d59ee2777cec96f8b1de8e3a93bc7e7b757d87c9888b9a2
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber0dbdf488aeaa9795e332a1ca2747af0d
    Version3
    Certificate 611fb0a400000000001d
    FieldValue
    ToBeSigned (TBS) MD5a3f222107d4e1085e73b5b589c2f480b
    ToBeSigned (TBS) SHA1b94aa26cd77c48d91a53ac44506cbd255e1d362c
    ToBeSigned (TBS) SHA256a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa
    SubjectC=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA
    ValidFrom2011-02-22 19:31:57
    ValidTo2021-02-22 19:41:57
    Signature2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber611fb0a400000000001d
    Version3

    Imports

    Expand
    • fwpkclnt.sys
    • ntoskrnl.exe
    • WDFLDR.SYS

    Imported Functions

    Expand
    • FwpsReleaseClassifyHandle0
    • FwpsAcquireClassifyHandle0
    • FwpsApplyModifiedLayerData0
    • FwpsAcquireWritableLayerDataPointer0
    • FwpsCalloutRegister1
    • RtlCompareMemory
    • ExAllocatePool
    • ExFreePoolWithTag
    • CmRegisterCallback
    • PsCreateSystemThread
    • ZwClose
    • MmIsAddressValid
    • PsSetCreateProcessNotifyRoutine
    • PsSetCreateThreadNotifyRoutine
    • PsSetLoadImageNotifyRoutine
    • __C_specific_handler
    • RtlInitUnicodeString
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • ObfDereferenceObject
    • PsGetCurrentProcessId
    • ZwOpenProcess
    • PsLookupProcessByProcessId
    • ZwWaitForSingleObject
    • PsReferenceProcessFilePointer
    • RtlCompareUnicodeStrings
    • KeEnterCriticalRegion
    • KeLeaveCriticalRegion
    • KeWaitForSingleObject
    • ExQueryDepthSList
    • ExpInterlockedPopEntrySList
    • ExpInterlockedPushEntrySList
    • ExInitializeNPagedLookasideList
    • ExInitializeResourceLite
    • ExAcquireResourceSharedLite
    • ExAcquireResourceExclusiveLite
    • ExReleaseResourceLite
    • PsTerminateSystemThread
    • ObReferenceObjectByHandle
    • KeStackAttachProcess
    • KeUnstackDetachProcess
    • PsGetProcessWow64Process
    • PsGetProcessImageFileName
    • ZwCreateFile
    • ZwQueryInformationFile
    • ZwReadFile
    • ExAllocatePoolWithTag
    • MmGetSystemRoutineAddress
    • KeAcquireInStackQueuedSpinLock
    • KeReleaseInStackQueuedSpinLock
    • RtlIpv4AddressToStringA
    • IoGetCurrentProcess
    • PsGetProcessId
    • PsProcessType
    • PsGetProcessPeb
    • RtlInitAnsiString
    • RtlAnsiStringToUnicodeString
    • RtlFreeUnicodeString
    • _vsnprintf
    • _vsnwprintf
    • RtlGetVersion
    • KeInitializeEvent
    • KeQueryTimeIncrement
    • RtlRandomEx
    • ZwSetInformationFile
    • ZwWriteFile
    • IoFileObjectType
    • ZwTerminateProcess
    • RtlCopyUnicodeString
    • KeBugCheckEx
    • _wcslwr
    • wcsstr
    • ExSystemTimeToLocalTime
    • RtlTimeToTimeFields
    • WdfVersionBind
    • WdfVersionBindClass
    • WdfVersionUnbindClass
    • WdfVersionUnbind

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • .gfids
    • INIT
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "71a0b73695ddb1afc23b2b9a18ee54cb",
      "Signature": "243bf5d7a03613c743fef0098768d198316e12e43f1e1f967b6b4c1e879e8bc56ca3b10c7b5092d5819cb18f2c29b7eef99105b98e41f12cf6d0592d98e0b9ea8001474095b83d9d03bd79bb35b6ad9c4c27f6674510c9c5bc874e557bd287bbdddc30efc6d46ccc99356d1ce060d3cd688f29594b89960846c98efc754fc5dc09cc4e278b44cd07bcac04e0b533a5879ff4dd730c91ea12816fe375f01eb5936c4417d53e97c9bd072c56771f85dd46e8bfde2c8194a3f7e5b7a7c1379f75ca55774d5e3629ca85d84541725775c0795bfa3410066d642042b73ac81f1d4664025fc647bef0c43a2854daf61e4f9aa21943a46f49f8fc5e422028848b47206e",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA",
      "TBS": {
        "MD5": "8314595952398203ab24badbbc927d39",
        "SHA1": "b07dcf73133408eee2786a208ce4b2543bf6c583",
        "SHA256": "c734685d985b8ea13db4fc1a6dcd26aa0dde78b4c3b651ea5d58e32e081b2a41",
        "SHA384": "874ded773c743b4e18744d7978b41cfe2e55529c61d45a0e34b3950aaad56b6c7a3780880133bcd1df3b1f86d468d46d"
      },
      "ValidFrom": "2013-12-10 00:00:00",
      "ValidTo": "2023-12-09 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "0dbdf488aeaa9795e332a1ca2747af0d",
      "Signature": "3ebdf2009f802c1033d2a14df88ed84c6282db1e8d19d6324b21ffb8e69fbc0752d101bd22ab4fae6c8c45bb82b7ba0d9a7213d7a29a2f587bdf68c7ae3ab6f9ed7cc23e27d6f44a0a5311124381f6f9bdeec2e19c59fc7362d5d59f09951b8ffa03215e5679ae4bcffe45b7059426a96c2897107c07b2b3e6cbcbee46527908db76f7a1bf2af19c986eba31504c9c5c3cb34e81ba2a1eb55965a2d192820cac79f640a3e9672bb507dc3a561de5d94f9a0105a355f42bea235ea5349d7d2b104a71c56640e0170433fe1ef075d9f865f17be8989b590765917215c0f7b709e9820f7106dff8cec57d59ee2777cec96f8b1de8e3a93bc7e7b757d87c9888b9a2",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=CN, L=, O=, OU=, CN=",
      "TBS": {
        "MD5": "5037c865c427f7d514ac954ef7e66ccf",
        "SHA1": "cfcc3ebb5c9003e88373beb66781dbdf9e1904d2",
        "SHA256": "cd684ad96d510b669c0767e4b845fb7a04fba27c1f3a0935b09a988d94938f6e",
        "SHA384": "30bf56d04a2a54ae834ea9b111da02fe53c0c13ddd66f815aed8100bb887c6d5b299e518ba1f4abc0f2c3bb02029141b"
      },
      "ValidFrom": "2018-08-15 00:00:00",
      "ValidTo": "2019-08-15 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "611fb0a400000000001d",
      "Signature": "2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA",
      "TBS": {
        "MD5": "a3f222107d4e1085e73b5b589c2f480b",
        "SHA1": "b94aa26cd77c48d91a53ac44506cbd255e1d362c",
        "SHA256": "a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa",
        "SHA384": "64b7643e4146016cbf83c911eb67e4601b6bb8d66f8ee8dcee67b815f91770d86ab23678b984430f22a963e5484881b7"
      },
      "ValidFrom": "2011-02-22 19:31:57",
      "ValidTo": "2021-02-22 19:41:57",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA",
      "SerialNumber": "0dbdf488aeaa9795e332a1ca2747af0d",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-09-26