18a842be-681a-4f32-97fd-57cb72ff5f3a

NlsLexicons0024UvN.sys :inline :inline

Description

Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver has been active since at least 2021. RedDriver utilizes HookSignTool to forge its signature timestamp to bypass Windows driver-signing policies. Code from multiple open-source tools has been used in the development of RedDriver's infection chain, including HP-Socket and a custom implementation of ReflectiveLoader. The authors of RedDriver appear to be skilled in driver development and have deep knowledge of the Windows operating system. This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves.

  • UUID: 18a842be-681a-4f32-97fd-57cb72ff5f3a
  • Created: 2023-07-12
  • Author: Michael Haag
  • Acknowledgement: |

DownloadBlock

This download link contains the malicious driver!

Commands

sc.exe create NlsLexicons0024UvN.sys binPath=C:\windows\temp\NlsLexicons0024UvN.sys type=kernel && sc.exe start NlsLexicons0024UvN.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://blog.talosintelligence.com/undocumented-reddriver/

    • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2023-04-28 00:10:45
    MD5bd91787b5dcb2189b856804e85dfa1d9
    SHA1675cc00de7c1ef508ccd0c91770c82342c0ad4ab
    SHA2567a84703552ae032a0d1699a081e422ed6c958bbe56d5b41839c8bfa6395bee1d
    Authentihash MD53dcdfa017206720c83d41ef7ed63fac6
    Authentihash SHA1beae75723cef4aa97e6d0021838405802ead468a
    Authentihash SHA2566ce1073705194870175a8b9c9ebbbb7ad54df81849b111588ea8aeef910da987
    RichPEHeaderHash MD5ceb1860de56dcebdf714302cb649ff71
    RichPEHeaderHash SHA1a03c600569d3c813667c3520788e423f1c5eed0f
    RichPEHeaderHash SHA25639e0e1bb3f0a24fd42b1e55d492f5b87a926d6689b172c3475e1898f737be750

    Download

    Certificates

    Expand
    Certificate 2ac01de88063badb080008853fdd8c6c
    FieldValue
    ToBeSigned (TBS) MD5bac0d95b77a36eed50d84415420e56bd
    ToBeSigned (TBS) SHA1c107a2a8939e3ff203847e4ba576c7e3767c063a
    ToBeSigned (TBS) SHA2567f648cc593ad1a699a8d5a5c972bf1cce89bf3dfd83a67f46de3230c61429fe2
    SubjectC=CN, ST=, L=, O=, CN=
    ValidFrom2015-04-02 00:00:00
    ValidTo2016-05-01 23:59:59
    Signature9331a576a43dc4e3a4132367b220e74c25851759c04d2db3b42beadbbd370c57aa3990faf580df88d99f8a5ac7836940ebce2b68b7b6b4e804e51b663a10d705b1dc5bc621a7b36ce633ae37e603fb0ae46d0fdaa1bf5ceb7d3262de99aaddeacd2672567bf55dda8e4b839cc1bc772574f0c6808763418a3cf63f596ef1ec038f05a2eab3c476b167fff75d6320069352409f4768f73c3af2b6438ab5279f511e1f8ebd3bed90a81c87338af839a538cb15f4b49de377c039847517a334f72130a8e4b7085a65ebe32cbdda528524dbdd27f74f4e75ff427d7bf40807faff55adcf287fc6aa06d10863511de08a00a546367efa0faeed0c587582d566f798db
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber2ac01de88063badb080008853fdd8c6c
    Version3
    Certificate 611993e400000000001c
    FieldValue
    ToBeSigned (TBS) MD578a717e082dcc1cda3458d917e677d14
    ToBeSigned (TBS) SHA14a872e0e51f9b304469cd1dedb496ee9b8b983a4
    ToBeSigned (TBS) SHA256317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8
    SubjectC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5
    ValidFrom2011-02-22 19:25:17
    ValidTo2021-02-22 19:35:17
    Signature812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber611993e400000000001c
    Version3
    Certificate 5200e5aa2556fc1a86ed96c9d44b33c7
    FieldValue
    ToBeSigned (TBS) MD5b30c31a572b0409383ed3fbe17e56e81
    ToBeSigned (TBS) SHA14843a82ed3b1f2bfbee9671960e1940c942f688d
    ToBeSigned (TBS) SHA25603cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9
    SubjectC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
    ValidFrom2010-02-08 00:00:00
    ValidTo2020-02-07 23:59:59
    Signature5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber5200e5aa2556fc1a86ed96c9d44b33c7
    Version3

    Imports

    Expand
    • fwpkclnt.sys
    • ntoskrnl.exe
    • WDFLDR.SYS

    Imported Functions

    Expand
    • FwpsReleaseClassifyHandle0
    • FwpsAcquireClassifyHandle0
    • FwpsApplyModifiedLayerData0
    • FwpsAcquireWritableLayerDataPointer0
    • FwpsCalloutRegister1
    • RtlCompareMemory
    • ExAllocatePool
    • ExFreePoolWithTag
    • CmRegisterCallback
    • PsCreateSystemThread
    • ZwClose
    • MmIsAddressValid
    • PsSetCreateProcessNotifyRoutine
    • PsSetCreateThreadNotifyRoutine
    • PsSetLoadImageNotifyRoutine
    • __C_specific_handler
    • RtlInitUnicodeString
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • ObfDereferenceObject
    • PsGetCurrentProcessId
    • ZwOpenProcess
    • PsLookupProcessByProcessId
    • ZwWaitForSingleObject
    • PsReferenceProcessFilePointer
    • RtlCompareUnicodeStrings
    • KeEnterCriticalRegion
    • KeLeaveCriticalRegion
    • KeWaitForSingleObject
    • ExQueryDepthSList
    • ExpInterlockedPopEntrySList
    • ExpInterlockedPushEntrySList
    • ExInitializeNPagedLookasideList
    • ExInitializeResourceLite
    • ExAcquireResourceSharedLite
    • ExAcquireResourceExclusiveLite
    • ExReleaseResourceLite
    • PsTerminateSystemThread
    • ObReferenceObjectByHandle
    • KeStackAttachProcess
    • KeUnstackDetachProcess
    • PsGetProcessWow64Process
    • PsGetProcessImageFileName
    • ZwCreateFile
    • ZwQueryInformationFile
    • ZwReadFile
    • ExAllocatePoolWithTag
    • MmGetSystemRoutineAddress
    • KeAcquireInStackQueuedSpinLock
    • KeReleaseInStackQueuedSpinLock
    • RtlIpv4AddressToStringA
    • IoGetCurrentProcess
    • PsGetProcessId
    • PsProcessType
    • PsGetProcessPeb
    • RtlInitAnsiString
    • RtlAnsiStringToUnicodeString
    • RtlFreeUnicodeString
    • _vsnprintf
    • _vsnwprintf
    • RtlGetVersion
    • KeInitializeEvent
    • KeQueryTimeIncrement
    • RtlRandomEx
    • ZwSetInformationFile
    • ZwWriteFile
    • IoFileObjectType
    • ZwTerminateProcess
    • RtlCopyUnicodeString
    • KeBugCheckEx
    • _wcslwr
    • wcsstr
    • ExSystemTimeToLocalTime
    • RtlTimeToTimeFields
    • WdfVersionBind
    • WdfVersionBindClass
    • WdfVersionUnbindClass
    • WdfVersionUnbind

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • .gfids
    • INIT
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "2ac01de88063badb080008853fdd8c6c",
      "Signature": "9331a576a43dc4e3a4132367b220e74c25851759c04d2db3b42beadbbd370c57aa3990faf580df88d99f8a5ac7836940ebce2b68b7b6b4e804e51b663a10d705b1dc5bc621a7b36ce633ae37e603fb0ae46d0fdaa1bf5ceb7d3262de99aaddeacd2672567bf55dda8e4b839cc1bc772574f0c6808763418a3cf63f596ef1ec038f05a2eab3c476b167fff75d6320069352409f4768f73c3af2b6438ab5279f511e1f8ebd3bed90a81c87338af839a538cb15f4b49de377c039847517a334f72130a8e4b7085a65ebe32cbdda528524dbdd27f74f4e75ff427d7bf40807faff55adcf287fc6aa06d10863511de08a00a546367efa0faeed0c587582d566f798db",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=CN, ST=, L=, O=, CN=",
      "TBS": {
        "MD5": "bac0d95b77a36eed50d84415420e56bd",
        "SHA1": "c107a2a8939e3ff203847e4ba576c7e3767c063a",
        "SHA256": "7f648cc593ad1a699a8d5a5c972bf1cce89bf3dfd83a67f46de3230c61429fe2",
        "SHA384": "8dbc1e5b1a805710fae35f16ba814f64758a8d683d1af74ce98ab5cf3a52daaa20ea783eb48d2dac3ba519eaad70ce9b"
      },
      "ValidFrom": "2015-04-02 00:00:00",
      "ValidTo": "2016-05-01 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "611993e400000000001c",
      "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5",
      "TBS": {
        "MD5": "78a717e082dcc1cda3458d917e677d14",
        "SHA1": "4a872e0e51f9b304469cd1dedb496ee9b8b983a4",
        "SHA256": "317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8",
        "SHA384": "b71052da4eb9157c8c1a5d7f55df19d69b9128598b72fcca608e5b7cc7d64c43c5504b9c86355a6dc22ee40c88cc385c"
      },
      "ValidFrom": "2011-02-22 19:25:17",
      "ValidTo": "2021-02-22 19:35:17",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "5200e5aa2556fc1a86ed96c9d44b33c7",
      "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA",
      "TBS": {
        "MD5": "b30c31a572b0409383ed3fbe17e56e81",
        "SHA1": "4843a82ed3b1f2bfbee9671960e1940c942f688d",
        "SHA256": "03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9",
        "SHA384": "bbda8407c4f9fc4e54d772f1c7fb9d30bc97e1f97ecd51c443063d1fa0644e266328781776cd5c44896c457c75f4d7da"
      },
      "ValidFrom": "2010-02-08 00:00:00",
      "ValidTo": "2020-02-07 23:59:59",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA",
      "SerialNumber": "2ac01de88063badb080008853fdd8c6c",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-09-26