87593c63-9e3e-4d09-aa47-94bca0783396

reddriver.sys :inline :inline

Description

Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver has been active since at least 2021. RedDriver utilizes HookSignTool to forge its signature timestamp to bypass Windows driver-signing policies. Code from multiple open-source tools has been used in the development of RedDriver's infection chain, including HP-Socket and a custom implementation of ReflectiveLoader. The authors of RedDriver appear to be skilled in driver development and have deep knowledge of the Windows operating system. This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves.

  • UUID: 87593c63-9e3e-4d09-aa47-94bca0783396
  • Created: 2023-07-12
  • Author: Michael Haag
  • Acknowledgement: |

DownloadBlock

This download link contains the malicious driver!

Commands

sc.exe create reddriver.sys binPath=C:\windows\temp\reddriver.sys type=kernel && sc.exe start reddriver.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://blog.talosintelligence.com/undocumented-reddriver/

  • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2023-04-09 19:09:40
    MD5cd2c641788d5d125c316ed739c69bb59
    SHA186e6669dbbce8228e94b2a9f86efdf528f0714fd
    SHA25682b0e1d7a27b67f0e6dc39dc41e880bdaef5d1f69fcec38e08da2ed78e805ef9
    Authentihash MD583a03ceabf6f3e51d5f5016cbea4759d
    Authentihash SHA1e341a86e685c120f023bc2f313e220a6934f8767
    Authentihash SHA2567aa067d928404795b4eb9c169639f23997227504ca4eb7b5b21518e6155abd47
    RichPEHeaderHash MD53e8b77121573e70b98f26828a7ec2cc0
    RichPEHeaderHash SHA193e009f2ef2ebc8e6f91afb0407312e379d114c1
    RichPEHeaderHash SHA2566c46fc6908d6505c93eae0f2e772f203724356a3d89ae8b31d9060ee718ea32f

    Download

    Certificates

    Expand
    Certificate 71a0b73695ddb1afc23b2b9a18ee54cb
    FieldValue
    ToBeSigned (TBS) MD58314595952398203ab24badbbc927d39
    ToBeSigned (TBS) SHA1b07dcf73133408eee2786a208ce4b2543bf6c583
    ToBeSigned (TBS) SHA256c734685d985b8ea13db4fc1a6dcd26aa0dde78b4c3b651ea5d58e32e081b2a41
    SubjectC=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA
    ValidFrom2013-12-10 00:00:00
    ValidTo2023-12-09 23:59:59
    Signature243bf5d7a03613c743fef0098768d198316e12e43f1e1f967b6b4c1e879e8bc56ca3b10c7b5092d5819cb18f2c29b7eef99105b98e41f12cf6d0592d98e0b9ea8001474095b83d9d03bd79bb35b6ad9c4c27f6674510c9c5bc874e557bd287bbdddc30efc6d46ccc99356d1ce060d3cd688f29594b89960846c98efc754fc5dc09cc4e278b44cd07bcac04e0b533a5879ff4dd730c91ea12816fe375f01eb5936c4417d53e97c9bd072c56771f85dd46e8bfde2c8194a3f7e5b7a7c1379f75ca55774d5e3629ca85d84541725775c0795bfa3410066d642042b73ac81f1d4664025fc647bef0c43a2854daf61e4f9aa21943a46f49f8fc5e422028848b47206e
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber71a0b73695ddb1afc23b2b9a18ee54cb
    Version3
    Certificate 0dbdf488aeaa9795e332a1ca2747af0d
    FieldValue
    ToBeSigned (TBS) MD55037c865c427f7d514ac954ef7e66ccf
    ToBeSigned (TBS) SHA1cfcc3ebb5c9003e88373beb66781dbdf9e1904d2
    ToBeSigned (TBS) SHA256cd684ad96d510b669c0767e4b845fb7a04fba27c1f3a0935b09a988d94938f6e
    SubjectC=CN, L=, O=, OU=, CN=
    ValidFrom2018-08-15 00:00:00
    ValidTo2019-08-15 23:59:59
    Signature3ebdf2009f802c1033d2a14df88ed84c6282db1e8d19d6324b21ffb8e69fbc0752d101bd22ab4fae6c8c45bb82b7ba0d9a7213d7a29a2f587bdf68c7ae3ab6f9ed7cc23e27d6f44a0a5311124381f6f9bdeec2e19c59fc7362d5d59f09951b8ffa03215e5679ae4bcffe45b7059426a96c2897107c07b2b3e6cbcbee46527908db76f7a1bf2af19c986eba31504c9c5c3cb34e81ba2a1eb55965a2d192820cac79f640a3e9672bb507dc3a561de5d94f9a0105a355f42bea235ea5349d7d2b104a71c56640e0170433fe1ef075d9f865f17be8989b590765917215c0f7b709e9820f7106dff8cec57d59ee2777cec96f8b1de8e3a93bc7e7b757d87c9888b9a2
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber0dbdf488aeaa9795e332a1ca2747af0d
    Version3
    Certificate 611fb0a400000000001d
    FieldValue
    ToBeSigned (TBS) MD5a3f222107d4e1085e73b5b589c2f480b
    ToBeSigned (TBS) SHA1b94aa26cd77c48d91a53ac44506cbd255e1d362c
    ToBeSigned (TBS) SHA256a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa
    SubjectC=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA
    ValidFrom2011-02-22 19:31:57
    ValidTo2021-02-22 19:41:57
    Signature2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber611fb0a400000000001d
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • WDFLDR.SYS

    Imported Functions

    Expand
    • RtlCompareMemory
    • ExAllocatePool
    • ExFreePoolWithTag
    • CmRegisterCallback
    • PsCreateSystemThread
    • ZwClose
    • MmIsAddressValid
    • PsSetCreateProcessNotifyRoutine
    • PsSetCreateThreadNotifyRoutine
    • PsSetLoadImageNotifyRoutine
    • __C_specific_handler
    • RtlInitUnicodeString
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • ObfDereferenceObject
    • PsGetCurrentProcessId
    • ZwOpenProcess
    • PsLookupProcessByProcessId
    • ZwWaitForSingleObject
    • PsReferenceProcessFilePointer
    • RtlCompareUnicodeStrings
    • KeEnterCriticalRegion
    • KeLeaveCriticalRegion
    • KeWaitForSingleObject
    • ExQueryDepthSList
    • ExpInterlockedPopEntrySList
    • ExpInterlockedPushEntrySList
    • ExInitializeNPagedLookasideList
    • ExInitializeResourceLite
    • ExAcquireResourceSharedLite
    • ExAcquireResourceExclusiveLite
    • ExReleaseResourceLite
    • PsTerminateSystemThread
    • ObReferenceObjectByHandle
    • KeStackAttachProcess
    • KeUnstackDetachProcess
    • PsGetProcessWow64Process
    • PsGetProcessImageFileName
    • ZwCreateFile
    • ZwQueryInformationFile
    • ZwReadFile
    • ExAllocatePoolWithTag
    • MmGetSystemRoutineAddress
    • IoGetCurrentProcess
    • PsGetProcessId
    • PsProcessType
    • PsGetProcessPeb
    • RtlInitAnsiString
    • RtlAnsiStringToUnicodeString
    • RtlFreeUnicodeString
    • _vsnprintf
    • _vsnwprintf
    • RtlGetVersion
    • KeInitializeEvent
    • KeQueryTimeIncrement
    • RtlRandomEx
    • ZwSetInformationFile
    • ZwWriteFile
    • IoFileObjectType
    • ZwTerminateProcess
    • KeBugCheckEx
    • RtlCopyUnicodeString
    • _wcslwr
    • wcsstr
    • ExSystemTimeToLocalTime
    • RtlTimeToTimeFields
    • WdfVersionBindClass
    • WdfVersionBind
    • WdfVersionUnbind
    • WdfVersionUnbindClass

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • .gfids
    • INIT
    • .reloc

    Signature

    Expand
    {
      "Certificates": [
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "71a0b73695ddb1afc23b2b9a18ee54cb",
          "Signature": "243bf5d7a03613c743fef0098768d198316e12e43f1e1f967b6b4c1e879e8bc56ca3b10c7b5092d5819cb18f2c29b7eef99105b98e41f12cf6d0592d98e0b9ea8001474095b83d9d03bd79bb35b6ad9c4c27f6674510c9c5bc874e557bd287bbdddc30efc6d46ccc99356d1ce060d3cd688f29594b89960846c98efc754fc5dc09cc4e278b44cd07bcac04e0b533a5879ff4dd730c91ea12816fe375f01eb5936c4417d53e97c9bd072c56771f85dd46e8bfde2c8194a3f7e5b7a7c1379f75ca55774d5e3629ca85d84541725775c0795bfa3410066d642042b73ac81f1d4664025fc647bef0c43a2854daf61e4f9aa21943a46f49f8fc5e422028848b47206e",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA",
          "TBS": {
            "MD5": "8314595952398203ab24badbbc927d39",
            "SHA1": "b07dcf73133408eee2786a208ce4b2543bf6c583",
            "SHA256": "c734685d985b8ea13db4fc1a6dcd26aa0dde78b4c3b651ea5d58e32e081b2a41",
            "SHA384": "874ded773c743b4e18744d7978b41cfe2e55529c61d45a0e34b3950aaad56b6c7a3780880133bcd1df3b1f86d468d46d"
          },
          "ValidFrom": "2013-12-10 00:00:00",
          "ValidTo": "2023-12-09 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "0dbdf488aeaa9795e332a1ca2747af0d",
          "Signature": "3ebdf2009f802c1033d2a14df88ed84c6282db1e8d19d6324b21ffb8e69fbc0752d101bd22ab4fae6c8c45bb82b7ba0d9a7213d7a29a2f587bdf68c7ae3ab6f9ed7cc23e27d6f44a0a5311124381f6f9bdeec2e19c59fc7362d5d59f09951b8ffa03215e5679ae4bcffe45b7059426a96c2897107c07b2b3e6cbcbee46527908db76f7a1bf2af19c986eba31504c9c5c3cb34e81ba2a1eb55965a2d192820cac79f640a3e9672bb507dc3a561de5d94f9a0105a355f42bea235ea5349d7d2b104a71c56640e0170433fe1ef075d9f865f17be8989b590765917215c0f7b709e9820f7106dff8cec57d59ee2777cec96f8b1de8e3a93bc7e7b757d87c9888b9a2",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=CN, L=, O=, OU=, CN=",
          "TBS": {
            "MD5": "5037c865c427f7d514ac954ef7e66ccf",
            "SHA1": "cfcc3ebb5c9003e88373beb66781dbdf9e1904d2",
            "SHA256": "cd684ad96d510b669c0767e4b845fb7a04fba27c1f3a0935b09a988d94938f6e",
            "SHA384": "30bf56d04a2a54ae834ea9b111da02fe53c0c13ddd66f815aed8100bb887c6d5b299e518ba1f4abc0f2c3bb02029141b"
          },
          "ValidFrom": "2018-08-15 00:00:00",
          "ValidTo": "2019-08-15 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "611fb0a400000000001d",
          "Signature": "2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA",
          "TBS": {
            "MD5": "a3f222107d4e1085e73b5b589c2f480b",
            "SHA1": "b94aa26cd77c48d91a53ac44506cbd255e1d362c",
            "SHA256": "a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa",
            "SHA384": "64b7643e4146016cbf83c911eb67e4601b6bb8d66f8ee8dcee67b815f91770d86ab23678b984430f22a963e5484881b7"
          },
          "ValidFrom": "2011-02-22 19:31:57",
          "ValidTo": "2021-02-22 19:41:57",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA",
          "SerialNumber": "0dbdf488aeaa9795e332a1ca2747af0d",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    source

    last_updated: 2024-09-26