8c2df58f-1e02-4911-ad40-3fa4ed1f4333

ef0e1725aaf0c6c972593f860531a2ea.sys :inline :inline

Description

Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver has been active since at least 2021. RedDriver utilizes HookSignTool to forge its signature timestamp to bypass Windows driver-signing policies. Code from multiple open-source tools has been used in the development of RedDriver's infection chain, including HP-Socket and a custom implementation of ReflectiveLoader. The authors of RedDriver appear to be skilled in driver development and have deep knowledge of the Windows operating system. This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves.

  • UUID: 8c2df58f-1e02-4911-ad40-3fa4ed1f4333
  • Created: 2023-07-31
  • Author: Alice Climent-Pommeret
  • Acknowledgement: |

Download

This download link contains the malicious driver!

Commands

sc.exe create ef0e1725aaf0c6c972593f860531a2ea.sys binPath=C:\windows\temp\ef0e1725aaf0c6c972593f860531a2ea.sys type=kernel && sc.exe start ef0e1725aaf0c6c972593f860531a2ea.sys
Use CasePrivilegesOperating System
kernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://blog.talosintelligence.com/undocumented-reddriver/

    • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2023-06-23 19:41:15
    MD5ef0e1725aaf0c6c972593f860531a2ea
    SHA16abc7979ba044f31884517827afb7b4bdaa0dcc1
    SHA256f0474e76cfd36e37e32cfe5c0a9e05ddee17dd5014d7aa8817ea3634a3540a3f
    Authentihash MD5b2529d804593b6e7ced9f1d0ae2534a4
    Authentihash SHA1859eabbf126c0f1c7895b45ec5629029a24ec059
    Authentihash SHA2563fb37ecca8742677bd94ef6f6fb195b4baac701525c2140773a6475fa3aa633c
    RichPEHeaderHash MD550a091a32968ef3300f66b6b27458a45
    RichPEHeaderHash SHA18d89bf1282a5af58cb3566accb77398fed0a2634
    RichPEHeaderHash SHA256eb0f5406bd177f3dc8a2adcf37a88cc3881e703f32fa67ff8f9c6cf67b9558d3

    Download

    Certificates

    Expand
    Certificate 0a005d2e2bcd4137168217d8c727747c
    FieldValue
    ToBeSigned (TBS) MD54d213d99215f488050faaa39765656d1
    ToBeSigned (TBS) SHA10308508b5a3fcd330bbf28931f8e1a9c93c3ee69
    ToBeSigned (TBS) SHA256ea947432de238a25fdb7892e436f4ef44f30ab16ae9e1eb914860f4808b25ef2
    SubjectC=CN, ST=Beijing, L=Beijing, O=Beijing JoinHope Image Technology Ltd., CN=Beijing JoinHope Image Technology Ltd.
    ValidFrom2014-05-16 00:00:00
    ValidTo2015-05-16 23:59:59
    Signaturee896f8811ed9938fcbdc8c37f8c029045bb36722791c608d7d59f1d50b9e8923777b3ce973553c8164d7445f038c3720516d74f2f95fd734cd1349c1e6cf17f1c9042f069fb94350f7cd8f36f676fd175742d32adbc5d143423e3bc38bea71f9d021110303529d578ba7aab16d53c61642cf1f7e16964718a083182429d4347a09ea0047d9e53bad112ca5a5a14a180539ceb64000a677709bb70e9e3aea68158977072e7f130f1f99b08c2593b4003523f3f6cd441a7e4d8e88f3a2b871e6a03627dd3dadd97487df1dc5b93119ec65b60d1e4e0248a1978ee7480c08b8b8e54d890e7941aa852cf65d731cf0a6cf66584a0d0fba70d6697ee22a8d859919f4
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber0a005d2e2bcd4137168217d8c727747c
    Version3
    Certificate 611993e400000000001c
    FieldValue
    ToBeSigned (TBS) MD578a717e082dcc1cda3458d917e677d14
    ToBeSigned (TBS) SHA14a872e0e51f9b304469cd1dedb496ee9b8b983a4
    ToBeSigned (TBS) SHA256317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8
    SubjectC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5
    ValidFrom2011-02-22 19:25:17
    ValidTo2021-02-22 19:35:17
    Signature812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber611993e400000000001c
    Version3
    Certificate 5200e5aa2556fc1a86ed96c9d44b33c7
    FieldValue
    ToBeSigned (TBS) MD5b30c31a572b0409383ed3fbe17e56e81
    ToBeSigned (TBS) SHA14843a82ed3b1f2bfbee9671960e1940c942f688d
    ToBeSigned (TBS) SHA25603cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9
    SubjectC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
    ValidFrom2010-02-08 00:00:00
    ValidTo2020-02-07 23:59:59
    Signature5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber5200e5aa2556fc1a86ed96c9d44b33c7
    Version3

    Imports

    Expand
    • ntoskrnl.exe

    Imported Functions

    Expand
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • IoRegisterDriverReinitialization
    • RtlInitUnicodeString
    • IoDeleteDevice
    • KeSetEvent
    • KeInitializeEvent
    • PsCreateSystemThread
    • PsTerminateSystemThread
    • ZwClose
    • IofCompleteRequest
    • ObReferenceObjectByHandle
    • KeWaitForSingleObject
    • PsThreadType
    • IoIsWdmVersionAvailable
    • IoCreateSymbolicLink
    • IoCreateDevice
    • ZwReadFile
    • IoCreateFile
    • ZwSetInformationFile
    • ZwCreateFile
    • ZwQueryDirectoryFile
    • ZwDeleteFile
    • ZwOpenFile
    • RtlImageNtHeader
    • ZwQueryInformationFile
    • ZwWriteFile
    • ZwSetValueKey
    • ZwQueryValueKey
    • _vsnprintf
    • ZwFlushKey
    • ZwDeleteKey
    • ZwOpenKey
    • _stricmp
    • ZwCreateKey
    • PsSetLoadImageNotifyRoutine
    • PsGetProcessImageFileName
    • PsLookupProcessByProcessId
    • MmGetSystemRoutineAddress
    • RtlGetVersion
    • FsRtlIsNameInExpression
    • wcsrchr
    • PsRemoveLoadImageNotifyRoutine
    • MmIsAddressValid
    • ObfDereferenceObject
    • KeUnstackDetachProcess
    • ObOpenObjectByPointer
    • KeStackAttachProcess
    • ZwAllocateVirtualMemory
    • KeClearEvent
    • _wcsnicmp
    • ObCreateObject
    • IoFileObjectType
    • IoDriverObjectType
    • MmMapLockedPagesSpecifyCache
    • IoGetCurrentProcess
    • _vsnwprintf
    • KeQueryTimeIncrement
    • IoGetDeviceAttachmentBaseRef
    • IoFreeIrp
    • IoAllocateIrp
    • RtlCompareUnicodeString
    • CmRegisterCallback
    • PsGetCurrentProcessId
    • RtlCopyUnicodeString
    • CmCallbackGetKeyObjectID
    • ZwEnumerateKey
    • strstr
    • KeDelayExecutionThread
    • ExSystemTimeToLocalTime
    • RtlTimeToTimeFields
    • RtlMultiByteToUnicodeN
    • IoBuildDeviceIoControlRequest
    • IoGetRelatedDeviceObject
    • IoFreeMdl
    • IoCancelIrp
    • MmProbeAndLockPages
    • IoAllocateMdl
    • IofCallDriver
    • ZwMapViewOfSection
    • ExGetPreviousMode
    • ZwQuerySystemInformation
    • ZwUnmapViewOfSection
    • ZwCreateSection
    • ExFreePool
    • KeBugCheckEx
    • __C_specific_handler

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "0a005d2e2bcd4137168217d8c727747c",
      "Signature": "e896f8811ed9938fcbdc8c37f8c029045bb36722791c608d7d59f1d50b9e8923777b3ce973553c8164d7445f038c3720516d74f2f95fd734cd1349c1e6cf17f1c9042f069fb94350f7cd8f36f676fd175742d32adbc5d143423e3bc38bea71f9d021110303529d578ba7aab16d53c61642cf1f7e16964718a083182429d4347a09ea0047d9e53bad112ca5a5a14a180539ceb64000a677709bb70e9e3aea68158977072e7f130f1f99b08c2593b4003523f3f6cd441a7e4d8e88f3a2b871e6a03627dd3dadd97487df1dc5b93119ec65b60d1e4e0248a1978ee7480c08b8b8e54d890e7941aa852cf65d731cf0a6cf66584a0d0fba70d6697ee22a8d859919f4",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=CN, ST=Beijing, L=Beijing, O=Beijing JoinHope Image Technology Ltd., CN=Beijing JoinHope Image Technology Ltd.",
      "TBS": {
        "MD5": "4d213d99215f488050faaa39765656d1",
        "SHA1": "0308508b5a3fcd330bbf28931f8e1a9c93c3ee69",
        "SHA256": "ea947432de238a25fdb7892e436f4ef44f30ab16ae9e1eb914860f4808b25ef2",
        "SHA384": "430e932514f35ed55f31f050f33bcc0b9244fd83c6d1d28ee240306e54292e93b5894ef4eb9c09bf84cdc8068c6a7230"
      },
      "ValidFrom": "2014-05-16 00:00:00",
      "ValidTo": "2015-05-16 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "611993e400000000001c",
      "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5",
      "TBS": {
        "MD5": "78a717e082dcc1cda3458d917e677d14",
        "SHA1": "4a872e0e51f9b304469cd1dedb496ee9b8b983a4",
        "SHA256": "317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8",
        "SHA384": "b71052da4eb9157c8c1a5d7f55df19d69b9128598b72fcca608e5b7cc7d64c43c5504b9c86355a6dc22ee40c88cc385c"
      },
      "ValidFrom": "2011-02-22 19:25:17",
      "ValidTo": "2021-02-22 19:35:17",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "5200e5aa2556fc1a86ed96c9d44b33c7",
      "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA",
      "TBS": {
        "MD5": "b30c31a572b0409383ed3fbe17e56e81",
        "SHA1": "4843a82ed3b1f2bfbee9671960e1940c942f688d",
        "SHA256": "03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9",
        "SHA384": "bbda8407c4f9fc4e54d772f1c7fb9d30bc97e1f97ecd51c443063d1fa0644e266328781776cd5c44896c457c75f4d7da"
      },
      "ValidFrom": "2010-02-08 00:00:00",
      "ValidTo": "2020-02-07 23:59:59",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA",
      "SerialNumber": "0a005d2e2bcd4137168217d8c727747c",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-04-09