9713603a-53bf-4907-a304-b422db741fc6

typelibdE.sys :inline :inline

Description

Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver has been active since at least 2021. RedDriver utilizes HookSignTool to forge its signature timestamp to bypass Windows driver-signing policies. Code from multiple open-source tools has been used in the development of RedDriver's infection chain, including HP-Socket and a custom implementation of ReflectiveLoader. The authors of RedDriver appear to be skilled in driver development and have deep knowledge of the Windows operating system. This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves.

  • UUID: 9713603a-53bf-4907-a304-b422db741fc6
  • Created: 2023-07-12
  • Author: Michael Haag
  • Acknowledgement: |

DownloadBlock

This download link contains the malicious driver!

Commands

sc.exe create typelibdE.sys binPath=C:\windows\temp\typelibdE.sys type=kernel && sc.exe start typelibdE.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://blog.talosintelligence.com/undocumented-reddriver/

  • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2023-04-10 19:59:25
    MD52406ea37152d2154be3fef6d69ada2c6
    SHA1b6eb40ea52b47f03edb8f45e2e431b5f666df8c5
    SHA2564f02aed3750bc6a924c75e774404f259f721d8f4081ed68aa01cf73ca5430f85
    Authentihash MD50a1afc7458bc0043c28e2a3d3c55218f
    Authentihash SHA1174f3d13b28fd23e4f5113822ec18cffe7977c44
    Authentihash SHA25681f4258c5aee1bfe424880fbc61a1928a816014c502f010be03becbb42e648fb
    RichPEHeaderHash MD53e8b77121573e70b98f26828a7ec2cc0
    RichPEHeaderHash SHA193e009f2ef2ebc8e6f91afb0407312e379d114c1
    RichPEHeaderHash SHA2566c46fc6908d6505c93eae0f2e772f203724356a3d89ae8b31d9060ee718ea32f

    Download

    Certificates

    Expand
    Certificate 71a0b73695ddb1afc23b2b9a18ee54cb
    FieldValue
    ToBeSigned (TBS) MD58314595952398203ab24badbbc927d39
    ToBeSigned (TBS) SHA1b07dcf73133408eee2786a208ce4b2543bf6c583
    ToBeSigned (TBS) SHA256c734685d985b8ea13db4fc1a6dcd26aa0dde78b4c3b651ea5d58e32e081b2a41
    SubjectC=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA
    ValidFrom2013-12-10 00:00:00
    ValidTo2023-12-09 23:59:59
    Signature243bf5d7a03613c743fef0098768d198316e12e43f1e1f967b6b4c1e879e8bc56ca3b10c7b5092d5819cb18f2c29b7eef99105b98e41f12cf6d0592d98e0b9ea8001474095b83d9d03bd79bb35b6ad9c4c27f6674510c9c5bc874e557bd287bbdddc30efc6d46ccc99356d1ce060d3cd688f29594b89960846c98efc754fc5dc09cc4e278b44cd07bcac04e0b533a5879ff4dd730c91ea12816fe375f01eb5936c4417d53e97c9bd072c56771f85dd46e8bfde2c8194a3f7e5b7a7c1379f75ca55774d5e3629ca85d84541725775c0795bfa3410066d642042b73ac81f1d4664025fc647bef0c43a2854daf61e4f9aa21943a46f49f8fc5e422028848b47206e
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber71a0b73695ddb1afc23b2b9a18ee54cb
    Version3
    Certificate 0dbdf488aeaa9795e332a1ca2747af0d
    FieldValue
    ToBeSigned (TBS) MD55037c865c427f7d514ac954ef7e66ccf
    ToBeSigned (TBS) SHA1cfcc3ebb5c9003e88373beb66781dbdf9e1904d2
    ToBeSigned (TBS) SHA256cd684ad96d510b669c0767e4b845fb7a04fba27c1f3a0935b09a988d94938f6e
    SubjectC=CN, L=, O=, OU=, CN=
    ValidFrom2018-08-15 00:00:00
    ValidTo2019-08-15 23:59:59
    Signature3ebdf2009f802c1033d2a14df88ed84c6282db1e8d19d6324b21ffb8e69fbc0752d101bd22ab4fae6c8c45bb82b7ba0d9a7213d7a29a2f587bdf68c7ae3ab6f9ed7cc23e27d6f44a0a5311124381f6f9bdeec2e19c59fc7362d5d59f09951b8ffa03215e5679ae4bcffe45b7059426a96c2897107c07b2b3e6cbcbee46527908db76f7a1bf2af19c986eba31504c9c5c3cb34e81ba2a1eb55965a2d192820cac79f640a3e9672bb507dc3a561de5d94f9a0105a355f42bea235ea5349d7d2b104a71c56640e0170433fe1ef075d9f865f17be8989b590765917215c0f7b709e9820f7106dff8cec57d59ee2777cec96f8b1de8e3a93bc7e7b757d87c9888b9a2
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber0dbdf488aeaa9795e332a1ca2747af0d
    Version3
    Certificate 611fb0a400000000001d
    FieldValue
    ToBeSigned (TBS) MD5a3f222107d4e1085e73b5b589c2f480b
    ToBeSigned (TBS) SHA1b94aa26cd77c48d91a53ac44506cbd255e1d362c
    ToBeSigned (TBS) SHA256a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa
    SubjectC=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA
    ValidFrom2011-02-22 19:31:57
    ValidTo2021-02-22 19:41:57
    Signature2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber611fb0a400000000001d
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • WDFLDR.SYS

    Imported Functions

    Expand
    • RtlCompareMemory
    • ExAllocatePool
    • ExFreePoolWithTag
    • CmRegisterCallback
    • PsCreateSystemThread
    • ZwClose
    • MmIsAddressValid
    • PsSetCreateProcessNotifyRoutine
    • PsSetCreateThreadNotifyRoutine
    • PsSetLoadImageNotifyRoutine
    • __C_specific_handler
    • RtlInitUnicodeString
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • ObfDereferenceObject
    • PsGetCurrentProcessId
    • ZwOpenProcess
    • PsLookupProcessByProcessId
    • ZwWaitForSingleObject
    • PsReferenceProcessFilePointer
    • RtlCompareUnicodeStrings
    • KeEnterCriticalRegion
    • KeLeaveCriticalRegion
    • KeWaitForSingleObject
    • ExQueryDepthSList
    • ExpInterlockedPopEntrySList
    • ExpInterlockedPushEntrySList
    • ExInitializeNPagedLookasideList
    • ExInitializeResourceLite
    • ExAcquireResourceSharedLite
    • ExAcquireResourceExclusiveLite
    • ExReleaseResourceLite
    • PsTerminateSystemThread
    • ObReferenceObjectByHandle
    • KeStackAttachProcess
    • KeUnstackDetachProcess
    • PsGetProcessWow64Process
    • PsGetProcessImageFileName
    • ZwCreateFile
    • ZwQueryInformationFile
    • ZwReadFile
    • ExAllocatePoolWithTag
    • MmGetSystemRoutineAddress
    • IoGetCurrentProcess
    • PsGetProcessId
    • PsProcessType
    • PsGetProcessPeb
    • RtlInitAnsiString
    • RtlAnsiStringToUnicodeString
    • RtlFreeUnicodeString
    • _vsnprintf
    • _vsnwprintf
    • RtlGetVersion
    • KeInitializeEvent
    • KeQueryTimeIncrement
    • RtlRandomEx
    • ZwSetInformationFile
    • ZwWriteFile
    • IoFileObjectType
    • ZwTerminateProcess
    • KeBugCheckEx
    • RtlCopyUnicodeString
    • _wcslwr
    • wcsstr
    • ExSystemTimeToLocalTime
    • RtlTimeToTimeFields
    • WdfVersionBindClass
    • WdfVersionBind
    • WdfVersionUnbind
    • WdfVersionUnbindClass

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • .gfids
    • INIT
    • .reloc

    Signature

    Expand
    {
      "Certificates": [
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "71a0b73695ddb1afc23b2b9a18ee54cb",
          "Signature": "243bf5d7a03613c743fef0098768d198316e12e43f1e1f967b6b4c1e879e8bc56ca3b10c7b5092d5819cb18f2c29b7eef99105b98e41f12cf6d0592d98e0b9ea8001474095b83d9d03bd79bb35b6ad9c4c27f6674510c9c5bc874e557bd287bbdddc30efc6d46ccc99356d1ce060d3cd688f29594b89960846c98efc754fc5dc09cc4e278b44cd07bcac04e0b533a5879ff4dd730c91ea12816fe375f01eb5936c4417d53e97c9bd072c56771f85dd46e8bfde2c8194a3f7e5b7a7c1379f75ca55774d5e3629ca85d84541725775c0795bfa3410066d642042b73ac81f1d4664025fc647bef0c43a2854daf61e4f9aa21943a46f49f8fc5e422028848b47206e",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA",
          "TBS": {
            "MD5": "8314595952398203ab24badbbc927d39",
            "SHA1": "b07dcf73133408eee2786a208ce4b2543bf6c583",
            "SHA256": "c734685d985b8ea13db4fc1a6dcd26aa0dde78b4c3b651ea5d58e32e081b2a41",
            "SHA384": "874ded773c743b4e18744d7978b41cfe2e55529c61d45a0e34b3950aaad56b6c7a3780880133bcd1df3b1f86d468d46d"
          },
          "ValidFrom": "2013-12-10 00:00:00",
          "ValidTo": "2023-12-09 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "0dbdf488aeaa9795e332a1ca2747af0d",
          "Signature": "3ebdf2009f802c1033d2a14df88ed84c6282db1e8d19d6324b21ffb8e69fbc0752d101bd22ab4fae6c8c45bb82b7ba0d9a7213d7a29a2f587bdf68c7ae3ab6f9ed7cc23e27d6f44a0a5311124381f6f9bdeec2e19c59fc7362d5d59f09951b8ffa03215e5679ae4bcffe45b7059426a96c2897107c07b2b3e6cbcbee46527908db76f7a1bf2af19c986eba31504c9c5c3cb34e81ba2a1eb55965a2d192820cac79f640a3e9672bb507dc3a561de5d94f9a0105a355f42bea235ea5349d7d2b104a71c56640e0170433fe1ef075d9f865f17be8989b590765917215c0f7b709e9820f7106dff8cec57d59ee2777cec96f8b1de8e3a93bc7e7b757d87c9888b9a2",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=CN, L=, O=, OU=, CN=",
          "TBS": {
            "MD5": "5037c865c427f7d514ac954ef7e66ccf",
            "SHA1": "cfcc3ebb5c9003e88373beb66781dbdf9e1904d2",
            "SHA256": "cd684ad96d510b669c0767e4b845fb7a04fba27c1f3a0935b09a988d94938f6e",
            "SHA384": "30bf56d04a2a54ae834ea9b111da02fe53c0c13ddd66f815aed8100bb887c6d5b299e518ba1f4abc0f2c3bb02029141b"
          },
          "ValidFrom": "2018-08-15 00:00:00",
          "ValidTo": "2019-08-15 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "611fb0a400000000001d",
          "Signature": "2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA",
          "TBS": {
            "MD5": "a3f222107d4e1085e73b5b589c2f480b",
            "SHA1": "b94aa26cd77c48d91a53ac44506cbd255e1d362c",
            "SHA256": "a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa",
            "SHA384": "64b7643e4146016cbf83c911eb67e4601b6bb8d66f8ee8dcee67b815f91770d86ab23678b984430f22a963e5484881b7"
          },
          "ValidFrom": "2011-02-22 19:31:57",
          "ValidTo": "2021-02-22 19:41:57",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA",
          "SerialNumber": "0dbdf488aeaa9795e332a1ca2747af0d",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    source

    last_updated: 2024-09-26