b759adfa-b353-4ca3-9dfb-8fadf7a437eb

spwizimgVT.sys :inline :inline

Description

Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver has been active since at least 2021. RedDriver utilizes HookSignTool to forge its signature timestamp to bypass Windows driver-signing policies. Code from multiple open-source tools has been used in the development of RedDriver's infection chain, including HP-Socket and a custom implementation of ReflectiveLoader. The authors of RedDriver appear to be skilled in driver development and have deep knowledge of the Windows operating system. This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves.

  • UUID: b759adfa-b353-4ca3-9dfb-8fadf7a437eb
  • Created: 2023-07-12
  • Author: Michael Haag
  • Acknowledgement: |

Download

This download link contains the malicious driver!

Commands

sc.exe create spwizimgVT.sys binPath=C:\windows\temp\spwizimgVT.sys type=kernel && sc.exe start spwizimgVT.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://blog.talosintelligence.com/undocumented-reddriver/

    • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2023-05-15 01:22:31
    MD55917e415a5bf30b3fcbcbcb8a4f20ee0
    SHA14dd86ff6f7180abebcb92e556a486abe7132754c
    SHA25630061ef383e18e74bb067fbca69544f1a7544e8dc017d4e7633d8379aff4c3c3
    Authentihash MD5d4b2c5fa7675cb780e8d4bc6bee7e41c
    Authentihash SHA169fb9f2483c8e571780175dd607d455d9ed8ce47
    Authentihash SHA256c9fbff8b749a1f580b5b5b9e59ec3ffd769b4179970b82e32a3d36e7a3a8cb1a
    RichPEHeaderHash MD5ceb1860de56dcebdf714302cb649ff71
    RichPEHeaderHash SHA1a03c600569d3c813667c3520788e423f1c5eed0f
    RichPEHeaderHash SHA25639e0e1bb3f0a24fd42b1e55d492f5b87a926d6689b172c3475e1898f737be750

    Download

    Certificates

    Expand
    Certificate 71a0b73695ddb1afc23b2b9a18ee54cb
    FieldValue
    ToBeSigned (TBS) MD58314595952398203ab24badbbc927d39
    ToBeSigned (TBS) SHA1b07dcf73133408eee2786a208ce4b2543bf6c583
    ToBeSigned (TBS) SHA256c734685d985b8ea13db4fc1a6dcd26aa0dde78b4c3b651ea5d58e32e081b2a41
    SubjectC=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA
    ValidFrom2013-12-10 00:00:00
    ValidTo2023-12-09 23:59:59
    Signature243bf5d7a03613c743fef0098768d198316e12e43f1e1f967b6b4c1e879e8bc56ca3b10c7b5092d5819cb18f2c29b7eef99105b98e41f12cf6d0592d98e0b9ea8001474095b83d9d03bd79bb35b6ad9c4c27f6674510c9c5bc874e557bd287bbdddc30efc6d46ccc99356d1ce060d3cd688f29594b89960846c98efc754fc5dc09cc4e278b44cd07bcac04e0b533a5879ff4dd730c91ea12816fe375f01eb5936c4417d53e97c9bd072c56771f85dd46e8bfde2c8194a3f7e5b7a7c1379f75ca55774d5e3629ca85d84541725775c0795bfa3410066d642042b73ac81f1d4664025fc647bef0c43a2854daf61e4f9aa21943a46f49f8fc5e422028848b47206e
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber71a0b73695ddb1afc23b2b9a18ee54cb
    Version3
    Certificate 0dbdf488aeaa9795e332a1ca2747af0d
    FieldValue
    ToBeSigned (TBS) MD55037c865c427f7d514ac954ef7e66ccf
    ToBeSigned (TBS) SHA1cfcc3ebb5c9003e88373beb66781dbdf9e1904d2
    ToBeSigned (TBS) SHA256cd684ad96d510b669c0767e4b845fb7a04fba27c1f3a0935b09a988d94938f6e
    SubjectC=CN, L=, O=, OU=, CN=
    ValidFrom2018-08-15 00:00:00
    ValidTo2019-08-15 23:59:59
    Signature3ebdf2009f802c1033d2a14df88ed84c6282db1e8d19d6324b21ffb8e69fbc0752d101bd22ab4fae6c8c45bb82b7ba0d9a7213d7a29a2f587bdf68c7ae3ab6f9ed7cc23e27d6f44a0a5311124381f6f9bdeec2e19c59fc7362d5d59f09951b8ffa03215e5679ae4bcffe45b7059426a96c2897107c07b2b3e6cbcbee46527908db76f7a1bf2af19c986eba31504c9c5c3cb34e81ba2a1eb55965a2d192820cac79f640a3e9672bb507dc3a561de5d94f9a0105a355f42bea235ea5349d7d2b104a71c56640e0170433fe1ef075d9f865f17be8989b590765917215c0f7b709e9820f7106dff8cec57d59ee2777cec96f8b1de8e3a93bc7e7b757d87c9888b9a2
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber0dbdf488aeaa9795e332a1ca2747af0d
    Version3
    Certificate 611fb0a400000000001d
    FieldValue
    ToBeSigned (TBS) MD5a3f222107d4e1085e73b5b589c2f480b
    ToBeSigned (TBS) SHA1b94aa26cd77c48d91a53ac44506cbd255e1d362c
    ToBeSigned (TBS) SHA256a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa
    SubjectC=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA
    ValidFrom2011-02-22 19:31:57
    ValidTo2021-02-22 19:41:57
    Signature2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber611fb0a400000000001d
    Version3

    Imports

    Expand
    • fwpkclnt.sys
    • ntoskrnl.exe
    • WDFLDR.SYS

    Imported Functions

    Expand
    • FwpsReleaseClassifyHandle0
    • FwpsAcquireClassifyHandle0
    • FwpsApplyModifiedLayerData0
    • FwpsAcquireWritableLayerDataPointer0
    • FwpsCalloutRegister1
    • RtlCompareMemory
    • ExAllocatePool
    • ExFreePoolWithTag
    • CmRegisterCallback
    • PsCreateSystemThread
    • ZwClose
    • MmIsAddressValid
    • PsSetCreateProcessNotifyRoutine
    • PsSetCreateThreadNotifyRoutine
    • PsSetLoadImageNotifyRoutine
    • __C_specific_handler
    • RtlInitUnicodeString
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • ObfDereferenceObject
    • PsGetCurrentProcessId
    • ZwOpenProcess
    • PsLookupProcessByProcessId
    • ZwWaitForSingleObject
    • PsReferenceProcessFilePointer
    • RtlCompareUnicodeStrings
    • KeEnterCriticalRegion
    • KeLeaveCriticalRegion
    • KeWaitForSingleObject
    • ExQueryDepthSList
    • ExpInterlockedPopEntrySList
    • ExpInterlockedPushEntrySList
    • ExInitializeNPagedLookasideList
    • ExInitializeResourceLite
    • ExAcquireResourceSharedLite
    • ExAcquireResourceExclusiveLite
    • ExReleaseResourceLite
    • PsTerminateSystemThread
    • ObReferenceObjectByHandle
    • KeStackAttachProcess
    • KeUnstackDetachProcess
    • PsGetProcessWow64Process
    • PsGetProcessImageFileName
    • ZwCreateFile
    • ZwQueryInformationFile
    • ZwReadFile
    • ExAllocatePoolWithTag
    • MmGetSystemRoutineAddress
    • KeAcquireInStackQueuedSpinLock
    • KeReleaseInStackQueuedSpinLock
    • RtlIpv4AddressToStringA
    • IoGetCurrentProcess
    • PsGetProcessId
    • PsProcessType
    • PsGetProcessPeb
    • RtlInitAnsiString
    • RtlAnsiStringToUnicodeString
    • RtlFreeUnicodeString
    • _vsnprintf
    • _vsnwprintf
    • RtlGetVersion
    • KeInitializeEvent
    • KeQueryTimeIncrement
    • RtlRandomEx
    • ZwSetInformationFile
    • ZwWriteFile
    • IoFileObjectType
    • ZwTerminateProcess
    • RtlCopyUnicodeString
    • KeBugCheckEx
    • _wcslwr
    • wcsstr
    • ExSystemTimeToLocalTime
    • RtlTimeToTimeFields
    • WdfVersionBind
    • WdfVersionBindClass
    • WdfVersionUnbindClass
    • WdfVersionUnbind

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • .gfids
    • INIT
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "71a0b73695ddb1afc23b2b9a18ee54cb",
      "Signature": "243bf5d7a03613c743fef0098768d198316e12e43f1e1f967b6b4c1e879e8bc56ca3b10c7b5092d5819cb18f2c29b7eef99105b98e41f12cf6d0592d98e0b9ea8001474095b83d9d03bd79bb35b6ad9c4c27f6674510c9c5bc874e557bd287bbdddc30efc6d46ccc99356d1ce060d3cd688f29594b89960846c98efc754fc5dc09cc4e278b44cd07bcac04e0b533a5879ff4dd730c91ea12816fe375f01eb5936c4417d53e97c9bd072c56771f85dd46e8bfde2c8194a3f7e5b7a7c1379f75ca55774d5e3629ca85d84541725775c0795bfa3410066d642042b73ac81f1d4664025fc647bef0c43a2854daf61e4f9aa21943a46f49f8fc5e422028848b47206e",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA",
      "TBS": {
        "MD5": "8314595952398203ab24badbbc927d39",
        "SHA1": "b07dcf73133408eee2786a208ce4b2543bf6c583",
        "SHA256": "c734685d985b8ea13db4fc1a6dcd26aa0dde78b4c3b651ea5d58e32e081b2a41",
        "SHA384": "874ded773c743b4e18744d7978b41cfe2e55529c61d45a0e34b3950aaad56b6c7a3780880133bcd1df3b1f86d468d46d"
      },
      "ValidFrom": "2013-12-10 00:00:00",
      "ValidTo": "2023-12-09 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "0dbdf488aeaa9795e332a1ca2747af0d",
      "Signature": "3ebdf2009f802c1033d2a14df88ed84c6282db1e8d19d6324b21ffb8e69fbc0752d101bd22ab4fae6c8c45bb82b7ba0d9a7213d7a29a2f587bdf68c7ae3ab6f9ed7cc23e27d6f44a0a5311124381f6f9bdeec2e19c59fc7362d5d59f09951b8ffa03215e5679ae4bcffe45b7059426a96c2897107c07b2b3e6cbcbee46527908db76f7a1bf2af19c986eba31504c9c5c3cb34e81ba2a1eb55965a2d192820cac79f640a3e9672bb507dc3a561de5d94f9a0105a355f42bea235ea5349d7d2b104a71c56640e0170433fe1ef075d9f865f17be8989b590765917215c0f7b709e9820f7106dff8cec57d59ee2777cec96f8b1de8e3a93bc7e7b757d87c9888b9a2",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=CN, L=, O=, OU=, CN=",
      "TBS": {
        "MD5": "5037c865c427f7d514ac954ef7e66ccf",
        "SHA1": "cfcc3ebb5c9003e88373beb66781dbdf9e1904d2",
        "SHA256": "cd684ad96d510b669c0767e4b845fb7a04fba27c1f3a0935b09a988d94938f6e",
        "SHA384": "30bf56d04a2a54ae834ea9b111da02fe53c0c13ddd66f815aed8100bb887c6d5b299e518ba1f4abc0f2c3bb02029141b"
      },
      "ValidFrom": "2018-08-15 00:00:00",
      "ValidTo": "2019-08-15 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "611fb0a400000000001d",
      "Signature": "2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA",
      "TBS": {
        "MD5": "a3f222107d4e1085e73b5b589c2f480b",
        "SHA1": "b94aa26cd77c48d91a53ac44506cbd255e1d362c",
        "SHA256": "a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa",
        "SHA384": "64b7643e4146016cbf83c911eb67e4601b6bb8d66f8ee8dcee67b815f91770d86ab23678b984430f22a963e5484881b7"
      },
      "ValidFrom": "2011-02-22 19:31:57",
      "ValidTo": "2021-02-22 19:41:57",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA",
      "SerialNumber": "0dbdf488aeaa9795e332a1ca2747af0d",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-04-09