{
	"id": "6aee91e0-ab9d-4d05-b993-41e2671444ff",
	"created_at": "2026-04-06T00:09:36.439066Z",
	"updated_at": "2026-04-10T03:20:47.276014Z",
	"deleted_at": null,
	"sha1_hash": "d3553bede4568ca9d6b762f8fcd39f6c589c2eb7",
	"title": "Fast Insights for a Microsoft-Signed Netfilter Rootkit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3676088,
	"plain_text": "Fast Insights for a Microsoft-Signed Netfilter Rootkit\r\nBy Giancarlo Lezama\r\nPublished: 2021-08-10 · Archived: 2026-04-05 21:20:14 UTC\r\nAutomate malware analysis of the Netfilter rootkit and other advanced threats. Obtain deep insights without long, manual effort.\r\nNews broke in June about a malicious Netfilter rootkit signed by Microsoft. This was significant because Windows machines only run drivers with valid signatures. Since drivers can obtain the maximum level of permissions on a machine, they are gold for any threat actor who can obtain such access.\r\nThanks to malware analysts like Karsten Hahn, additional samples of this malware dating back to March were uncovered, along with details on how they operate. Let’s look at the genetic analysis of these samples to see how you can quickly identify them as the Netfilter rootkit, understand their capabilities, and obtain similar artifacts despite the valid signature.\r\nThe Netfilter rootkit was found in a driver signed by Microsoft. This rare technique bypasses defenses such as antivirus tools by making the file appear legitimate, despite the fact that it has been tampered with to include malicious code. Obfuscated strings were also found in this file, which is very uncommon for a legitimate file. When the file is executed, other URLs can be identified, each with a specific purpose, including redirecting infected endpoints to other IP addresses, self-updating the malware, and receiving the valid root certificate.\r\nDetection of malware with valid signatures is challenging. Since these samples are signed legitimately by Microsoft, even antivirus software can be fooled into trusting them. An analyst could try investigating the abnormal network connections made to the URLs during execution. The URLs might be useful for this variant, but there is no way of telling what changes could be made to URLs in future malware variants, or whether the external server the rootkit connects to is hidden from network detection tools through methods such as DynDNS or proxies. Not to mention, how do you know the full extent of the capabilities in the driver? Once a rootkit is executed, it will totally own a machine with maximum permissions, hiding its activities from even endpoint detection solutions.\r\nLet’s take a look at the analysis of the Netfilter Dropper sample referenced in the aforementioned article.\r\nhttps://www.intezer.com/blog/malware-analysis/fast-insights-for-a-microsoft-signed-netfilter-rootkit/\r\nPage 1 of 5\r\nWith Intezer Analyze you can analyze malware threats in seconds, with every tool you need to do so in one place: genetic code analysis, sandboxing, memory analysis and static analysis.\r\nThe original file is classified as Netfilter rootkit: an analysis of the code finds that the file shares 41 code genes, or about 81% of its code (click Show common code), with previously identified Netfilter rootkit samples. It is clear that although the uploaded dropper has a valid signature, the code itself is identified as malicious and belongs to the Netfilter rootkit.\r\nAn analysis isn’t always this easy. Files can be obfuscated by being packed, encoded, or delivered in the form of installers. For this reason, Intezer also has the ability to statically extract relevant files packed in the original file, as well as dynamically execute the original file in order to see how it behaves. In this particular analysis, the driver is embedded in the dropper and is dropped onto the disk during execution in the sandbox.\r\nWith Intezer Analyze you don’t get a black box. Instead, you can see exactly in which malware samples the malicious Netfilter rootkit code of the dropper (as well as of the dropped files) has been seen before.\r\nIntezer’s sandboxing capabilities capture what the file did during execution within the context of the MITRE ATT\u0026CK® framework. This provides an immediate sense of what suspicious or malicious activity the file is capable of, in order to help you assess the risk. The highest-risk behavior found in this file is the ability to persist on an endpoint by making adjustments to the Windows Registry.\r\nAnother interesting behavior is the network activity resulting from the file’s execution, which provides us with network IoCs for this file. These network IoCs, along with the file IoCs uncovered when the file was executed or via static extraction, make up the full list of IoCs shown in a separate tab for ease of access.\r\nThe network IoCs are identical to the ones provided in the GData article, each with a distinct purpose as mentioned.\r\nTo summarize, there is a lot of information related to the investigation of this malware that can be easily extracted through genetic code analysis and other fundamental techniques with Intezer’s malware analysis tool.\r\nConsider that most malware must evolve into new variants in order to evade detection, but their code mostly remains the same. Behavioral analysis and signatures can be evaded by advanced malware like this Netfilter rootkit, but the code doesn’t lie.\r\nIntezer Analyze covers every malware-related incident. Scan files, live machines, memory dumps and URLs (coming soon) to get fast verdicts, TTPs, IoCs and more. Sign up for free and start with 50 file uploads per month.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.intezer.com/blog/malware-analysis/fast-insights-for-a-microsoft-signed-netfilter-rootkit/"
	],
	"report_names": [
		"fast-insights-for-a-microsoft-signed-netfilter-rootkit"
	],
	"threat_actors": [],
	"ts_created_at": 1775434176,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d3553bede4568ca9d6b762f8fcd39f6c589c2eb7.pdf",
		"text": "https://archive.orkl.eu/d3553bede4568ca9d6b762f8fcd39f6c589c2eb7.txt",
		"img": "https://archive.orkl.eu/d3553bede4568ca9d6b762f8fcd39f6c589c2eb7.jpg"
	}
}