HookSignTool is a malicious driver signature forging tool that alters the signing date of a driver during the signing process. It does this by hooking the Windows API and manually modifying the import table of a legitimate code signing tool. HookSignTool has been publicly available on GitHub since January 7, 2020. It has been used to re-sign cracked drivers to bypass digital rights management (DRM) integrity checks; one recorded instance dates to November 9, 2022, when an actor named "Juno_Jr" released a cracked version of PrimoCache, a legitimate software caching solution, on a Chinese software cracking forum.
The tool has also been used by a previously undocumented driver known as RedDriver to forge its signature timestamp. RedDriver builds on Microsoft's own Windows Filtering Platform (WFP), functions as a browser-hijacking driver, and relies on utilities such as HookSignTool to bypass Windows driver-signing policies. Cisco Talos outlined these findings in a separate post, explaining how the malicious drivers rely on signature timestamp forging tools such as HookSignTool and another tool, FuckCertVerifyTimeValidity, which has been publicly available since 2018.
In addition to its use by RedDriver, HookSignTool has been used to set the signing date of malicious drivers to a date before July 29, 2015. This lets threat actors sign drivers with old, leaked certificates that have not been revoked, achieving privilege escalation on Windows. Microsoft has since revoked the code-signing certificates that were used to sign and install malicious kernel-mode drivers on compromised systems; those drivers exploited a Windows policy loophole by altering their signing date with open-source tools such as HookSignTool and FuckCertVerifyTimeValidity.
Description last updated: 2024-05-04T23:49:05.081Z