Hooksigntool

Malware Profile Updated 24 days ago
HookSignTool is a driver-signature forging tool: it alters the signing date recorded on a driver during the signing process by hooking the Windows API and manually patching the import table of a legitimate code-signing tool. It has been publicly available on GitHub since January 7, 2020. It has been used to re-sign cracked drivers so that they pass digital rights management (DRM) integrity checks; one recorded instance dates from November 9, 2022, when an actor named "Juno_Jr" released a cracked version of PrimoCache, a legitimate software caching solution, on a Chinese software cracking forum.

The tool has also been used by a previously undocumented driver known as RedDriver to forge its signature timestamp. RedDriver is a browser-hijacking driver built on Microsoft's own Windows Filtering Platform (WFP), and it relies on utilities such as HookSignTool to bypass Windows driver-signing policies. Cisco Talos outlined these findings in a separate post, explaining how the malicious drivers leverage signature-timestamp forging software such as HookSignTool and another tool, FuckCertVerifyTimeValidity, which has been publicly available since 2018.

Beyond its use by RedDriver, HookSignTool has been used to backdate the signing date of malicious drivers to before July 29th, 2015. This matters because Windows policy exempts drivers signed before that date from its newer signing requirements, so threat actors can sign drivers with old, leaked certificates that have not been revoked and thereby achieve privilege escalation on Windows. Redmond has since revoked the code-signing certificates used to sign and install malicious kernel-mode drivers on compromised systems, which exploited this Windows policy loophole to alter driver signing dates using open-source tools like HookSignTool and FuckCertVerifyTimeValidity.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Windows
Source Document References
Information about the Hooksigntool malware was read from the document corpus below.
- CERT-EU (a year ago): Old certificate, new signature: Open-source tools forge signature timestamps on Windows drivers
- CERT-EU (a year ago): Hackers Exploit Windows Policy Loophole to Forge Kernel-Mode Driver Signatures
- CERT-EU (a year ago): Windows Policy Loophole Let Hackers to Install Malicious Kernel Mode Drivers
- DARKReading (a year ago): Hackers Exploit Policy Loophole in Windows Kernel Drivers
- CERT-EU (10 months ago): RedDriver never BSOD'd, perhaps a thing even AMD, Nvidia, Microsoft, or Intel can't brag
- CERT-EU (a year ago): Microsoft Releases Patches for 132 Vulnerabilities, Including 6 Under Active Attack
- Krebs on Security (a year ago): Apple & Microsoft Patch Tuesday, July 2023 Edition