+ malicious network driver

From ema
Jump to navigation Jump to search
EMA ID: ema-1029
Description: Malicious network drivers can be installed on several machines on a network via an exploited server with high uptime. Once the drivers are installed on the host machines, they can re-infect the server if it is restarted, can infect other machines on the network, and can redirect traffic on the network as they please.

These drivers can tunnel traffic from the outside into the network, allowing the attackers to access remote desktop sessions or to connect to servers inside the domain by using previously acquired credentials. Using the credentials, they can re-deploy the entire platform following a massive shutdown or power loss The malware persists on machines connected to the network even after reboot. Once the machine connects to the server, the malware repopulates itself on the server. This, in turn, infects the remaining machines on the network.

The malware exploits a zero-day kernel-level vulnerability in Microsoft's Win32k TrueType-Font.

Associated Capabilities/Subcapabilities: Capability.png Persistence

Associated With + malicious network driver
No results