A forum for reverse engineering, OS internals and malware analysis 

 #27972  by Blaze
 Tue Mar 01, 2016 12:43 pm
Derusbi for 64-bit Linux.

https://www.fidelissecurity.com/sites/d ... 283%29.pdf (PDF)
In the summer of 2015, Fidelis Cybersecurity had the opportunity to analyze a Derusbi malware sample used as part
of a campaign we’ve labeled Turbo, for the associated kernel module that was deployed. Derusbi has been widely
covered and associated with Chinese threat actors. This malware has been reported to have been used in high
profile breaches like the ones at Wellpoint/Anthem, VAE Inc, USIS and Mitsubishi Heavy Industries. Every one of these
campaigns involved a Windows version of Derusbi.
 #27991  by sww
 Thu Mar 03, 2016 12:03 pm
Looking for Linux KM sample [will not share, if you want]. PM me. Thanks in advance!