Microsoft tests drivers before assigning them a digital certificate that approves them to be installed by default. Somehow, a driver called Netfilter that redirects traffic to an IP in China and installs a root certificate to the registry managed to make it through that testing without being detected as malware.
Karsten Hahn, a malware analyst at G Data, found the malicious driver and notified Microsoft, "who promptly added malware signatures to Windows Defender and are now conducting an internal investigation." Microsoft also suspended the account that submitted the driver, and is currently going over their previous submissions.
Microsoft's security response center team described the malware's activity as "limited to the gaming sector specifically in China" and explained its purpose: "The actor's goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers."
How did this happen? Right now, nobody knows. Windows users are advised, "There are no actions customers should take other than follow security best practices and deploy Antivirus software such as Windows Defender for Endpoint."
