This is not the first time that such an incident has taken place. Netfilter was discovered and reported on the G Data Blog in June of this year with a Microsoft-issued digital signature from March. Netfilter was reported to be communicating with Chinese servers.
As of Windows 10 v1607 all drivers are required to be digitally signed before they can be installed. According to Bitdefender, components of this new malware started appearing in late 2020, but detections only rose to prominence in the past couple of months.
The report states that "FiveSys is very similar in nature to the Undead malware described in this report [in Chinese] a few years ago. The attackers seem to originate from China and target several domestic games. We can confidently attribute this campaign to several threat actors, as their tools share the same functionality but are vastly different in implementation."
Further, the report makes very clear that one of the primary tasks of the malware, once installed, is to disrupt the operation of any other: "Rootkit creators commonly employ the practice of blocking competing malware via a signature blacklist of stolen certificates used by other malware." This software does exactly that.
Bitdefender quickly reported the malware to Microsoft and the certificate was revoked soon after.
We are interested to understand how this driver was given a Microsoft digital signature (by Microsoft) and how they propose to improve the security of the process. The company has been contacted for a response.
The full Bitdefender report is available here for further reading.