New WinTapix.sys Malware Engages in Multi-Stage Attack Across Middle East

May 23, 2023 | Ravi Lakshmanan | Endpoint security / malware


Since at least May 2020, unknown attackers have been observed leveraging malicious Windows kernel drivers to conduct attacks, presumably targeting the Middle East.

Fortinet FortiGuard Labs, which dubbed the artifact WINTAPIX (WinTapix.sys), said it attributes the malware to Iranian threat actors with low confidence.

“WinTapix.sys is essentially a loader,” security researchers Geri Revay and Hossein Jazi said in a report released Monday. “So its main purpose is to create and execute the next stage of the attack, which is done using shellcode.”

Samples and telemetry data analyzed by Fortinet indicate that the main focus of this campaign is Saudi Arabia, Jordan, Qatar, and the United Arab Emirates. This activity is not associated with any known attackers or groups.

Malicious kernel-mode drivers can be used to subvert or disable security mechanisms and gain greater access to the target host.

Because such drivers run in kernel memory, they can do almost anything, including tampering with critical security mechanisms or executing arbitrary code with the highest privileges on the machine.

In other words, a malicious driver gives the threat actor a stealthy way to penetrate deep into targeted systems, maintain persistence, and execute additional payloads and commands as part of a multi-stage attack.


An important security measure for mitigating malicious drivers is driver signature enforcement, which ensures that only drivers carrying a signature Microsoft trusts can be loaded into the kernel. Microsoft also maintains a vulnerable driver blocklist (driver block rules) that prevents known vulnerable drivers from loading even though they are legitimately signed.

WinTapix.sys, on the other hand, carries an invalid signature, which means the threat actor must first load a legitimate but vulnerable signed driver (the so-called bring-your-own-vulnerable-driver technique) in order to get WINTAPIX into the kernel.


Once WinTapix.sys is loaded into the kernel, it is configured to inject embedded shellcode into a suitable user-mode process, which in turn decrypts and executes an encrypted .NET payload.

WINTAPIX not only embeds shellcode generated with the open source Donut project, but also establishes persistence by modifying the Windows registry so that the driver is loaded even when the machine is booted in Safe Mode.
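The two behaviours described above, an invalidly signed driver that nonetheless ends up running in the kernel, and a registry change that keeps a driver loading in Safe Mode, are both things a responder can check for on a suspect host. The following PowerShell triage script is an added example written for this page; it is not code from the article or from Fortinet's report, and it is not specific to WINTAPIX. It assumes the standard Safe Mode registry layout (HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network, one subkey per service or driver that may load in Safe Mode) and a Windows host with PowerShell 5.1 or later, run from an elevated prompt.

```powershell
# Added example (not from the article or the Fortinet report): triage a Windows
# host for (1) kernel-mode drivers whose Authenticode signature does not verify
# and (2) drivers registered under the SafeBoot keys so that they load in Safe Mode.
# Assumptions: SafeBoot key layout HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\{Minimal,Network}\<name>,
# Win32_SystemDriver exposes every kernel driver service, elevated PowerShell 5.1+.

#Requires -RunAsAdministrator

function Resolve-DriverImagePath {
    param([string]$PathName)
    # Service image paths come in several shapes: \??\C:\..., \SystemRoot\System32\..., or
    # a path relative to the Windows directory such as system32\DRIVERS\foo.sys.
    $p = $PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-UnverifiedKernelDrivers {
    # Every driver service, regardless of state; a running driver with a non-Valid
    # signature means driver signature enforcement was bypassed or disabled.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverImagePath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Service   = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Path      = $path
                Status    = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer    = $sig.SignerCertificate.Subject
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

function Get-SafeBootDriverEntries {
    # Anything listed under SafeBoot\Minimal or SafeBoot\Network is loaded in Safe Mode,
    # which is the persistence trick the article describes.
    foreach ($profile in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$profile"
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $name = $_.PSChildName
            $kind = (Get-ItemProperty -Path $_.PSPath).'(default)'   # usually 'Driver' or 'Service'
            # Cross-reference the matching service key to recover the image path and start type.
            $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Profile   = $profile
                Entry     = $name
                Kind      = $kind
                ImagePath = $svc.ImagePath
                Start     = $svc.Start             # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
            }
        }
    }
}

$unverified = @(Get-UnverifiedKernelDrivers)
$safeBoot   = @(Get-SafeBootDriverEntries)

"== Kernel drivers whose signature does not verify =="
$unverified | Format-Table -AutoSize

"== Entries registered to load in Safe Mode (Minimal / Network) =="
$safeBoot | Format-Table -AutoSize

# The intersection is the highest-priority finding: an unverified driver that has
# also been wired into Safe Mode so it survives a recovery boot.
"== Unverified drivers that are also registered for Safe Mode =="
$safeBoot | Where-Object { $unverified.Service -contains $_.Entry } | Format-Table -AutoSize
```

Two caveats when reading the output. First, the vulnerable driver abused to load the malicious one is, by definition, validly signed, so it will not appear in the first list; that is what Microsoft's vulnerable driver blocklist (and HVCI, where it is enabled) is for, and the Safe Mode list plus recently created driver services are the better hunting ground for it. Second, a handful of in-box entries under SafeBoot\Minimal and \Network are expected on every Windows install, so compare the list against a known-good host of the same build rather than treating every entry as suspicious.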

The .NET malware is equipped with backdoor and proxy functionality: it can execute commands, download and upload files, and act as a proxy that relays data between two communication endpoints.

“Iranian attackers are known to exploit Exchange servers to deploy additional malware, so it’s possible that this driver was used in tandem with Exchange attacks,” the researchers said.

“At that point, the driver compile times also coincided with the time period during which the Iranian attackers were exploiting vulnerabilities in Exchange servers.”

This development follows the observation that the ALPHV (a.k.a. BlackCat or Noberus) ransomware group used malicious signed drivers to undermine security defenses and remain undetected for long periods of time.

According to a report by cybersecurity firm Trend Micro, the driver in question, ktgn.sys, is an updated version of POORTRY signed using a stolen or leaked cross-signed certificate.

POORTRY is the name assigned to a Windows kernel driver responsible for terminating security software. Late last year, it was revealed to have been used by the ransomware gang as well as by a threat actor tracked as UNC3944 (aka Roasted 0ktapus and Scattered Spider).

“Malicious actors willing to seek highly privileged access to Windows operating systems will attempt to counter the increased protection of users and processes by Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) technologies,” Trend Micro said.

“These malicious actors also tend to be well-financed to purchase rootkits from underground sources or purchase code-signing certificates to build them.”
