Threat actors leverage kernel drivers in new attacks
Fortinet detailed a campaign using a malicious driver in attacks against organizations in the Middle East, and Trend Micro detailed a driver-based attack by BlackCat ransomware.
Threat actors are leveraging malicious kernel-level drivers in two separate campaigns detailed on Monday by Fortinet and Trend Micro.
Kernel-level threats are considered serious due to the complete access a compromise at that level provides a threat actor. Fortinet's Monday research concerns WinTapix, a driver used primarily in attacks against organizations in the Middle East, and Trend Micro's concerns a campaign conducted by ransomware gang BlackCat, also known as Alphv.
Fortinet researchers Geri Revay and Hossein Jazi said in a blog post that WinTapix.sys was being used as a loader in "targeted attacks against countries in the Middle East." Though no formal attribution was made, the researchers assessed with low confidence based on telemetry that an Iranian threat actor was conducting the attacks.
"We still do not have enough information about how this driver has been distributed and who was behind these operations," the blog post read. "Based on the victimology, we suspect an Iranian threat actor developed this driver. Observed telemetry shows that while this driver has primarily targeted Saudi Arabia, it has also been detected in Jordan, Qatar, and the United Arab Emirates, which are the classic targets of Iranian threat actors."
Revay and Jazi further speculated that Microsoft Exchange servers may have been involved in the campaign as "Iranian threat actors are known to exploit Exchange servers to deploy additional malware." Additionally, the driver was first compiled in May 2020, which the researchers said lines up with when Iranian threat actors were actively exploiting Exchange flaws. However, as the post noted, "the attribution process of this driver is still ongoing."
Jazi told TechTarget Editorial that Fortinet is not currently aware of the verticals being targeted or the aim of the threat actors as research is ongoing, but added that in general, "Iranian APTs are mainly performing cyber espionage operations, especially on targets like Saudi Arabia."
Trend Micro's Monday blog post detailed a ransomware attack the vendor tracked that involved BlackCat ransomware.
The post authors, which included Trend Micro researchers Sherif Magdy and Mohamed Fahmy as well as incident response analysts Bahaa Yamany and Mahmoud Zohdy, said the BlackCat attack lined up with malicious drivers first disclosed simultaneously by Mandiant, Sophos and SentinelOne in December. The vendors reported malicious kernel drivers "being signed through several Microsoft hardware developer accounts."
The post said BlackCat attempted to deploy an old driver, signed through Microsoft and disclosed by Mandiant late last year.
"The attackers tried to deploy the old driver disclosed by Mandiant, which is signed through Microsoft (SHA256: b2f955b3e6107f831ebe67997f8586d4fe9f3e98)," the post read. "Since this driver has already been previously known and detected, the malicious actors deployed another kernel driver signed by a stolen or leaked cross-signing certificate."
The second driver "was used with a separate user client executable in an attempt to control, pause, and kill various processes on the target endpoints related to the security agents deployed on the protected machines." Trend Micro added that 52% of kernel-level payloads are found during the defense evasion phase.
According to the blog post, threat actors will continue to embrace kernel drivers to evade detection from endpoint protection platforms and endpoint detection and response technologies, which offer better defenses to users and organizations. "Because of these added layers of protection, attackers tend to opt for the path of least resistance to get their malicious code running via the kernel layer (or even lower levels)," Trend Micro wrote. "This is why we believe that such threats will not disappear from threat actors' toolkits anytime soon."
Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, said the question of why so many kernel-level threats are used for defense evasion is "like asking why banks are robbed."
"That's where the money is," he said. "The lower the level at which the system is compromised, the more power the attacker has to circumvent access control and auditing. The kernel provides a logical place for threat actors to use to evade detection and maintain control of a system."
Alexander Culafi is a writer, journalist and podcaster based in Boston.