BlackCat ransomware exploits signed Windows Kernel Drivers
Trend Micro has disclosed details about a ransomware attack that used the ALPHV/BlackCat ransomware. The attack employed a sophisticated technique involving signed malicious Windows kernel drivers, enabling the attackers to evade detection and execute their malicious code.
The attackers behind the assault used an upgraded version of malware that had previously been identified by Mandiant, Sophos, and SentinelOne in December 2022. To infiltrate the targeted systems, the attackers attempted to exploit a well-known driver called ktgn.sys, which had been signed using Microsoft signing gateways. This gave them high-level access to the operating system, allowing them to effectively disable defensive products.
Despite having its certificate revoked, the signed ktgn.sys driver continued to run on 64-bit Windows computers. Because the driver could execute without meeting any barriers, it posed a major risk to the targeted systems. The kernel driver also exposed an IOCTL interface, which allowed the malicious tjr.exe user agent to issue instructions with kernel privileges. For security, the tjr.exe user agent ran within a virtual machine and installed the driver, named “ktgn,” into the user’s temporary directory. The driver’s service was set to start as “System,” ensuring that it would be loaded again after a system restart.
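The traits described above (a driver image staged under a temp directory, a service set to start as System, and a signer certificate that has since been revoked but is still honoured by the kernel loader) can all be checked from user mode. The following PowerShell triage script is an added example written for this page, not code from Trend Micro, SecurityAffairs or the analyzed malware; the temp-path patterns, the function names and the finding labels are assumptions chosen for illustration. It builds the signer's certificate chain with an online revocation check, which is exactly the check the kernel does not repeat at driver load time.

```powershell
# Added example (not from the Trend Micro / SecurityAffairs write-up): triage installed kernel
# drivers for the traits described in the article. Run from an elevated PowerShell 5.1+ session;
# the revocation check needs network access to the signer's CRL/OCSP endpoints.

function Resolve-DriverImagePath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Win32_SystemDriver.PathName comes in several spellings; normalize to a Win32 path.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-SignerRevoked {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain with an online revocation check for every certificate in it.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($Cert)
    $status = $chain.ChainStatus | ForEach-Object { $_.Status }
    return [pscustomobject]@{
        Revoked           = [bool]($status -contains 'Revoked')
        RevocationUnknown = [bool]($status -match 'RevocationStatusUnknown|OfflineRevocation')
        ChainStatus       = ($status -join ',')
    }
}

function Get-DriverTriageReport {
    # Assumed heuristic: driver images normally live under %SystemRoot%\System32\drivers,
    # so anything under a Temp or per-user profile path is worth a look.
    param([string[]]$SuspiciousPathPatterns = @('\\Temp\\', '\\AppData\\Local\\', '\\Users\\'))

    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverImagePath $drv.PathName
        if (-not $path) { continue }
        $findings = New-Object System.Collections.Generic.List[string]

        if ($SuspiciousPathPatterns | Where-Object { $path -match $_ }) {
            $findings.Add('image staged under a temp or user-writable path')
        }

        $sigStatus = 'FileMissing'; $signer = $null; $rev = $null
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $sigStatus = $sig.Status.ToString()
            if ($sigStatus -ne 'Valid') { $findings.Add("Authenticode status $sigStatus") }
            if ($sig.SignerCertificate) {
                $signer = $sig.SignerCertificate.Subject
                $rev = Test-SignerRevoked -Cert $sig.SignerCertificate
                if ($rev.Revoked) { $findings.Add('signer certificate is revoked') }
                elseif ($rev.RevocationUnknown) { $findings.Add('revocation status could not be determined') }
            }
        } else {
            $findings.Add('driver image not found on disk')
        }

        # StartMode and State are reported as context: Boot/System start is normal for many
        # legitimate drivers, so it only matters together with the findings above.
        [pscustomobject]@{
            Name        = $drv.Name
            Path        = $path
            StartMode   = $drv.StartMode
            State       = $drv.State
            Signature   = $sigStatus
            Signer      = $signer
            ChainStatus = $(if ($rev) { $rev.ChainStatus } else { '' })
            Findings    = ($findings -join '; ')
        }
    }
}

# Usage: show only drivers with at least one finding.
Get-DriverTriageReport | Where-Object { $_.Findings } | Format-Table Name, StartMode, State, Signature, Findings -AutoSize
```

A driver like the one described here would surface twice in this report: once for its image path under the user's temp directory and once for the revoked signer certificate, even though Get-AuthenticodeSignature alone may still report the file's signature as Valid. The report is a triage aid, not a verdict; a driver with a revoked signer that is already running should be handled through the incident response process rather than simply unloaded.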
The malicious driver used Safengine Protector v184.108.40.206 to obfuscate its code, which made established methods of analyzing and detecting the driver considerably more difficult. According to Mandiant investigations, the use of an upgraded version of this driver also indicated a link between the ransomware gang and the UNC3944/Scattered Spider groups, both of which had previously used a precursor of the same driver in their attacks.
Researchers observed, however, that the driver was still in the development and testing phase, with a poor structure and key functionalities that were not yet operational. Despite these limitations, the threat actors were still able to gain high-privilege access to the Windows operating system and circumvent endpoint protection platforms (EPP) and endpoint detection and response (EDR) systems.
According to the research, because security solutions now provide stronger layers of protection, attackers increasingly turn to the kernel layer or lower levels to ensure that their malicious code runs. As a result, rootkits and related attacks are expected to remain important components of threat actors’ toolkits in the near future.
The sources for this piece include an article in SecurityAffairs.