Malware

BlackCat Ransomware affiliate uses signed kernel driver to evade detection

Experts spotted the ALPHV/BlackCat ransomware group using signed malicious Windows kernel drivers to evade detection.

Trend Micro researchers shared details about ALPHV/BlackCat ransomware incident that took place on February 2023. A BlackCat affiliate employed signed malicious Windows kernel drivers to evade detection.

Experts believe the driver is a new version of the malware reported in December 2022 by MandiantSophos and Sentinel One, via a coordinated disclosure.

The attackers attempted to deploy the driver (ktgn.sys) previously analyzed by Mandiant, which is signed through Microsoft signing portals.

The use of a Windows kernel driver, which runs with the highest privileges in the OS, allows attackers to kill any process associated with defense products.

The researchers pointed out that even if the certificate that was used to sign the ktgn.sys driver has been revoked, the driver will still load on 64-bit Windows systems with enforced signing policies.

The kernel driver employed in the attack exposes an IOCTL interface that allows the user Agent tjr.exe to issue commands that the driver will execute with kernel privileges.

“The User Agent tjr.exe, which is protected via a virtual machine, drops the kernel driver to the user temporary directory C:\%User%\AppData\Local\Temp\Ktgn.sys. It then installs the dropped driver with the name ktgn and the start value = System (to start when the system restarts).” reads the analysis from Trend Micro. “From our analysis of what occurs when a user interfaces with this driver, we observed that it only uses one of the exposed Device Input and Output Control (IOCTL) code — Kill Process, which is used to kill security agent processes installed on the system.”

This client supports ten different commands that can be sent to the kernel driver through the IOCTL interface:

IOCTL CodeDescription
222088hActivate Driver
22208ChDeactivate Driver
222094hKill Process
222184hDelete File
222188hForce Delete File
22218ChCopy File
222190hForce Copy File
2221C8hRegister Process/Thread Object notification
2221C4hUnregister Process/Thread Object notification
222264hReboot the system

The driver is obfuscated using Safengine Protector v2.4.0.0 tool to prevent static analysis.

The use of an updated version of the driver also demonstrates a link between the ransomware gang and the UNC3944/Scattered Spider groups that was spotted using a predecessor of the driver by Mandiant.

The experts noticed that the driver is still under development and testing since it is not structured well and some of its functions currently are not working.

“Malicious actors that are actively seeking high-privilege access to the Windows operating system use techniques that attempt to combat the increased protection on users and processes via endpoint protection platform (EPP) and endpoint detection and response (EDR) technologies. Because of these added layers of protection, attackers tend to opt for the path of least resistance to get their malicious code running via the kernel layer (or even lower levels). This is why we believe that such threats will not disappear from threat actors’ toolkits anytime soon.” concludes the report. “Malicious actors will continue to use rootkits to hide malicious code from security tools, impair defenses, and fly under the radar for long periods.”

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Blackcat ransomware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

PoC exploit for critical RCE flaw in Fortra FileCatalyst transfer tool released

Fortra addressed a critical remote code execution vulnerability impacting its FileCatalyst file transfer product. Fortra has released…

9 hours ago

Fujitsu suffered a malware attack and probably a data breach

Technology giant Fujitsu announced it had suffered a cyberattack that may have resulted in the…

11 hours ago

Remove WordPress miniOrange plugins, a critical flaw can allow site takeover

A critical vulnerability in WordPress miniOrange's Malware Scanner and Web Application Firewall plugins can allow…

17 hours ago

The Aviation and Aerospace Sectors Face Skyrocketing Cyber Threats

Resecurity reported about the increasing wave of cyber incidents targeting the aerospace and aviation sectors.…

19 hours ago

Email accounts of the International Monetary Fund compromised

Threat actors compromised at least 11 International Monetary Fund (IMF) email accounts earlier this year,…

22 hours ago

Threat actors leaked 70,000,000+ records allegedly stolen from AT&T

Researchers at vx-underground first noticed that more than 70,000,000 records from AT&T were leaked on…

2 days ago

This website uses cookies.