A previously unidentified threat actor is currently employing a malicious Windows kernel driver in targeted attacks, focusing on the Middle East region since May 2020. The malware, known as WINTAPIX (WinTapix.sys), has been tentatively attributed to an Iranian threat actor by Fortinet Fortiguard Labs.
According to security researchers Geri Revay and Hossein Jazi, who published a report on the subject, WinTapix.sys functions as a loader with the primary objective of generating and executing the next stage of the attack using shellcode.
Analysis of samples and telemetry data by Fortinet reveals that the campaign primarily targets Saudi Arabia, Jordan, Qatar, and the United Arab Emirates. There is no known identity of the responsible threat actor or group yet.
Utilizing a malicious kernel mode driver, the attacker aims to undermine or disable security mechanisms and gain persistent access to the targeted host.
These drivers operate within the kernel memory, granting them extensive privileges to perform various operations, including modifying critical security mechanisms and running arbitrary code.
Essentially, they provide a covert means to penetrate deeper into the compromised system, maintain persistence, and carry out additional payloads.
A crucial security measure to mitigate the risks posed by malicious drivers is “Driver Signature Enforcement,” which ensures only Microsoft-signed drivers are loadable onto the system. Microsoft also maintains driver block rules to safeguard against known vulnerable drivers.
WinTapix.sys, however, possesses an invalid signature, indicating the threat actor must first load a legitimate but vulnerable driver to initiate the WINTAPIX attack. Once loaded into the kernel, WinTapix.sys injects an embedded shellcode into an appropriate user mode process, which executes an encrypted .NET payload.
Furthermore, WINTAPIX establishes persistence through modifications to the Windows Registry, enabling it to load even when the system boots in Safe Mode.
The .NET malware accompanying WINTAPIX features backdoor and proxy capabilities, allowing the threat actor to execute commands, perform file downloads and uploads, and act as a proxy for data transmission between two endpoints.
The researchers note that Iranian threat actors have a history of exploiting Exchange servers to deploy additional malware, suggesting a potential connection between this driver and Exchange attacks. Additionally, the compilation time of the drivers coincides with periods when Iranian threat actors exploit Exchange server vulnerabilities.
This development emerges as the ALPHV ransomware group (BlackCat or Noberus) has recently utilized a malicious signed driver to evade detection and disable security defences for extended durations.
The driver, “ktgn.sys,” represents an updated version of POORTRY and is signed using a stolen or leaked cross-signing certificate, as highlighted by Trend Micro (A cybersecurity firm).
POORTRY is a Windows kernel driver previously associated with terminating security software. Last year, reports showed that ransomware groups and a threat actor known as UNC3944 (Roasted 0ktapus and Scattered Spider) employed POORTRY.
Trend Micro emphasized that malicious actors seeking high-privilege access to the Windows operating system employ techniques to counter enhanced protection provided by endpoint protection platform (EPP) and endpoint detection and response (EDR) technologies.
These threat actors often possess sufficient financial resources to acquire rootkits from underground sources or purchase code-signing certificates for developing rootkits.
