The BlackCat ransomware group has been observed using a malicious Windows kernel driver, signed by a stolen or leaked cross-signing certificate, in order to hide from security tools and fly under the radar.
The group’s use of malicious drivers, observed in a February incident, overlaps with activity that researchers identified late last year, in which several threat actors used kernel drivers signed through Microsoft hardware developer accounts. The malicious driver toolkits used in those earlier attacks included functionality for terminating EDR and anti-malware processes running on targeted devices.
“The February 2023 ransomware incident we observed proves that ransomware operators and their affiliates have a high level of interest in gaining privileged-level access for the ransomware payloads they use in their attacks,” said researchers with Trend Micro in a Monday analysis. “They normally use ransomware families that incorporate low-level components to avoid detection from security products once the final payloads are dropped.”
In the earlier activity publicized by researchers in December, threat actors affiliated with the Hive and Cuba ransomware strains, as well as the financially motivated threat actor UNC3944, deployed malicious Windows drivers post-exploitation that had been signed by a legitimate Microsoft developer certificate. In response to the discovery of this activity, Microsoft issued a Windows update in December that revoked the certificate used to sign the driver and also implemented blocking rules to prevent the malicious signed drivers from running.
According to Trend Micro researchers in their Monday analysis, the BlackCat actors first tried to deploy an older Microsoft-signed driver (named comkj.sys and signed through the WHQL portal); because it had previously been detected, it was blocked. The actors then deployed several other, previously unknown cross-signed kernel drivers that researchers believe are variants of this earlier driver, before finally dropping the ransomware payload on the victim system.
“We believe that this new kernel driver is an updated version that inherited the main functionality from the samples disclosed in previous research,” said researchers. “The driver was used with a separate user client executable in an attempt to control, pause, and kill various processes on the target endpoints related to the security agents deployed on the protected machines.”
There are several different ways that ransomware actors can attempt to comply with Microsoft’s code-signing requirements. Many times, actors use an existing code-signing certificate that has been leaked, stolen or bought from an underground marketplace. They can also obtain a new certificate, either through Microsoft’s approval process by impersonating a legitimate entity or by abusing Microsoft’s portal for issuing the signed kernel modules.
BlackCat, for its part, used kernel drivers signed via a stolen or leaked certificate. One of the drivers used, called ktgn.sys, was signed using a valid digital signature from “BopSoft” and “YI ZENG.” Researchers said “BopSoft” has previously been used by other threat actors for code signing, and both signers are part of a larger malicious underground signing service. The digital signatures have since been revoked by their issuers, Thawte and VeriSign, said researchers.
Using these valid code signatures, threat actors can compile kernel modules for specific tasks such as defense evasion before dropping the final payload. For BlackCat, one of the most active ransomware actors last month, this tactic fits with the other defense evasion techniques it has used, such as running in diagnostic Safe Mode to fly under the radar.
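The practical lesson of the ktgn.sys case is that a kernel driver can carry a signature that verifies as valid and still be an attacker tool, so a signature check alone is not a detection. The triage routine below is an added example and is not code from Trend Micro or from this report: it reads driver-load records modelled on the fields of Sysmon Event ID 6 (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) and flags a load when the signature did not verify, when the signer name matches a watchlist of signers the article reports as abused, when the file hash is on a blocklist (standing in for Microsoft’s driver block rules), or when the driver was loaded from outside the usual driver directories. The pipe-separated record format, the file paths, the hash values and the SignatureStatus strings are constructed for the example; real Sysmon exports differ by version.

```python
"""Triage driver-load telemetry for signed-but-suspect kernel drivers.

Added example, not part of the Trend Micro research. Records are constructed
in the shape of Sysmon Event ID 6 (Driver loaded) fields, flattened to
'key=value' pairs separated by '|'; a real pipeline would read them from the
event log or a SIEM.
"""
from dataclasses import dataclass
from typing import List, Optional
import ntpath  # handles backslash paths on any host OS

# Signer names the article reports as abused for malicious drivers. A match is
# a triage signal, not proof of malice: legitimate software can share a name.
WATCHLIST_SIGNERS = {"bopsoft", "yi zeng"}

# Directories a kernel driver is normally loaded from; a driver loaded from
# anywhere else is worth a look regardless of its signature status.
EXPECTED_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)

# Constructed sample records (paths, hashes and status strings are placeholders).
SAMPLE_EVENTS = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\disk.sys|Hashes=SHA256=1111|"
    "Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    "ImageLoaded=C:\\Users\\Public\\ktgn.sys|Hashes=SHA256=2222|"
    "Signed=true|Signature=BopSoft|SignatureStatus=Valid",
    "ImageLoaded=C:\\ProgramData\\comkj.sys|Hashes=SHA256=3333|"
    "Signed=true|Signature=Contoso Ltd|SignatureStatus=Revoked",
    "ImageLoaded=C:\\Windows\\System32\\drivers\\vendor.sys|Hashes=SHA256=4444|"
    "Signed=true|Signature=Contoso Ltd|SignatureStatus=Valid",
]


@dataclass
class DriverLoad:
    image: str
    signed: bool
    signer: str
    status: str
    sha256: str


@dataclass
class Finding:
    image: str
    reasons: List[str]


def parse_event(line: str) -> DriverLoad:
    """Split one flattened record into a DriverLoad."""
    fields = {}
    for kv in line.split("|"):
        key, _, value = kv.partition("=")
        fields[key.strip()] = value.strip()
    # Hashes is itself 'ALG=value,ALG=value'; keep only SHA256.
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        signed=fields.get("Signed", "false").lower() == "true",
        signer=fields.get("Signature", ""),
        status=fields.get("SignatureStatus", ""),
        sha256=hashes.get("SHA256", "").lower(),
    )


def triage(load: DriverLoad, revoked_sha256=frozenset()) -> Optional[Finding]:
    """Return a Finding listing every reason the load is suspect, or None."""
    blocklist = {h.lower() for h in revoked_sha256}
    reasons = []
    if not load.signed:
        reasons.append("unsigned kernel driver")
    elif load.status.lower() != "valid":
        reasons.append(f"signature status is {load.status}, not Valid")
    if load.signer.lower() in WATCHLIST_SIGNERS:
        reasons.append(f"signer '{load.signer}' is on the abused-signer watchlist")
    if load.sha256 and load.sha256 in blocklist:
        reasons.append("sha256 on driver blocklist")
    if not load.image.lower().startswith(EXPECTED_DIRS):
        reasons.append(f"loaded from unexpected directory {ntpath.dirname(load.image)}")
    return Finding(load.image, reasons) if reasons else None


def triage_all(lines, revoked_sha256=frozenset()) -> List[Finding]:
    """Parse and triage every record, keeping only the suspect loads."""
    findings = []
    for line in lines:
        finding = triage(parse_event(line), revoked_sha256)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # '4444' plays the role of a hash Microsoft's block rules would deny.
    for f in triage_all(SAMPLE_EVENTS, revoked_sha256={"4444"}):
        print(f.image)
        for r in f.reasons:
            print("   -", r)
```

Two of the four sample loads carry a signature that verifies, yet three of them are flagged: ktgn.sys on signer name and load path, comkj.sys on a non-valid status and load path, and vendor.sys on its hash alone. Note that telemetry recorded before a certificate was revoked will keep saying Valid, which is why the watchlist and hash checks run independently of the status check.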
Overall, researchers said that malicious kernel drivers will continue to be used by sophisticated groups that have the skills and resources needed to develop such tools, such as reverse engineering low-level system components. This week, for instance, Fortinet researchers warned of a new kernel driver called Wintapix that was being used by Iranian threat actors in targeted attacks against the Middle East.
“These malicious actors also tend to possess enough financial resources to either purchase rootkits from underground sources or to buy code-signing certificates to build a rootkit,” said Trend Micro researchers. “This means that the main danger involving these kinds of rootkits lies in their ability to hide complex targeted attacks that will be used early in the kill chain, allowing an attacker to impair defenses before the actual payloads are launched in victim environments.”