
Kernel drivers employed by threat actors in recent attacks


Malicious cyber actors have been observed using kernel-level drivers in two separate campaigns, according to reports from cybersecurity firms Fortinet and Trend Micro. Kernel-level threats are among the most severe: code running in the kernel executes with the highest privilege on the system, so a compromise at that level gives the threat actor complete control over the machine, including over the security software that runs there.

Fortinet's research focused on the WinTapix driver, which was used primarily in targeted attacks against organizations in the Middle East. In a blog post, Fortinet researchers Geri Revay and Hossein Jazi assessed with low confidence that an Iranian threat actor was conducting the attacks. While the driver has mostly been detected in Saudi Arabia, it has also been identified in Jordan, Qatar, and the United Arab Emirates, all classic targets of Iranian threat actors. The researchers further speculated that Microsoft Exchange servers may have been involved in the campaign, as Iranian threat actors frequently use compromised Exchange servers to deploy additional malware.

Trend Micro's research, on the other hand, detailed a ransomware attack by the BlackCat group. The post's authors, Trend Micro researchers Sherif Magdy and Mohamed Fahmy and incident response analysts Bahaa Yamany and Mahmoud Zohdy, linked the BlackCat attack to the malicious kernel-level drivers that Sophos, SentinelOne, and Mandiant had disclosed in December 2022. Those firms reported that the drivers had been signed through several Microsoft hardware developer accounts.

The BlackCat group first attempted to deploy an older driver, one already disclosed by Mandiant and signed through Microsoft's hardware developer program. The attackers then deployed a second kernel driver signed with a stolen or leaked cross-signing certificate; according to Trend Micro, its purpose was to control, pause, and kill processes belonging to the security agents running on the targeted machines. Trend Micro added that 52% of the kernel-level payloads it observes appear during the defense evasion phase of an attack.

Fortinet and Trend Micro both stated that attackers turn to kernel-level drivers because they can evade endpoint protection platforms and endpoint detection and response tools, which otherwise give users and organizations strong defenses. They also noted that attackers tend to take the easiest route through multiple layers of protection, which is why threats built on kernel-level drivers will remain in their toolkits for some time to come.
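The practical question for defenders is how a driver load of this kind shows up in telemetry. The script below is an added example, not code from Fortinet, Trend Micro or TechTarget: it triages a few constructed Sysmon Event ID 6 (DriverLoad) records, rendered here in a simplified key="value" form rather than Sysmon's XML, and flags loads whose signature status is not Valid, whose image sits outside the standard driver directories, or whose SHA256 hash is on a local blocklist. The driver paths, signer names, hashes and the blocklist contents are all made up for the example. The caveat it encodes is the one the reports imply: a driver signed through Microsoft's hardware developer program carries a valid signature, so the signature check alone cannot catch it and only the path and hash rules can.

```python
"""Added example (not from Fortinet, Trend Micro or TechTarget): triage of
driver-load telemetry for the kernel-driver evasion pattern described above.

Parses constructed Sysmon Event ID 6 (DriverLoad) records, rendered in a
simplified key="value" form, and flags loads that warrant a look:
  * SignatureStatus other than Valid (expired, revoked, no signature)
  * driver image loaded from outside the standard driver directories
  * SHA256 hash on a local blocklist (values below are made up)
A driver signed via the Microsoft hardware developer program has a valid
signature, so only the path and hash rules can catch it; that context is
appended to any finding such a driver produces.
"""
import re
from dataclasses import dataclass

# Directories legitimate drivers are normally loaded from (lower-cased).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Hypothetical SHA256 blocklist. Constructed value, not a real indicator;
# a real deployment would feed this from Microsoft's vulnerable driver
# blocklist or vendor IOC lists.
BLOCKLIST_SHA256 = {
    "3e9d1c6a0f7b4a2d8c1b5e7f9a0d2c4b6e8f1a3c5d7e9f0b2a4c6d8e0f1a2b3c",
}

WHCP_SIGNER = "Microsoft Windows Hardware Compatibility Publisher"

# Constructed sample events (no real incident data; file names are invented).
SAMPLE_EVENTS = r'''
UtcTime="2023-05-02 10:15:01.123" ImageLoaded="C:\Windows\System32\drivers\disk.sys" Signed="true" Signature="Microsoft Windows" SignatureStatus="Valid" Hashes="SHA256=1111111111111111111111111111111111111111111111111111111111111111"
UtcTime="2023-05-02 10:16:44.901" ImageLoaded="C:\Users\Public\Libraries\update.sys" Signed="true" Signature="Example Cross-Signer Ltd" SignatureStatus="Expired" Hashes="SHA256=2222222222222222222222222222222222222222222222222222222222222222"
UtcTime="2023-05-02 10:17:02.377" ImageLoaded="C:\Windows\System32\drivers\procctl.sys" Signed="true" Signature="Microsoft Windows Hardware Compatibility Publisher" SignatureStatus="Valid" Hashes="SHA256=3e9d1c6a0f7b4a2d8c1b5e7f9a0d2c4b6e8f1a3c5d7e9f0b2a4c6d8e0f1a2b3c"
UtcTime="2023-05-02 10:18:19.005" ImageLoaded="C:\ProgramData\tmp\helper.sys" Signed="false" Signature="" SignatureStatus="Unavailable" Hashes="SHA256=4444444444444444444444444444444444444444444444444444444444444444"
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class DriverLoad:
    time: str
    image: str
    signed: bool
    signer: str
    status: str
    sha256: str


def parse_event(line: str) -> DriverLoad:
    """Turn one key="value" record into a DriverLoad; Hashes is split further."""
    fields = dict(FIELD_RE.findall(line))
    hashes = dict(
        h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h
    )
    return DriverLoad(
        time=fields.get("UtcTime", ""),
        image=fields.get("ImageLoaded", ""),
        signed=fields.get("Signed", "").lower() == "true",
        signer=fields.get("Signature", ""),
        status=fields.get("SignatureStatus", ""),
        sha256=hashes.get("SHA256", "").lower(),
    )


def assess(ev: DriverLoad) -> list[str]:
    """Return the reasons this driver load is suspicious (empty list = clean)."""
    reasons = []
    if not ev.signed or ev.status.lower() != "valid":
        reasons.append(f"signature status {ev.status or 'none'!r}")
    if not ev.image.lower().startswith(TRUSTED_DIRS):
        reasons.append(f"loaded from non-standard path {ev.image}")
    if ev.sha256 in BLOCKLIST_SHA256:
        reasons.append("SHA256 on blocklist")
    # A hardware-program signature is valid by construction: tell the analyst
    # to check who the driver was attested for rather than trusting the signer.
    if reasons and ev.signer == WHCP_SIGNER:
        reasons.append("signed via Microsoft hardware developer program")
    return reasons


def triage(events: str) -> list[tuple[str, list[str]]]:
    """Run assess() over every non-empty record; return (image, reasons) hits."""
    hits = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            hits.append((ev.image, reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("   -", reason)
```

On the constructed input the only record that passes all three rules is the Microsoft-signed disk.sys; the cross-signed driver from a user-writable path, the unsigned driver from ProgramData, and the hardware-program-signed driver whose hash is blocklisted are all surfaced. The last case is the important one: its signature is valid, so a detection that stops at "is it signed?" would wave it through.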

Neither Fortinet nor Trend Micro had responded to requests for comment from TechTarget Editorial at the time of publication. The two campaigns show threats continuing to evolve and grow more complex, underlining the need for organizations to stay vigilant and invest in proactive security measures.
