Organizations in Saudi Arabia, Qatar, Jordan, and the United Arab Emirates have been targeted in attacks involving a malicious Windows kernel driver dubbed "WINTAPIX" since at least May 2020, according to The Hacker News.
The attackers behind the campaign remain unknown, but the malware is likely linked to an Iranian threat actor, according to a report from Fortinet FortiGuard Labs. Researchers said that WinTapix.sys functions as a loader that injects embedded shellcode in order to execute a .NET payload.
The .NET malware has been observed to include proxy functionality on top of a backdoor, allowing command execution, file downloads and uploads, and the relaying of data between two endpoints, the report said.
"Since Iranian threat actors are known to exploit Exchange servers to deploy additional malware, it is also possible that this driver has been employed alongside Exchange attacks. To that point, the compilation time of the drivers is also aligned with times when Iranian threat actors were exploiting Exchange server vulnerabilities," said researchers.