A new kernel driver was discovered from a February 2023 BlackCat ransomware incident that leverages a separate user client executable as a way to control, pause and kill various processes on target endpoints of security agents deployed on protected computers.
In a May 22 blog post, Trend Micro researchers said they believe that the new kernel driver was an updated version that inherited the main functionality from samples disclosed in previous research in December 2022 by Mandiant, Sophos, and Sentinel One.
The three companies published a coordinated disclosure that malicious kernel drivers were being signed through several Microsoft hardware developer accounts. The joint researchers said these profiles had been used in a number of cyberattacks that included ransomware incidents. Microsoft subsequently revoked several Microsoft hardware developer accounts that were abused in these attacks.
Trend Micro’s researchers explained that malicious actors use different approaches to sign their malicious kernel drivers. In this case, the attackers tried to deploy the old driver disclosed by Mandiant, but because this driver had already been known and detected, the threat actors deployed another kernel driver signed by a stolen or leaked cross-signing certificate. The kernel driver typically gets used during the evasion phase, say the Trend researchers.
The recent activity of the BlackCat ransomware group signals a disturbing escalation in the cyber threat landscape, said Craig Jones, vice president of security operations at Ontinue. Jones said by exploiting signed kernel drivers, this raises the stakes in an ongoing high-stakes game of "digital cat and mouse" between cyber criminals and those tasked with thwarting their attempts.
“One of the intriguing aspects of this incident is the fact that the ransomware operators are using malicious kernel drivers signed through Microsoft's portals or using stolen certificates,” said Jones. “This offers them privileged-level access to the systems they attack and lets them bypass security protocols. It also indicates a high level of sophistication and a solid understanding of Windows system operations. They are essentially used to manipulate and control processes on the target systems, which includes disabling security measures, deleting files, and even forcing a system restart.”
Murali Palanisamy, chief solutions officer at AppViewX, said this situation underscores the critical importance of securing code-signing certificates and implementing robust processes to secure and control the code signed using these certificates. As noted in the research, Palanisamy said the methods they used highlight a new capability by these threat actors using a signed kernel driver for evasion. Companies need to leverage security tools and best practices such as central secure key and distributed code signing service with processes and controls in place to protect and validate the signed code.
“Manual processes or distributing the code-signing keys and certificates to different parties increases the potential for threat actors to exploit the keys," said Palanisamy. “Any compromise by one company can potentially affect any or all of its customers, further underscoring the need to focus on certificates and keys. And this issue further gets compounded by Google’s proposed reduction from 13 months to 90 days validity for public TLS certificates.”
Callie Guenther, cyber threat research senior manager at Critical Start, said this new research offers valuable insights into the evolving techniques used by ransomware operators and emphasizes the importance of collaboration, monitoring, and proactive security measures to mitigate the risks associated with malicious kernel drivers and defense evasion techniques.
Guenther said Microsoft's response to the reported abuse of its hardware developer accounts by revoking the compromised accounts was a crucial step to prevent further misuse, but does not address the root issue by detecting the behavior sequences that led to the abuse.
“This vendor action is typical and expected, but demonstrates the need for proactive measures to address security vulnerabilities in the signing process," said Guenther. "Also, the observations and findings described in the report are not exclusive to the BlackCat ransomware group. The techniques and trends discussed, such as the use of signed kernel drivers, abuse of signing portals, and the purchase or theft of certificates, can be employed by various threat actors across the cybersecurity landscape."