Sophos has discovered malicious code in multiple drivers signed by legitimate digital certificates.
In its latest report, “Signed Driver Malware Climbs the Software Trust Chain,” Sophos details an attempted ransomware attack in which the attackers used malicious drivers signed with Microsoft’s legitimate Windows Hardware Compatibility Publisher digital certificate.
According to the researchers, the malicious driver was designed specifically to target processes used by major endpoint detection and response (EDR) software packages, was installed by known malware, and has been linked to threat actors associated with the Cuba ransomware, which has targeted over 100 companies worldwide in the past year.
The report highlights the success of Sophos Rapid Response in thwarting the attack, and the investigation led to a comprehensive collaboration between Sophos and Microsoft to take action and address the threat.
Drivers can perform highly privileged operations on the system. For example, kernel-mode drivers can terminate many types of software, including security software.
Controlling which drivers can be loaded is one way to protect computers from this attack vector, Sophos said. Windows requires a driver to carry a cryptographic signature, a stamp of approval, before allowing it to load. However, not all digital certificates used to sign drivers are equally trusted.
Some digital signing certificates have been stolen, leaked to the internet, and later abused to sign malware. Still other certificates have been purchased and used by publishers of malicious and potentially unwanted application (PUA) software.
A Sophos study of malicious drivers used to thwart endpoint security tools during ransomware attacks found that attackers were deliberately moving from less widely trusted to more widely trusted digital certificates.
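One defensive starting point for the driver-loading control described above is simply knowing what is running and who signed it. The script below is an added example, not Sophos’s tooling or code from the report: it inventories running kernel drivers, records signer and signature status, re-checks the signing certificate for revocation (the page’s point about leaked-then-revoked certificates), and flags anything unsigned, invalid, revoked, or signed by someone outside a constructed list of expected signers. It assumes an elevated PowerShell session on Windows with internet access for revocation checks.

```powershell
# Added example (not Sophos's tooling or code from the report): inventory the kernel
# drivers currently running, record who signed each one, and flag drivers that are
# unsigned, fail verification, chain to a revoked certificate, or are signed by anyone
# outside a small set of expected signers. Run from an elevated PowerShell session.
# The signer patterns are a constructed starting point, not a vetted allowlist.
$ExpectedSignerPatterns = @(
    'Microsoft Windows',                                  # inbox, catalog-signed OS drivers
    'Microsoft Windows Hardware Compatibility Publisher'  # WHCP-signed third-party drivers
)

function Test-SignerRevoked {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Get-AuthenticodeSignature alone does not say whether the signing certificate has
    # since been revoked, so build the chain again with online revocation checking.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($Cert)
    return [bool]($chain.ChainStatus | Where-Object { $_.Status -match 'Revoked' })
}

function Get-DriverSignatureReport {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the NT-style paths that some entries carry
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $cert = if ($sig) { $sig.SignerCertificate } else { $null }
            $subject = if ($cert) { $cert.Subject } else { '<unsigned>' }
            $expected = [bool]($ExpectedSignerPatterns | Where-Object { $subject -like "*$_*" })
            $revoked  = if ($cert) { Test-SignerRevoked $cert } else { $false }
            [pscustomobject]@{
                Driver     = $_.Name
                Path       = $path
                Status     = if ($sig) { $sig.Status } else { 'NotChecked' }
                SigType    = if ($sig) { $sig.SignatureType } else { 'n/a' }
                Signer     = $subject
                Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
                Revoked    = $revoked
                # Review anything unsigned, invalid, revoked, or from an unexpected signer
                NeedsReview = (-not $sig) -or ($sig.Status -ne 'Valid') -or $revoked -or (-not $expected)
            }
        }
}

Get-DriverSignatureReport | Where-Object NeedsReview |
    Sort-Object Signer | Format-Table Driver, Status, SigType, Revoked, Signer -AutoSize
```

Note that a malicious driver carrying a valid WHCP signature, as in the attack the report describes, passes every check here, which is exactly the page’s point: treat this output as a baseline to diff over time and compare the recorded thumbprints against Microsoft’s advisory and your vendors’ published signer details, rather than as proof that a driver is benign.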
Christopher Budd, senior manager of threat research at Sophos, said that in total the team found 10 malicious drivers, all of which are variants of the initial discovery. These drivers show a concerted effort to move up the chain of trust, with the oldest one dating back at least to July.
“The oldest one found so far was signed by a certificate from an unknown Chinese company. They then moved on to signing drivers with a valid, leaked and revoked NVIDIA certificate, and succeeded.
“Currently, they are using certificates from Microsoft, one of the most trusted authorities in the Windows ecosystem. Think of it like corporate security: they can get into the building without question and do whatever they want.”
A closer look at the executables used in the attempted ransomware attacks revealed that the malicious signed driver was downloaded to the target system by a variant of the BURNTCIGAR loader, known malware associated with the Cuba ransomware group.
Once the loader has downloaded the driver to the system, the driver waits for any of 186 program filenames commonly used by major endpoint security and EDR software packages to start, then attempts to terminate those processes. If it succeeds, the attackers can deploy ransomware.
Budd said the most common technique, recently seen with BlackByte and known as bring your own driver, involves attackers exploiting existing vulnerabilities in legitimate drivers.
“It is much more difficult to write a malicious driver from scratch and get it signed by a legitimate authority. Virtually all EDR software is vulnerable to this particular driver, but fortunately the additional anti-tampering features from Sophos were able to stop the ransomware attack.
“The security community needs to be made aware of this threat so that additional security measures, such as looking through the glass, can be implemented where necessary. Additionally, we may see other attackers try to emulate this type of attack.”
Upon discovering this driver, Sophos immediately alerted Microsoft and the two companies worked together to resolve the issue. Microsoft has published information in a Security Advisory and will provide more information as part of Patch Tuesday.