In a recent report, Trend Micro researchers uncovered a significant incident involving ALPHV/BlackCat ransomware that occurred in February 2023. The attackers behind this operation employed a cunning tactic: they used signed malicious Windows kernel drivers, which allowed them to evade detection. This development highlights the ever-evolving nature of cyber threats and the need for robust cybersecurity measures.

Experts have identified a strong correlation between this ransomware attack and a previous malware variant reported in December 2022 by Mandiant, Sophos, and SentinelOne. The coordinated disclosure by these cybersecurity firms shed light on a new version of the malware.

The attackers attempted to deploy a driver called ktgn.sys, which had been previously analyzed by Mandiant. Remarkably, this driver was signed through Microsoft signing portals, lending the malicious driver a veneer of legitimacy.


By utilizing a Windows kernel driver, the attackers gained elevated privileges within the operating system. This allowed them to terminate any process associated with defense products, effectively disabling critical security measures.

It’s worth noting that despite the revocation of the certificate used to sign the ktgn.sys driver, it can still load on 64-bit Windows systems with enforced signing policies. This persistence poses a significant challenge for security professionals.

The kernel driver employed in the attack exposes an IOCTL (Input and Output Control) interface, enabling the user agent tjr.exe to issue commands with kernel privileges. The analysis conducted by Trend Micro revealed that the user agent drops the kernel driver (ktgn.sys) in the user temporary directory, typically located at C:\%User%\AppData\Local\Temp\Ktgn.sys. Subsequently, the driver is installed as “ktgn” with the start value set to “System,” ensuring it runs upon system restart.
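A hunt for the persistence pattern described above, written here as an added example rather than anything from the Trend Micro report: it scans constructed service records (shaped like HKLM\SYSTEM\CurrentControlSet\Services entries; the names and paths are made up) and flags kernel drivers (Type 1) whose ImagePath points into a user's AppData\Local\Temp, reporting alongside whether the Start value is 1 (SERVICE_SYSTEM_START, shown as "System"). It also goes a step beyond the page by listing any kernel driver loaded from outside System32\drivers for review.

```python
import re

# Service Type / Start values from the Windows service control API
SERVICE_KERNEL_DRIVER = 0x1
SERVICE_SYSTEM_START = 0x1

# <drive>:\Users\<name>\AppData\Local\Temp\... once NT prefixes are stripped
USER_TEMP_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# The normal home of kernel drivers on a Windows install
SYSTEM_DRIVERS_RE = re.compile(
    r"^(?:[a-z]:\\windows|\\systemroot)\\system32\\drivers\\", re.IGNORECASE)

# Constructed sample records shaped like HKLM\SYSTEM\CurrentControlSet\Services\<name>
SAMPLE_SERVICES = [
    {"name": "disk", "Type": 1, "Start": 0,
     "ImagePath": r"\SystemRoot\System32\drivers\disk.sys"},
    {"name": "ktgn", "Type": 1, "Start": 1,
     "ImagePath": r"\??\C:\Users\alice\AppData\Local\Temp\Ktgn.sys"},
    {"name": "Spooler", "Type": 0x10, "Start": 2,
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"name": "oddsvc", "Type": 1, "Start": 3,
     "ImagePath": r"\??\C:\ProgramData\oddsvc.sys"},
]

def normalize_image_path(image_path):
    """Drop the \\??\\ or \\\\?\\ object-namespace prefix and quotes, leaving a Win32 path."""
    path = image_path.strip().strip('"')
    for prefix in ("\\??\\", "\\\\?\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
    return path

def classify_driver_service(service):
    """Return a finding for a kernel-driver service, or None if it looks unremarkable."""
    if service.get("Type") != SERVICE_KERNEL_DRIVER:
        return None  # user-mode services are out of scope for this hunt
    path = normalize_image_path(service.get("ImagePath", ""))
    if USER_TEMP_RE.match(path):
        start = "system start" if service.get("Start") == SERVICE_SYSTEM_START \
            else "start=%s" % service.get("Start")
        return "kernel driver loaded from a user Temp directory (%s)" % start
    if not SYSTEM_DRIVERS_RE.match(path):
        return "kernel driver outside System32\\drivers, review"
    return None

def find_suspicious_drivers(services):
    """Return (service name, reason) pairs for every service that yields a finding."""
    return [(svc["name"], reason) for svc in services
            if (reason := classify_driver_service(svc))]

if __name__ == "__main__":
    for name, reason in find_suspicious_drivers(SAMPLE_SERVICES):
        print(f"{name}: {reason}")
```

On a live host the same records can be pulled from the Services registry key and fed to find_suspicious_drivers in place of the constructed list.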


To evade detection and analysis, the BlackCat ransomware driver is obfuscated using Safengine Protector v2.4.0.0, making static analysis challenging for security researchers. Moreover, the utilization of an updated version of the driver indicates a connection between the ransomware gang and the UNC3944/Scattered Spider groups, who were previously observed using a precursor of the driver, according to Mandiant.

While the driver shows links to these sophisticated threat actors, it is clearly still under development and undergoing testing. Its current structure contains some non-functional components, suggesting ongoing refinement by the attackers.


Indicators of Compromise

SHA