BlackCat exploits Windows Kernel Drivers to avoid detection
In a recent report, Trend Micro researchers detailed an ALPHV/BlackCat ransomware incident that occurred in February 2023. The attackers used a signed malicious Windows kernel driver to evade detection: because the driver carried a signature Windows trusts, it loaded on systems that enforce driver signing and gave the operators code execution in the kernel. The case is a reminder that a valid signature says who vouched for a binary, not that the binary is benign.
Trend Micro links this attack to a malicious driver disclosed in December 2022 in a coordinated publication by Mandiant, Sophos, and SentinelOne; the sample seen in February is a newer version of that malware.
The attackers attempted to deploy a driver named ktgn.sys, which Mandiant had analyzed earlier. Notably, the driver was signed through Microsoft signing portals, so Windows treated it as trusted code rather than as an unsigned binary it would refuse to load.
A kernel driver runs at the highest privilege level in the operating system. From there the attackers could terminate the processes of security products, including protected processes that user-mode code cannot kill even as an administrator, and so disable endpoint defenses before deploying the ransomware.
It is worth noting that although the certificate used to sign ktgn.sys has been revoked, the driver still loads on 64-bit Windows systems with signing enforcement turned on. Windows does not consult certificate revocation when enforcing kernel-mode code signing, so revocation alone does not stop a driver that was already signed; blocking it requires its hash or signer to be covered by a WDAC policy or Microsoft's vulnerable driver blocklist. This is a significant challenge for defenders.
The kernel driver exposes an IOCTL (I/O control) interface through which the user-mode agent tjr.exe issues commands that the driver carries out with kernel privileges. Trend Micro's analysis shows that the user agent drops the driver (ktgn.sys) into the user's temporary directory, typically C:\%User%\AppData\Local\Temp\Ktgn.sys, and then installs it as a service named "ktgn" with the start value set to "System", so the kernel loads it at every boot.
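The installation pattern described above (a kernel driver registered as a service whose image sits in a per-user Temp directory, with a Boot or System start type) is something a defender can hunt for directly in the Services registry hive. The following script is an added example written for this page, not code from Trend Micro or from the malware; the service names, paths and records in SAMPLE_SERVICES are constructed, and the two heuristics are the author's, not Trend Micro's detection logic. On a Windows host it reads HKLM\SYSTEM\CurrentControlSet\Services with the standard-library winreg module; elsewhere it falls back to the constructed records so it runs offline.

```python
"""Hunt for kernel-driver services registered the way ktgn.sys was: an image
dropped in a user Temp directory and a start type that loads it at boot."""
import re

SERVICE_KERNEL_DRIVER = 0x1   # registry Type value for a kernel-mode driver
SERVICE_BOOT_START = 0        # Start=0 ("Boot")
SERVICE_SYSTEM_START = 1      # Start=1 ("System"): loaded by the kernel before any logon

# A path under a per-user Temp directory is user-writable and never a legitimate
# home for a kernel driver, whatever the drive letter or profile layout.
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Locations where Windows itself installs drivers (assumption: typical layout).
WINDOWS_DRIVER_PREFIXES = (
    "system32\\", "\\systemroot\\", "%systemroot%\\", "c:\\windows\\")


def normalize_image_path(image_path):
    """Strip quoting and NT object-manager prefixes (\\??\\ and \\\\?\\)."""
    path = image_path.strip().strip('"')
    for prefix in ("\\??\\", "\\\\?\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
    return path


def suspicious_reasons(record):
    """Return why a service record looks like a user-dropped driver ([] if it does not)."""
    if record.get("Type") != SERVICE_KERNEL_DRIVER:
        return []                      # only kernel drivers are of interest here
    path = normalize_image_path(record.get("ImagePath", ""))
    reasons = []
    if USER_TEMP_RE.search(path):
        reasons.append("kernel driver image lives in a user Temp directory")
    early_start = record.get("Start") in (SERVICE_BOOT_START, SERVICE_SYSTEM_START)
    if early_start and not path.lower().startswith(WINDOWS_DRIVER_PREFIXES):
        reasons.append("boot/system-start driver loaded from outside the Windows directory")
    return reasons


def hunt(records):
    """Map service name -> reasons for every record that raises at least one flag."""
    flagged = {}
    for record in records:
        reasons = suspicious_reasons(record)
        if reasons:
            flagged[record["Name"]] = reasons
    return flagged


def collect_services_from_registry():
    """Read Type/Start/ImagePath for every service on a live Windows host.
    Returns [] on non-Windows hosts so the script still runs offline."""
    try:
        import winreg
    except ImportError:
        return []
    records = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            rec = {"Name": name}
            try:
                with winreg.OpenKey(root, name) as key:
                    for value in ("Type", "Start", "ImagePath"):
                        try:
                            rec[value] = winreg.QueryValueEx(key, value)[0]
                        except OSError:
                            pass       # value absent for this service
            except OSError:
                continue               # subkey not readable
            records.append(rec)
    return records


# Constructed sample records in the shape winreg returns (not real host data).
SAMPLE_SERVICES = [
    {"Name": "ktgn", "Type": 1, "Start": 1,
     "ImagePath": "\\??\\C:\\Users\\alice\\AppData\\Local\\Temp\\Ktgn.sys"},
    {"Name": "disk", "Type": 1, "Start": 0,
     "ImagePath": "System32\\drivers\\disk.sys"},
    {"Name": "vendorfilt", "Type": 1, "Start": 3,
     "ImagePath": "\\SystemRoot\\System32\\drivers\\vendorfilt.sys"},
    {"Name": "Spooler", "Type": 16, "Start": 2,
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
]

if __name__ == "__main__":
    records = collect_services_from_registry() or SAMPLE_SERVICES
    for name, reasons in hunt(records).items():
        print(f"{name}: " + "; ".join(reasons))
```

Against the constructed records only the "ktgn" entry is flagged, on both counts. The second heuristic (an early-start driver outside the Windows directory) is deliberately separate from the Temp check because a rebuilt loader could drop the file somewhere other than Temp while keeping the "System" start type that makes it survive reboots.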
To hinder detection and analysis, the driver is obfuscated with Safengine Protector, which makes static analysis difficult. The use of an updated version of the driver also ties the ransomware operators to UNC3944/Scattered Spider, which Mandiant had previously observed using a precursor of the same driver.
Although the driver is linked to these actors, it appears to still be under development and testing: parts of its code are non-functional, which suggests the attackers are still refining it.
Indicators of Compromise