Hackers Using Microsoft-signed Malicious Windows Drivers in Ransomware Attacks

Following a series of cyberattacks, including ransomware attacks, Microsoft recently revoked several Microsoft hardware developer accounts.

In a coordinated disclosure, the news came from the following entities:-

• Microsoft
• Mandiant
• Sophos
• SentinelOne

Authenticode signatures from Microsoft’s Windows Hardware Developer Program have been used in order to verify the trustworthiness of malicious kernel-mode hardware drivers that are used by threat actors.

Abusing Microsoft-signed Malicious Windows Drivers

In Windows, kernel-mode hardware drivers gain the highest level of privilege when they are loaded since they are loaded in kernel mode. It is possible that these privileges could grant the driver the ability to perform a variety of malicious activities that would otherwise not be permissible.

In order to carry out these actions, the following tasks are performed:-

• Disable security software
• Protected files are deleted
• Act as rootkits to hide malicious processes

The Windows Hardware Developer Program is a program developed by Microsoft that entails the signing of hardware drivers operating at the kernel level. The kernel-mode hardware drivers are must required in Windows 10.

As developers need to go through several verification stages to make the code look legit. Here below we have mentioned those stages:-

• Register for the Hardware Developer program
• Identify or purchase an Extended Validation (EV) certificate
• Download and install the Windows Driver Kit (WDK)
• Create the CAB file that will be submitted for approval. The CAB file includes the driver itself, driver INF, symbol file, and catalog files.
• Sign the CAB file with the EV certificate
• Submit the EV-signed CAB via the hardware dashboard
• Microsoft will sign the driver
• Download the signed driver from the hardware dashboard
• Validate and test the signed driver

Moreover, through this program, code signed by Microsoft is automatically trusted by many security platforms. Therefore, there is a high value to being able to sign a kernel-mode driver by Microsoft so that it can be used by a malicious campaign.

To date, Mandiant has continuously observed threat actors assuming the role of code-signing certificates through the use of compromised or stolen certificates.

Security Software Termination Toolkit

UNC3944 has been identified by Mandiant as utilizing malware that has been signed through the authorization signing process. Since at least May 2022, UNC3944 has been an active group of threat actors that are motivated by financial gain.

As early as August 2022, UNC3944 has already been observed to have deployed both of these elements:-

• STONESTOP
• POORTRY

Ransomware and SIM Swapping is Linked

Several different threat actors have been using the toolkit that the three companies have seen. In an incident response engagement, Sophos’ Rapid Response team ended an attack before hackers were able to distribute a final payload to computer systems.

A variant of this malware was previously used in the Cuba ransomware operation, according to Sophos. The SentinelOne security experts have also noticed attacks against the following entities using this Microsoft-signed toolkit:- 

• Telecommunication
• BPO
• MSSP
• Financial services businesses

The Hive Ransomware operation used it in one particular case in which it was used against a medical firm as part of its attack. Moreover, there are many legitimate binaries that use this Microsoft certificate as part of the attestation program.

A new security update was released by Microsoft recently to revoke certificates used by malicious files. In addition, it suspends the accounts as well that were used to present the signed drivers.

The company has not yet revealed how malicious drivers managed to circumvent the review process in the first place.

Penetration Testing As a Service – Download Red Team & Blue Team Workspace