Posted on May 22, 2023 at 5:47 PM
Report Shows Blackcat Hackers Are Using Windows Kernel Drivers To Avoid Detection
The ALPHV ransomware group, also known as BlackCat, was detected using signed malicious Windows kernel drivers. The group used these drivers to evade detection by security software while conducting its attacks.
ALPHV ransomware group uses malicious Windows kernel drivers
The kernel driver used in these attacks was detected by Trend Micro. It is an improved version of the malware known as "POORTRY." Towards the end of last year, Microsoft, Mandiant, SentinelOne, and Sophos reported that they had detected the POORTRY malware.
The POORTRY malware operates as a signed Windows kernel driver. However, the driver was signed using stolen keys belonging to legitimate accounts in Microsoft's Windows Hardware Developer Program.
The malicious driver in question was also used by a hacking group known as UNC3944. The group is also known as 0ktapus or Scattered Spider, and it used the driver to evade detection by security software installed on Windows devices.
Security software is usually protected from tampering. However, the hackers were able to terminate it because Windows kernel drivers run at the highest privilege level in the operating system and can shut down nearly any process.
The Trend Micro report said that the ransomware group first tried using the Microsoft-signed POORTRY driver, but it was detected by security systems because its code-signing keys had been revoked. The hackers then used an updated POORTRY kernel driver signed with a fraudulently acquired cross-signing certificate.
The malicious Windows kernel driver allows the ransomware group to avoid detection. It has also increased the group's capabilities, since it can stop security software processes.
Hackers are exploiting a malicious Windows kernel driver
The signed Windows kernel driver detected by Trend Micro earlier this year is "ktgn.sys." The driver is installed on the target device's filesystem and then executed using a user-mode program known as "tjr.exe."
According to analysts, the code-signing certificate for ktgn.sys has been revoked, but the driver will still load and run on 64-bit Windows systems that enforce stricter signing policies.
The malicious kernel driver also exposes an IOCTL interface through which the user-mode client tjr.exe issues commands that are executed with the privileges of the Windows kernel driver.
Trend Micro further said that "From our analysis of what occurs when a user interfaces with this driver, we observed that it only uses one of the exposed Device Input and Output Control (IOCTL) codes – Kill Process, which is used to get rid of security agent processes that have been installed on a system."
Trend Micro has also said that the two commands used for the Process/Thread Notification callbacks are not authentic, which shows that the driver is still under development or in a testing phase. It is up to system administrators to use the published indicators to detect any sign of compromise.
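One way an administrator can act on those indicators, as an added example that is not code from the Trend Micro report or the article: enumerate the kernel drivers registered on a host, verify each file's Authenticode signature, and flag drivers whose signature is not valid (a revoked signing chain included) or whose file name matches one named in the report. It assumes an elevated PowerShell 5.1 or later session on Windows 10/11; the IoC list is taken only from the names quoted above.

```powershell
# Added example, not from the original report. Run as Administrator.
# A non-Valid signature status is a lead to investigate, not proof of compromise:
# the article notes that a driver with a revoked certificate can still be loaded.

$ReportedNames = @('ktgn.sys', 'tjr.exe')   # file names quoted in the article

function Get-SuspiciousDrivers {
    # Win32_SystemDriver lists kernel drivers registered as services with their on-disk path.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName }
    foreach ($d in $drivers) {
        # PathName can carry \??\ or \SystemRoot\ prefixes or be relative; normalise to a Win32 path.
        $path = $d.PathName.Trim('"') -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
        if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $name    = [System.IO.Path]::GetFileName($path).ToLower()
        $reasons = @()
        if ($ReportedNames -contains $name) { $reasons += 'file name matches a reported IoC' }
        if ($sig.Status -ne 'Valid')       { $reasons += "signature $($sig.Status): $($sig.StatusMessage)" }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Service = $d.Name
                State   = $d.State
                Path    = $path
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                Reason  = ($reasons -join '; ')
            }
        }
    }
}

function Get-ReportedUserModeClients {
    # The report describes a user-mode client that drives the driver over IOCTLs; check running processes too.
    Get-Process | Where-Object { $_.Path -and ($ReportedNames -contains ([System.IO.Path]::GetFileName($_.Path).ToLower())) } |
        Select-Object Id, ProcessName, Path
}

Get-SuspiciousDrivers        | Format-Table -AutoSize
Get-ReportedUserModeClients  | Format-Table -AutoSize
```

Because the report says only the Kill Process IOCTL is used, a sudden termination of EDR or antivirus services shortly after a new driver service appears is the event worth correlating with this output.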