Sophos, a global leader in innovating and delivering cybersecurity-as-a-service, has revealed that it has found malicious code in multiple drivers signed by legitimate digital certificates. The most recent report, “Signed Driver Malware Moves up the Software Trust Chain,” describes the investigation that began with an attempted ransomware attack in which the attackers used a malicious driver signed with a legitimate Windows Hardware Compatibility Publisher digital certificate from Microsoft. The malicious driver is designed specifically to target processes used by major Endpoint Detection and Response (EDR) software packages and was installed by malware associated with threat actors affiliated with Cuba ransomware, a highly prolific group that has successfully attacked more than 100 companies worldwide in the past year. Sophos Rapid Response was able to thwart the attack, and the investigation led to extensive collaboration between Sophos and Microsoft to take action and address the threat.
Drivers can perform very privileged operations on systems. For example, kernel-mode drivers can terminate many types of software, including security software. Controlling which drivers can be loaded is one way to protect computers from this attack route. Windows requires drivers to carry a cryptographic signature – a “stamp of approval” – before the driver can load.
However, not all digital certificates used to sign drivers are equally trusted. Some digital signing certificates, stolen and leaked to the internet, were later misused to sign malware; still other certificates have been bought and used by unscrupulous publishers of potentially unwanted applications (PUA). Sophos’ investigation into a malicious driver used to sabotage endpoint security tools during a ransomware attack revealed that the adversaries had made a concerted effort to gradually move from less common to more widely trusted digital certificates.
“These attackers, most likely members of the Cuba ransomware group, know what they are doing and they are persistent. We found a total of 10 malicious drivers, all variants of the original discovery. These drivers show a concerted effort to move up the chain of trust, with the oldest driver dating back to at least July. The oldest we’ve found so far were signed with certificates from unknown Chinese companies; they then went ahead and managed to sign the driver with a valid, leaked, revoked NVIDIA certificate. Now they use a certificate from Microsoft, one of the most trusted authorities in the Windows ecosystem. If you think of it as corporate security, the attackers have essentially been given valid corporate IDs to go into the building without question and do whatever they want,” said Christopher Budd, senior manager, Threat Research, Sophos.
A closer look at the executable files used in the attempted ransomware attack revealed that the malicious signed driver was downloaded to the targeted system using a variant of the BURNTCIGAR loader, a known piece of malware affiliated with the Cuba ransomware group. Once the loader downloads the driver onto the system, the driver waits for one of the 186 different program filenames commonly used by major endpoint security and EDR software packages to launch, then attempts to terminate those processes. If successful, the attackers can deploy the ransomware.
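Because the driver described above carried a valid Microsoft signature, a signature check alone would not have flagged it; what a defender can do is inventory the kernel drivers registered on a host, verify each file's Authenticode status, and pull out the third-party drivers signed through Microsoft's Windows Hardware Compatibility Publisher so they can be reconciled against Microsoft's advisory and driver blocklist. The following PowerShell is an added example, not Sophos' or Microsoft's code, and assumes PowerShell 5.1 or later on Windows with read access to the driver files; the function name and the output fields are my own choices.

```powershell
# Added example (not from the Sophos report): list registered kernel drivers, verify
# each file's Authenticode signature and mark drivers signed via Microsoft's WHCP program.
function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        # Regex applied to the signer subject; default reports every driver
        [string]$SignerFilter = '.*'
    )
    $systemRoot = $env:SystemRoot
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $raw = $_.PathName
        if (-not $raw) { return }
        # Normalise the service path forms seen in practice (\??\C:\..., \SystemRoot\...,
        # system32\drivers\...) into a real file path the signature cmdlet can open
        $path = $raw -replace '^\\\?\?\\', '' `
                     -replace '^\\SystemRoot', $systemRoot `
                     -replace '^system32', "$systemRoot\system32"
        if (-not (Test-Path -LiteralPath $path)) { return }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        if ($signer -notmatch $SignerFilter) { return }
        [pscustomobject]@{
            Name       = $_.Name
            State      = $_.State
            Path       = $path
            Status     = $sig.Status     # Valid, NotSigned, HashMismatch, ...
            Signer     = $signer
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
            # Third-party drivers signed through WHCP carry Microsoft's publisher certificate;
            # a Valid status here says nothing about the submitter, so review these separately
            WHCP       = $signer -like '*Windows Hardware Compatibility Publisher*'
        }
    }
}

# Review set: anything not validly signed, plus running WHCP-signed drivers
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' -or ($_.WHCP -and $_.State -eq 'Running') } |
    Sort-Object Status, Name |
    Format-Table Name, State, Status, Signer, Path -AutoSize
```

Run it from an elevated session so every driver file is readable; the WHCP rows are the ones to compare with the hashes and names Microsoft publishes in its advisory, since the signature itself cannot distinguish a benign submission from a malicious one.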
“In 2022, we’ve seen ransomware attackers increasingly try to evade EDR products from many, if not most, major vendors. The most common technique is known as ‘bring your own driver’, which BlackByte has recently used, where attackers exploit an existing vulnerability in a legitimate driver. It is much more difficult to create a malicious driver from scratch and have it signed by a legitimate authority. However, if they succeed, it’s incredibly effective because the driver can run essentially any process without question. In the case of this particular driver, virtually all EDR software is vulnerable; fortunately, Sophos’ additional anti-tamper protections were able to stop the ransomware attack. The security community should be aware of this threat so that they can take additional security measures where necessary, such as eyes on glass; moreover, we can see other attackers trying to mimic this type of attack,” Budd said.
When Sophos discovered this driver, it immediately alerted Microsoft and the two companies worked together to resolve the issue. Microsoft released information today in their security advisory with more information as part of Patch Tuesday.