An unknown threat actor has been observed utilizing a malicious Windows kernel driver in attacks possibly targeting the Middle East since at least May 2020.
Fortinet FortiGuard Labs, which dubbed the artifact WINTAPIX (WinTapix.sys), attributed the malware to Iranian threat actors with low confidence.
“WinTapix.sys is basically a loader,” security researchers Geri Revay and Hossein Jazi said in a report published on Monday. “As such, the main goal is to generate and execute the next stage of the attack. This is done using shell code.”
Samples and telemetry data analyzed by Fortinet indicate that the campaign's main focus is Saudi Arabia, Jordan, Qatar and the United Arab Emirates. The activity has not been linked to any known threat actor or group.
The idea behind using a malicious kernel-mode driver is to subvert or disable security mechanisms and gain root access to the targeted host.
The main security measure against malicious drivers is Driver Signature Enforcement, which ensures that only drivers signed by Microsoft can be loaded on the system. The tech giant also maintains driver block rules to protect against known vulnerable drivers.
WinTapix.sys, on the other hand, comes with an invalid signature, indicating that a threat actor must first load a valid but vulnerable driver in order to launch WINTAPIX.
But once loaded in the kernel, WinTapix.sys is configured to inject the embedded shellcode into the appropriate user-mode process which, in turn, executes the encrypted .NET payload.
WINTAPIX, in addition to embedding shellcode created using the open source Donut project, establishes persistence by modifying the Windows Registry, allowing it to be loaded even when the machine is booted in Safe Mode.
The .NET malware, for its part, is equipped with backdoor and proxy features to execute commands, perform file downloads and uploads, and act as a proxy to pass data between two communication endpoints.
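As an added illustration (not code from the Fortinet report), the following PowerShell triage script checks a host for the two behaviours described above: registered kernel drivers whose Authenticode signature does not validate, and drivers or services registered under the SafeBoot keys so that they load even in Safe Mode. The cmdlets and registry paths are standard Windows; the function names are mine.

```powershell
# Added example, not code from the Fortinet or Trend Micro reports: triage a Windows host for
# (a) registered kernel drivers whose Authenticode signature does not validate and
# (b) entries under the SafeBoot keys that let a driver or service load in Safe Mode.
# Normalise the PathName formats seen for driver services
# (\SystemRoot\..., \??\C:\..., system32\drivers\...) into a filesystem path.
function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^\\\?\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Every registered kernel driver whose signature status is anything other than Valid.
function Get-UnsignedDriverReport {
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $path
                State     = $_.State
                StartMode = $_.StartMode
                SigStatus = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError ...
                Signer    = $sig.SignerCertificate.Subject
            }
        }
    } | Where-Object { $_.SigStatus -ne 'Valid' }
}

# Entries allowed to start in Safe Mode (Minimal and Network). Compare against a
# known-good baseline: an unexpected driver here is the persistence trick described above.
function Get-SafeBootEntries {
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Mode  = $mode
                Entry = $_.PSChildName
                Type  = (Get-ItemProperty -LiteralPath $_.PSPath).'(default)'   # Driver, Service, or a device-class name
            }
        }
    }
}

Get-UnsignedDriverReport | Format-Table -AutoSize
Get-SafeBootEntries | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: some inbox drivers are catalog-signed and may report a non-Valid status on older PowerShell versions, so confirm each hit against a known-good baseline before acting on it.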
“Since Iranian threat actors are known to exploit Exchange servers to deploy additional malware, it is also possible that this driver has been used in conjunction with Exchange attacks,” the researchers said.
“Until then, the compile times of the drivers are also aligned with the times when Iranian threat actors exploit Exchange server vulnerabilities.”
The development comes as the ALPHV (aka BlackCat or Noberus) ransomware group has been observed using a malicious signed driver to undermine security defenses and evade detection for extended periods.
The driver in question, ktgn.sys, is an updated version of POORTRY signed using a stolen or leaked cross-signing certificate, cybersecurity firm Trend Micro said in a report.
POORTRY is the name given to a Windows kernel driver that comes with the ability to stop security software. Late last year, it was revealed to have been used by several ransomware gangs and a threat actor known as UNC3944 (aka Roasted 0ktapus and Scattered Spider).
“Negative actors that actively seek high-privilege access to Windows operating systems employ techniques that seek to combat enhanced protection to users and processes through endpoint protection (EPP) platforms and endpoint detection and response (EDR) technologies,” said Trend Micro.
“These bad actors are also likely to have sufficient financial resources to purchase rootkits from underground sources or purchase code signing certificates to build rootkits.”