Ransomware hides in drivers with valid certificates
Sophos X-Ops has found malicious code in several drivers signed with legitimate digital certificates. The new report Signed driver malware moves up the software trust chain describes the investigation, which began with an attempted ransomware attack. The attackers used a malicious driver signed with a legitimate Windows Hardware Compatibility Publisher digital certificate from Microsoft. The malicious driver specifically targets processes used by key endpoint detection and response (EDR) software packages. It was installed by malware associated with threat actors surrounding the Cuba Ransomware Group - a highly prolific group that successfully attacked more than 100 businesses worldwide last year. Sophos Rapid Response was able to successfully thwart the attack. This investigation triggered extensive collaboration between Sophos and Microsoft to take action and eliminate the threat.
Malicious drivers signed with stolen certificates
Drivers can perform highly privileged operations on systems. For example, kernel-mode drivers can, among other things, terminate many types of software, including security software. Controlling which drivers can be loaded is one way to protect computers from this type of attack. Windows requires drivers to have a cryptographic signature - an "approval stamp" - before the driver can be loaded. However, not all digital certificates used to sign drivers are equally trustworthy. Some stolen digital signing certificates leaked onto the internet were later misused to sign malware; other certificates were purchased and used by unscrupulous PUA software vendors. Sophos's investigation of a malicious driver used to sabotage endpoint security tools during a ransomware attack found that attackers made a concerted effort to move from less trusted to increasingly trusted digital certificates.
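The trust-chain point above is what a driver-load detection should key on: a signature being present is not enough, the signer and the status of its certificate matter. As an added example (not code from the Sophos report), the following triages Sysmon Event ID 6 (DriverLoad) records by SignatureStatus and Signature; the allowlist of expected signers, the sample records and the non-Microsoft signer names are assumptions constructed for the illustration.

```python
# Added example, not the Sophos report's code: triage Sysmon Event ID 6 (DriverLoad)
# records by signature status and signer, so a driver loaded under a revoked or
# unfamiliar certificate is surfaced before it can reach EDR processes.
from dataclasses import dataclass

# Assumed allowlist: signers a fleet expects to see on its kernel drivers.
EXPECTED_SIGNERS = {"Microsoft Windows",
                    "Microsoft Windows Hardware Compatibility Publisher"}

@dataclass
class Verdict:
    image: str
    level: str    # "alert", "review" or "ok"
    reason: str

def parse_event(text: str) -> dict:
    """Turn the 'Key: value' lines of one Sysmon event into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def assess(event: dict) -> Verdict:
    image, signer = event.get("ImageLoaded", "?"), event.get("Signature", "")
    status = event.get("SignatureStatus", "")
    if event.get("Signed", "").lower() != "true":
        return Verdict(image, "alert", "unsigned driver loaded")
    if status != "Valid":   # revoked, expired or untrusted chain: a leaked cert lands here
        return Verdict(image, "alert", f"signature status {status} from {signer}")
    if signer not in EXPECTED_SIGNERS:
        return Verdict(image, "review", f"unexpected signer {signer}")
    # Valid and expected: the WHCP-signed case in the report still passes this gate,
    # which is why a new driver hash should also be checked against a blocklist.
    return Verdict(image, "ok", f"valid signature from {signer}")

def triage(texts):
    return [assess(parse_event(t)) for t in texts]

# Constructed sample records in Sysmon's event-text layout (not real telemetry);
# the non-Microsoft signer names are placeholders.
SAMPLE_EVENTS = [
    "ImageLoaded: C:\\Windows\\System32\\drivers\\acpi.sys\nSigned: true\n"
    "Signature: Microsoft Windows\nSignatureStatus: Valid",
    "ImageLoaded: C:\\Users\\Public\\svc.sys\nSigned: true\n"
    "Signature: Example GPU Vendor Inc\nSignatureStatus: Revoked",
    "ImageLoaded: C:\\Windows\\Temp\\drv.sys\nSigned: true\n"
    "Signature: Example Unknown Co Ltd\nSignatureStatus: Valid",
]
```

Run `triage(SAMPLE_EVENTS)` to get one Verdict per record; the revoked-certificate load is an alert and the validly signed but unfamiliar signer is queued for review.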
Cuba most likely involved
"These attackers, most likely members of the Cuba ransomware group, know what they are doing - and they are persistent," said Christopher Budd, senior manager, threat research at Sophos. "We found a total of ten malicious drivers, all of which are variants of the original discovery. These drivers show a concerted effort to move up in trustworthiness, with the oldest driver dating back to at least July. The oldest drivers we have found so far were signed with certificates from unknown Chinese companies. Then they managed to sign the driver with a valid, leaked and revoked NVIDIA certificate. Now they are using a legitimate Windows Hardware Compatibility Publisher digital certificate from Microsoft, one of the most trusted entities in the Windows ecosystem. If you look at it from a corporate security perspective, the attackers have been given valid corporate credentials to enter the building and do whatever they want without question," Christopher Budd continued. A closer examination of the executables used in the attempted ransomware attack revealed that the malicious signed driver was downloaded to the target system using a variant of the loader BURNTCIGAR, a known malware belonging to the Cuba ransomware group. Once the loader has downloaded the driver onto the system, it waits for one of 186 different program filenames commonly used by key endpoint security and EDR software packages to be launched, and then attempts to terminate these processes. If successful, the attackers can deploy the ransomware.
Current trend: Trying to bypass all current EDR products
"In 2022, we have observed ransomware attackers increasingly attempting to circumvent the EDR products of many, if not most, major vendors," Christopher Budd continued. "The most common technique is known as 'bring your own driver', which BlackByte recently used. This involves attackers exploiting an existing vulnerability in a legitimate driver. It is far more difficult to create a malicious driver from scratch and have it signed by a legitimate authority. However, if successful, it is incredibly effective as the driver can run arbitrary processes without being compromised. In the case of this particular driver, virtually any EDR software is vulnerable. Fortunately, Sophos's additional tamper protection measures were able to stop the ransomware attack. The security community needs to be aware of this threat so that they can implement additional security measures. It is likely that more attackers will mimic this model." Sophos immediately worked with Microsoft to fix the problem after discovering the driver. Microsoft has published further information in its security advisory and released it as part of Patch Tuesday.