The BlackCat ransomware was spotted in February, using signed malicious Windows kernel drivers to avoid detection by security tools. The driver used is an improved version of the POORTRY malware that was discovered by Mandiant, Sophos, SentinelOne, and Microsoft in ransomware attacks last year.

POORTRY malware is a Windows kernel driver signed via stolen keys of genuine accounts in the Windows Hardware Developer Program. Previously, the UNC3944 hacker group had used this driver to terminate security software on targeted devices.

Hackers improvise POORTRY

While security software is usually protected from being terminated, the privileges enjoyed by Windows kernel drivers are of the highest level; they can be used to terminate any process.
  • When attackers attempted to use POORTRY, they discovered that the detection rate by security software for this malware was very high due to the publicity it gained after the code-signing keys were revoked.
  • Hence they modified the POORTRY kernel driver. This updated driver used by the BlackCat operation allowed them to elevate privileges on compromised machines and stop security agents.

Modus operandi

The signed driver, ktgn[.]sys, detected by Trend Micro is delivered onto the victim's filesystem at the %Temp% folder and loaded by a user mode program called tjr[.]exe.
  • Although the digital signature of ktgn[.]sys has been revoked, the driver still loads on 64-bit Windows systems by employing the enforced signing policies.
  • If a user interacts with this driver, it only uses one of the exposed Device Input and Output Control (IOCTL) codes— Kill Process—used to kill security software processes on the system.
  • According to Trend Micro, two commands used for Process/Thread Notification callbacks are non-functional, suggesting that the driver is under development or in a testing phase right now.

Recommendations

System administrators are advised to follow the IOCs shared by Trend Micro. Add the malicious drivers used by the ransomware groups to the Windows driver blocklist. Furthermore, Windows admins should ensure that 'Driver Signature Enforcement' is enabled.
Cyware Publisher

Publisher

Cyware