100 malicious drivers signed by Microsoft detected


Sophos experts have discovered 100 malicious drivers signed by Microsoft Windows Hardware Compatibility Publisher (WHCP). Most are so-called "EDR killers" specifically designed to attack and terminate various EDR/AV software on victims' systems. 

Sophos X-Ops has detected 133 malicious drivers signed with legitimate digital certificates; 100 of them were signed by the Microsoft Windows Hardware Compatibility Publisher (WHCP). WHCP-signed drivers are inherently trusted by every Windows system, allowing attackers to install them without raising an alert and then carry out malicious activities with virtually no hindrance.

Drivers paralyze EDR and AV software

Figure: The WHCP certificates used were officially signed in early 2022 (Image: Sophos).

Of the drivers found, 81 were so-called "EDR killers" specifically designed to attack and terminate various EDR/AV software on victims' systems. These drivers are similar to those previously discovered by Sophos X-Ops in December 2022. The remaining drivers - 32 of which were signed by WHCP - were rootkits. Many of these programs are designed to secretly monitor sensitive data sent over the Internet. X-Ops immediately reported the malicious drivers to Microsoft upon discovery and the issues were fixed with the latest Patch Tuesday.

Full details of the investigation are available in the X-Ops blog article. This post is a follow-up to a December 2022 post in which Sophos, Mandiant, and SentinelOne reported on multiple malicious drivers that had been signed by Microsoft. Those drivers specifically targeted a wide range of AV/EDR software.

Worrying increase in activity

"Since October last year, we have observed a worrying increase in activity by criminals exploiting maliciously signed drivers to carry out various cyber attacks, including ransomware. At the time, we assumed that attackers would continue to exploit this attack vector, which has now proven to be the case. Since drivers often communicate with the 'core' of the operating system and are thus loaded before security software, they can be particularly effective in disabling security measures if misused - especially if they are signed by a trusted authority.

Many of the malicious drivers we detected were specifically designed to attack and 'turn off' EDR products, leaving affected systems vulnerable to a range of malicious activities. It is difficult to obtain a signature for a malicious driver, so this technique is mainly used by advanced threat actors in targeted attacks. Furthermore, these particular drivers are not vendor specific; they target a wide range of EDR software. For this reason, all IT security teams have to deal with the topic and implement additional protective measures if necessary. It's important for organizations to implement the patches provided by Microsoft on Patch Tuesday," said Christopher Budd, director of threat research at Sophos X-Ops.
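Because WHCP-signed drivers load without any prompt, a defender's first step is simply knowing which installed drivers carry that signature and when their signer certificate was issued. The following PowerShell hunt script is an added example, not code from Sophos or Microsoft; it assumes it is run as Administrator on Windows 10/11 and that the subject prefix used to identify the WHCP signer is correct for the certificates in question.

```powershell
# Added example (not from the article): inventory the drivers registered on this host,
# record signer, signature status and SHA256, and flag WHCP-signed drivers whose signer
# certificate was issued on or after a cut-off date for manual review against vendor IoCs.
# Assumption: WHCP certificates carry this subject prefix.
$WhcpSubject = 'CN=Microsoft Windows Hardware Compatibility Publisher'

function Get-DriverSignatureReport {
    param([datetime]$IssuedOnOrAfter = [datetime]'2022-01-01')  # cut-off is a constructed default

    $paths = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        Select-Object -ExpandProperty PathName -Unique

    foreach ($raw in $paths) {
        # PathName may use \??\ or \SystemRoot\ prefixes; normalise to a plain Win32 path
        $path = $raw -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $cert   = $sig.SignerCertificate
        $isWhcp = [bool]($cert -and ($cert.Subject -like "$WhcpSubject*"))

        [pscustomobject]@{
            Path       = $path
            SHA256     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Status     = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
            Signer     = if ($cert) { $cert.Subject } else { $null }
            WhcpSigned = $isWhcp
            CertIssued = if ($cert) { $cert.NotBefore } else { $null }
            # NotBefore is the certificate's validity start, a coarse proxy for signing time.
            # A hit here is a triage hint only: WHCP also signs many legitimate drivers.
            ReviewHint = [bool]($isWhcp -and $cert.NotBefore -ge $IssuedOnOrAfter)
        }
    }
}

# Show drivers worth a second look: recent WHCP signatures or anything not validly signed.
Get-DriverSignatureReport |
    Where-Object { $_.ReviewHint -or $_.Status -ne 'Valid' } |
    Sort-Object CertIssued -Descending |
    Format-Table Path, Status, WhcpSigned, CertIssued -AutoSize
```

Export the full report with `Get-DriverSignatureReport | Export-Csv drivers.csv -NoTypeInformation` and compare the SHA256 column against the indicators published with the Sophos X-Ops article and Microsoft's driver blocklist updates.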

More at Sophos.com
