Ransomware attacks: malicious code with valid certificates

Sophos has thwarted ransomware attacks that used a rare malicious driver, one signed with a valid Microsoft digital certificate. The driver targets Endpoint Detection and Response (EDR) processes. The attack is linked to the Cuba Ransomware Group.

Sophos found malicious code in several drivers signed with legitimate digital certificates. A new report, Signed Driver Malware Moves up the Software Trust Chain, details the investigation that began with an attempted ransomware attack. The attackers used a malicious driver that was signed with a legitimate Windows Hardware Compatibility Publisher digital certificate from Microsoft.

Malicious drivers with valid Microsoft certificates

The malicious driver specifically targets processes used by key Endpoint Detection and Response (EDR) software packages. It was installed by malware linked to the Cuba Ransomware Group, a prolific group that has successfully attacked more than 100 companies worldwide over the past year. Sophos Rapid Response successfully thwarted the attack. The investigation triggered extensive collaboration between Sophos and Microsoft to take action and eliminate the threat.

Stolen certificate issue

Drivers can perform highly privileged operations on systems. Among other things, kernel-mode drivers can terminate many types of software, including security software. Controlling which drivers can be loaded is therefore one way to protect computers from this type of attack. Windows requires drivers to carry a cryptographic signature, an "approval stamp", before the driver can be loaded.

However, not all digital certificates used to sign drivers are equally trusted. Some stolen and leaked code-signing certificates were later used to sign malware; other certificates were purchased and used by unscrupulous makers of potentially unwanted applications (PUA). Sophos' investigation into a malicious driver used to sabotage endpoint security tools during a ransomware attack found that the attackers made a concerted effort to move from less-trusted to more-trusted digital certificates.
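The signing hierarchy described above is what a defender has to reason about when deciding whether a freshly loaded driver deserves a closer look. The following triage routine is an added example, not Sophos code and not anything the report describes. It assumes Sysmon is deployed and writes its DriverLoad record (Event ID 6) with the fields ImageLoaded, Hashes, Signed, Signature and SignatureStatus; the sample events, the non-Microsoft signer names and the hash inventory are constructed for the example. The point it makes is the article's own: a valid signature, even from Microsoft's Windows Hardware Compatibility Publisher, gets a driver past the first two checks, so the last gate has to be an inventory of drivers the organisation has actually reviewed.

```python
"""Triage of driver-load records (Sysmon Event ID 6).

Added example, not Sophos code.  Assumes Sysmon is deployed and writes the
DriverLoad event with the fields ImageLoaded, Hashes, Signed, Signature and
SignatureStatus.  The sample events, the non-Microsoft signer names and the
hash inventory below are constructed for this example.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Signers an organisation expects on kernel drivers.  A valid signature from
# one of these is necessary but not sufficient: the driver in the article
# carried a valid Windows Hardware Compatibility Publisher signature.
KNOWN_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Constructed inventory: SHA256 of drivers already reviewed and approved.
KNOWN_GOOD_SHA256 = {"1" * 64}


def parse_event(xml_text):
    """Flatten one Sysmon event into a dict keyed by the Data Name attributes."""
    root = ET.fromstring(xml_text)
    event = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    event["EventID"] = int(root.findtext("e:System/e:EventID", default="0", namespaces=NS))
    return event


def sha256_of(hashes_field):
    """Pull the SHA256 value out of Sysmon's 'SHA1=...,SHA256=...' Hashes field."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def triage(event):
    """Return (severity, reason) for a driver-load record, strictest check first."""
    if event.get("EventID") != 6:
        return ("ignore", "not a driver load")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        # Unsigned, or signed with a chain that fails verification (expired,
        # revoked, untrusted root): never acceptable for a kernel driver.
        return ("high", "signature missing or not valid: " + event.get("SignatureStatus", ""))
    if event.get("Signature") not in KNOWN_SIGNERS:
        # Valid signature, but from a signer the organisation has never vetted.
        return ("high", "unexpected signer: " + event.get("Signature", ""))
    if sha256_of(event.get("Hashes", "")) not in KNOWN_GOOD_SHA256:
        # The case the article describes: trusted signer, unknown binary.
        return ("medium", "trusted signer but driver not in inventory: review before allowing")
    return ("info", "known driver")


def make_event(image, sha256, signed, signer, status):
    """Build a constructed Sysmon-style Event ID 6 record for testing."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>6</EventID></System><EventData>'
        f'<Data Name="ImageLoaded">{image}</Data>'
        f'<Data Name="Hashes">SHA256={sha256}</Data>'
        f'<Data Name="Signed">{signed}</Data>'
        f'<Data Name="Signature">{signer}</Data>'
        f'<Data Name="SignatureStatus">{status}</Data>'
        "</EventData></Event>"
    )


SAMPLE_EVENTS = [  # constructed records; status text other than "Valid" is illustrative
    make_event(r"C:\Windows\System32\drivers\known.sys", "1" * 64, "true",
               "Microsoft Windows", "Valid"),
    make_event(r"C:\Users\Public\a.sys", "2" * 64, "true",
               "Example Unknown Vendor Ltd", "Valid"),
    make_event(r"C:\Users\Public\b.sys", "3" * 64, "true",
               "Example Leaked Vendor Cert", "Invalid"),
    make_event(r"C:\Users\Public\c.sys", "4" * 64, "true",
               "Microsoft Windows Hardware Compatibility Publisher", "Valid"),
]


def triage_all(xml_events):
    """Triage a batch of events; returns (image, severity, reason) per event."""
    results = []
    for xml_text in xml_events:
        event = parse_event(xml_text)
        severity, reason = triage(event)
        results.append((event.get("ImageLoaded"), severity, reason))
    return results


if __name__ == "__main__":
    for image, severity, reason in triage_all(SAMPLE_EVENTS):
        print(f"{severity:6} {image}: {reason}")
```

The ordering of the checks is deliberate: signature validity and signer identity are cheap and catch the older variants the article mentions (unknown signers, revoked certificates), while the hash inventory is what catches a driver that has climbed all the way to a Microsoft-issued signature. In practice the inventory is maintained by whatever driver allow-listing mechanism the organisation uses; the set here only stands in for it.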

Cuba most likely involved

"These attackers, most likely members of the Cuba ransomware group, know what they're doing — and they're persistent," said Christopher Budd, senior manager, threat research at Sophos. "We found a total of ten malicious drivers, all of which are variants of the original detection. These drivers show a concerted effort to rise in trustworthiness, with the oldest driver dating back at least to July. The oldest drivers we've found so far were signed with certificates from unknown Chinese companies. After that, they managed to sign the driver with a valid, leaked and revoked NVIDIA certificate.

Now they're using a legitimate Windows Hardware Compatibility Publisher digital certificate from Microsoft, one of the most trusted entities in the Windows ecosystem. Looking at it from a corporate security perspective, the attackers were given valid corporate credentials to enter the building without question and do as they please," continued Christopher Budd.

Attempting process termination

A closer examination of the executable files used in the attempted ransomware attack revealed that the malicious signed driver was downloaded to the target system using a variant of the BURNTCIGAR loader, a known malware belonging to the Cuba ransomware group. Once the loader has downloaded the driver onto the system, it waits for any of 186 different executable filenames commonly used by key endpoint security and EDR software packages to start, and then attempts to kill those processes. If it succeeds, the attackers can deploy the ransomware.
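The behaviour just described, a driver load followed shortly by the termination of several security-product processes, is a sequence a defender can look for in host telemetry. The correlation below is an added example, not Sophos code and not a description of how Sophos detected this attack. It assumes Sysmon-style records with a UTC timestamp, an event ID (6 for DriverLoad, 5 for ProcessTerminate) and an image path; the watch-list of process names and the log lines are constructed, and the article's list of 186 filenames is not reproduced here.

```python
"""Correlate driver loads with a burst of security-process terminations.

Added example, not Sophos code.  Assumes Sysmon-style records as
(UtcTime, EventID, Image) with EventID 6 = DriverLoad (Image is the driver
path) and EventID 5 = ProcessTerminate.  The watch-list names and the sample
log below are constructed stand-ins, not the real EDR executable names.
"""
from datetime import datetime, timedelta

# Constructed watch-list: stand-ins for the executables a loader of this kind
# watches for.  A real deployment would carry the organisation's own list.
EDR_PROCESSES = {"edr_agent.exe", "edr_service.exe", "av_scanner.exe"}

# Constructed log: one benign driver load with an unrelated restart later,
# then a driver load followed by three watch-listed terminations in seconds.
SAMPLE_LOG = [
    ("2022-12-13 10:00:00.000", 6, r"C:\Windows\System32\drivers\known.sys"),
    ("2022-12-13 10:20:00.000", 5, r"C:\Program Files\EDR\edr_agent.exe"),
    ("2022-12-13 11:00:00.000", 6, r"C:\Users\Public\zzz.sys"),
    ("2022-12-13 11:00:05.000", 5, r"C:\Program Files\EDR\edr_agent.exe"),
    ("2022-12-13 11:00:06.000", 5, r"C:\Program Files\EDR\edr_service.exe"),
    ("2022-12-13 11:00:07.000", 5, r"C:\Program Files\AV\av_scanner.exe"),
]


def parse_ts(text):
    """Sysmon UtcTime format: 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(log, window_seconds=60, threshold=2):
    """Return one alert per driver load that is followed, within window_seconds,
    by at least `threshold` distinct watch-listed process terminations.

    A single termination on its own is ignored: agents restart on their own
    and on updates, and that noise would otherwise swamp the signal.
    """
    window = timedelta(seconds=window_seconds)
    events = sorted(((parse_ts(t), eid, img) for t, eid, img in log),
                    key=lambda e: e[0])
    alerts = []
    for i, (t0, eid, driver) in enumerate(events):
        if eid != 6:
            continue
        killed = set()
        for t, eid2, img in events[i + 1:]:
            if t - t0 > window:
                break  # events are sorted, nothing later can be inside the window
            if eid2 == 5 and basename(img) in EDR_PROCESSES:
                killed.add(basename(img))
        if len(killed) >= threshold:
            alerts.append({
                "driver": driver,
                "loaded_at": t0.isoformat(),
                "terminated": sorted(killed),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['loaded_at']} {alert['driver']} -> {alert['terminated']}")
```

The alert carries the driver path so that it can be fed into the signature and inventory triage that the earlier section calls for; the window and threshold are tuning knobs, and both are set here to values that the constructed log makes easy to reason about rather than to anything measured in a real environment.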

Attempt to bypass all major EDR products

"In 2022, we have observed that ransomware attackers are increasingly attempting to bypass the EDR products of many, if not most, major manufacturers," Christopher Budd continued. "The most common technique is known as 'bring your own driver', which BlackByte has been using recently. The attackers exploit an existing vulnerability in a legitimate driver. It's far more difficult to build a malicious driver from scratch and have it signed by a legitimate authority. However, if it succeeds, it is incredibly effective, since the driver can run whatever processes it wants without being questioned."

Virtually all EDR software is vulnerable

"In the case of this particular driver, virtually any EDR software is vulnerable. Fortunately, Sophos' additional tamper protection measures were able to stop the ransomware attack. The security community needs to be aware of this threat in order to implement additional security measures. It can be assumed that other attackers will imitate this model."

More at Sophos.com

About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and they offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.