Caution! Malware Signed With Microsoft Certificate

Microsoft announced details on the distribution of malware signed with a Microsoft certificate.[1] According to the announcement, drivers certified through the Windows Hardware Developer Program had been abused after several developer program accounts were misused to submit malicious drivers for signing. To limit the damage, Microsoft suspended the related accounts, revoked the signatures of the affected files through a Windows security update, and added detections (Microsoft Defender signature version 1.377.987.0 or later).

To reduce security risks, Windows (on 64-bit editions, where kernel-mode code signing is enforced) only loads kernel-mode drivers that carry a valid signature. An unsigned driver cannot be loaded and triggers an error. Thus, for the malicious driver in question to function at all, it needed a signature. And because that signature was issued under a valid Microsoft certificate, users would not have been able to easily notice that the file was created with harmful intent.

These malware strains were first discovered by SentinelOne[2], Mandiant, and Sophos[3], who published analyses of them. The drivers were developed and used to shut down security products and ultimately to deploy ransomware. The identified driver file is a tool that incapacitates security programs and has the following features.

Figure 1. Terminating process (IOCTL: 0x222094)

Figure 2. Suspending process (IOCTL: 0x22209C)

Figure 3. Resuming process (IOCTL: 0x2220A0)

The malware operates by having the loader that installed the driver send specific values to it. The values sent are IOCTL (I/O Control) codes and information about the target process. An IOCTL is a communication interface between user-mode applications and drivers: the application opens the driver's device object and issues a request with a control code, and the driver assigns one code to each feature, as shown in Figures 1-3 above. The loader sends the IOCTL code for the desired feature together with the target process information. According to Sophos, the processes to be terminated are listed in the loader, which contains the names of services and processes of multiple security companies; the security programs named in the loader can therefore be incapacitated. The driver exposes its device through a symbolic link named \\.\KApcHelperLink1, which the loader opens to communicate with it.

Figure 4. Symbolic link of the driver
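The three IOCTL codes in Figures 1-3 are not arbitrary numbers: they follow the bit layout of the Windows CTL_CODE macro, and decoding them tells an analyst what to expect when the loader talks to the driver. The program below is an added example written for this article, not code from the page, from the malware, or from any of the vendors cited; it reproduces the CTL_CODE layout from winioctl.h (a fact of the Windows SDK, not of the sample), decodes the three documented codes, and maps them back to the feature names the figures give. The constants KAPC_IOCTL_* and the helper kapc_feature are names chosen here for illustration.

```c
/* Decode the IOCTL codes documented for the KApcHelper driver using the
 * CTL_CODE bit layout from the Windows SDK (winioctl.h / ntddk.h):
 *   bits 31..16  DeviceType
 *   bits 15..14  RequiredAccess
 *   bits 13..2   FunctionCode (0x800 and above are vendor-defined)
 *   bits  1..0   TransferType (method)
 * Added example; constant names below are chosen for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define METHOD_BUFFERED    0
#define METHOD_IN_DIRECT   1
#define METHOD_OUT_DIRECT  2
#define METHOD_NEITHER     3
#define FILE_ANY_ACCESS    0
#define FILE_DEVICE_UNKNOWN 0x22

/* Same arithmetic as the SDK macro, so decoded fields can be re-encoded. */
#define CTL_CODE(dev, fn, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | \
     ((uint32_t)(fn) << 2)   | (uint32_t)(method))

/* The three codes shown in Figures 1-3 of the article. */
#define KAPC_IOCTL_TERMINATE 0x222094u
#define KAPC_IOCTL_SUSPEND   0x22209Cu
#define KAPC_IOCTL_RESUME    0x2220A0u

typedef struct {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
} ioctl_fields;

/* Split a control code into its four fields. */
ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

const char *method_name(uint32_t m) {
    switch (m) {
    case METHOD_BUFFERED:   return "METHOD_BUFFERED";
    case METHOD_IN_DIRECT:  return "METHOD_IN_DIRECT";
    case METHOD_OUT_DIRECT: return "METHOD_OUT_DIRECT";
    default:                return "METHOD_NEITHER";
    }
}

/* Returns 1 when the function number is in the vendor-defined range. */
int is_vendor_function(uint32_t code) {
    return decode_ioctl(code).function >= 0x800u;
}

/* Feature name from the article's figures, or NULL for an undocumented code. */
const char *kapc_feature(uint32_t code) {
    switch (code) {
    case KAPC_IOCTL_TERMINATE: return "terminate process";
    case KAPC_IOCTL_SUSPEND:   return "suspend process";
    case KAPC_IOCTL_RESUME:    return "resume process";
    default:                   return NULL;
    }
}

int main(void) {
    const uint32_t codes[] = { KAPC_IOCTL_TERMINATE, KAPC_IOCTL_SUSPEND, KAPC_IOCTL_RESUME };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        ioctl_fields f = decode_ioctl(codes[i]);
        printf("0x%06X  device=0x%02X access=%u function=0x%03X %s  -> %s\n",
               codes[i], f.device_type, f.access, f.function,
               method_name(f.method), kapc_feature(codes[i]));
    }
    return 0;
}
```

All three codes decode to device type 0x22 (FILE_DEVICE_UNKNOWN, the value most third-party drivers use), FILE_ANY_ACCESS, and METHOD_BUFFERED with function numbers 0x825, 0x827 and 0x828. METHOD_BUFFERED means the process information the loader sends arrives in the I/O manager's system buffer, and FILE_ANY_ACCESS means no particular access right on the device handle is needed, which is consistent with a loader that simply opens the symbolic link and issues the request. The same decoding is useful when comparing other samples: a driver that uses a different device type or method for the same function numbers is not a drop-in variant of this one.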

To prevent damage from this malware, users must apply the latest Windows security update, which revokes the abused signatures, and keep Microsoft Defender signatures at version 1.377.987.0 or later. AhnLab's anti-malware product, V3, detects and blocks the malware using the aliases below.

[File Detection]
Trojan/Win32.Agent.C114064
Trojan/Win.RootkitDrv.C5311744
Trojan/Win.RootkitDrv.C5311748
Trojan/Win.RootkitDrv.C5311745
Trojan/Win.RootkitDrv.C5313281
Trojan/Win.RootkitDrv.C5313299
Trojan/Win.RootkitDrv.C5313267
Trojan/Win.RootkitDrv.C5313273
Trojan/Win.RootkitDrv.C5313261
Trojan/Win.RootkitDrv.C5313014
Trojan/Win.RootkitDrv.C5313271
Trojan/Win.RootkitDrv.C5313304
Trojan/Win.RootkitDrv.C5313297
Trojan/Win.RootkitDrv.C5313257
Trojan/Win.RootkitDrv.C5311743
Trojan/Win.RootkitDrv.C5313262
Trojan/Win.RootkitDrv.C5311747
Trojan/Win.RootkitDrv.C5313269
Trojan/Win.RootkitDrv.C5313259
Trojan/Win.RootkitDrv.C5313278
Trojan/Win.RootkitDrv.C5313296
Trojan/Win.RootkitDrv.C5311742
Trojan/Win.RootkitDrv.C5311746
Trojan/Win.RootkitDrv.C5313303
Trojan/Win.RootkitDrv.C5313265
Trojan/Win.RootkitDrv.C5311749
Trojan/Win.RootkitDrv.C5313295
Trojan/Win.RootkitDrv.C5313263
Trojan/Win.RootkitDrv.C5313260
Trojan/Win.RootkitDrv.C5313302

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.