Caution! Malware Signed With Microsoft Certificate

Microsoft announced details on the distribution of malware signed with a Microsoft certificate.[1] According to the announcement, drivers certified through the Windows Hardware Developer Program had been abused after multiple Windows developer accounts were compromised. To limit the damage, Microsoft suspended the accounts involved and released a security update (Microsoft Defender 1.377.987.0 or later).

As a security measure, Windows loads only kernel-mode drivers that are signed; an unsigned driver fails to load with an error. The malicious driver therefore needed a valid signature to function at all, and because it carried a genuine Microsoft certificate, users had no easy way to tell that the file was created with harmful intent.

These malware strains were first identified and documented by SentinelOne[2], Mandiant, and Sophos[3]. Their analyses found that the drivers were developed and used to shut down security programs as a step toward distributing ransomware. The disclosed driver file is a tool for incapacitating security programs and provides the following features.

Figure 1. Terminating process (IOCTL: 0x222094)

Figure 2. Suspending process (IOCTL: 0x22209C)

Figure 3. Resuming process (IOCTL: 0x2220A0)

The malware operates by having the loader that installed the driver send control requests to it. Each request carries an IOCTL (I/O control code) number and information about the target process. IOCTL is the communication interface between user-mode applications and drivers: a driver assigns an IOCTL number to each feature it exposes, as Figures 1-3 above show, and the loader selects a feature by sending the matching number together with the process information. According to Sophos, the processes to be terminated are listed in the loader itself, which contains the service and process names of multiple security vendors; any of those security programs can thus be incapacitated.
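The control codes in Figures 1-3 are ordinary CTL_CODE values, and decoding them is a routine triage step when examining a driver interface. The script below is an added example, not code from the original article or from AhnLab; it unpacks an IOCTL number into the DeviceType, Access, Function and Method fields that the Windows DDK's CTL_CODE macro packs together, and flags codes that look like a third-party driver's own interface (FILE_DEVICE_UNKNOWN with a function index in the OEM range 0x800-0xFFF). The three code values are taken from the figures; the labels next to them are the article's descriptions of each feature, not strings read from the driver.

```python
"""Decode Windows IOCTL control codes into their CTL_CODE fields.

Added example (not from the original article or AhnLab): a triage helper
for the control codes shown in Figures 1-3 of the article.
"""

# CTL_CODE(DeviceType, Function, Method, Access) packs its arguments as
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
METHOD_NAMES = {
    0: "METHOD_BUFFERED",
    1: "METHOD_IN_DIRECT",
    2: "METHOD_OUT_DIRECT",
    3: "METHOD_NEITHER",
}
ACCESS_NAMES = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS",
}
# Device type used by most third-party drivers that define their own interface.
FILE_DEVICE_UNKNOWN = 0x22
# Function indices 0x000-0x7FF are reserved for Microsoft; 0x800-0xFFF are
# for third-party (OEM/IHV) drivers.
CUSTOM_FUNCTION_BASE = 0x800

# Constructed table: the IOCTL values from Figures 1-3 with the article's labels.
ARTICLE_IOCTLS = {
    0x222094: "terminate process",
    0x22209C: "suspend process",
    0x2220A0: "resume process",
}


def decode_ioctl(code):
    """Split a 32-bit control code into its four CTL_CODE fields."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("IOCTL must fit in 32 bits: %#x" % code)
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


def ctl_code(device_type, function, method, access):
    """Re-pack the fields, mirroring the DDK's CTL_CODE macro."""
    if not (0 <= device_type <= 0xFFFF and 0 <= function <= 0xFFF
            and 0 <= method <= 3 and 0 <= access <= 3):
        raise ValueError("CTL_CODE field out of range")
    return (device_type << 16) | (access << 14) | (function << 2) | method


def describe_ioctl(code):
    """Human-readable one-liner for a control code."""
    f = decode_ioctl(code)
    return "%#010x: device=%#x function=%#x %s %s" % (
        code, f["device_type"], f["function"],
        METHOD_NAMES[f["method"]], ACCESS_NAMES[f["access"]])


def third_party_ioctls(codes):
    """Return, sorted, the codes that look like a third-party driver's own
    interface: FILE_DEVICE_UNKNOWN plus a function index in the OEM range."""
    return sorted(
        c for c in codes
        if decode_ioctl(c)["device_type"] == FILE_DEVICE_UNKNOWN
        and decode_ioctl(c)["function"] >= CUSTOM_FUNCTION_BASE
    )


if __name__ == "__main__":
    for code, label in ARTICLE_IOCTLS.items():
        print(describe_ioctl(code), "->", label)
    print("third-party codes:",
          [hex(c) for c in third_party_ioctls(ARTICLE_IOCTLS)])
```

All three codes decode to device type 0x22 with consecutive function indices 0x825, 0x827 and 0x828, METHOD_BUFFERED and FILE_ANY_ACCESS, which is the typical shape of a custom driver interface; the same decoding applied to codes recovered from a loader's imports or strings gives a quick picture of which driver features it drives.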

Additionally, a symbolic link named “\\.\KApcHelperLink1” is used for communication with the driver.

Figure 4. Symbolic link of the driver

To prevent damage from this malware, users must apply the latest Windows security update. AhnLab’s anti-malware product, V3, detects and blocks the malware under the aliases below.

[File Detection]
Trojan/Win32.Agent.C114064
Trojan/Win.RootkitDrv.C5311744
Trojan/Win.RootkitDrv.C5311748
Trojan/Win.RootkitDrv.C5311745
Trojan/Win.RootkitDrv.C5313281
Trojan/Win.RootkitDrv.C5313299
Trojan/Win.RootkitDrv.C5313267
Trojan/Win.RootkitDrv.C5313273
Trojan/Win.RootkitDrv.C5313261
Trojan/Win.RootkitDrv.C5313014
Trojan/Win.RootkitDrv.C5313271
Trojan/Win.RootkitDrv.C5313304
Trojan/Win.RootkitDrv.C5313297
Trojan/Win.RootkitDrv.C5313257
Trojan/Win.RootkitDrv.C5311743
Trojan/Win.RootkitDrv.C5313262
Trojan/Win.RootkitDrv.C5311747
Trojan/Win.RootkitDrv.C5313269
Trojan/Win.RootkitDrv.C5313259
Trojan/Win.RootkitDrv.C5313278
Trojan/Win.RootkitDrv.C5313296
Trojan/Win.RootkitDrv.C5311742
Trojan/Win.RootkitDrv.C5311746
Trojan/Win.RootkitDrv.C5313303
Trojan/Win.RootkitDrv.C5313265
Trojan/Win.RootkitDrv.C5311749
Trojan/Win.RootkitDrv.C5313295
Trojan/Win.RootkitDrv.C5313263
Trojan/Win.RootkitDrv.C5313260
Trojan/Win.RootkitDrv.C5313302

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
