Microsoft announced details on the distribution of malware signed with a Microsoft certificate. According to the announcement, drivers certified through the Windows Hardware Developer Program had been abused after multiple Windows developer accounts were compromised. To limit the damage, Microsoft blocked the accounts involved and released a security update (Microsoft Defender 1.377.987.0 or later).
To reduce security risks, Windows only loads kernel mode drivers that are signed. An unsigned driver cannot be loaded and produces an error. Thus, for the malicious driver in question to function at all, it needed a valid signature. Also, because a legitimate Microsoft certificate was used, users would not have been able to easily tell that the file had been created with malicious intent.
These malware strains were first identified by SentinelOne, Mandiant, and Sophos, each of which published information on them. They were found to have been developed and used to shut down security products and ultimately deploy ransomware. The driver file disclosed in these reports is a tool for disabling security products and has the following functions.
Figure 1. Terminating process (IOCTL: 0x222094)
Figure 2. Suspending process (IOCTL: 0x22209C)
Figure 3. Resuming process (IOCTL: 0x2220A0)
The malware operates by having the loader that installed the driver send certain values to the driver. The values sent are an IOCTL (Input/Output Control Code) number and information about the target process. IOCTL is a communication interface between user mode applications and drivers; a driver assigns an IOCTL number to each of its functions, as shown in Figures 1-3 above. The loader sends the IOCTL number for the desired function together with the process information. According to Sophos, the processes to be terminated are listed in the loader, which contains the names of services and processes belonging to multiple security vendors. In this way, the security products listed in the loader can be disabled.
Additionally, a symbolic link named “\\\\.\\KApcHelperLink1” is used for communication with the driver.
Figure 4. Symbolic link of the driver
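The IOCTL numbers in Figures 1-3 are not opaque values: Windows builds every control code with the documented CTL_CODE layout (device type in bits 16-31, required access in bits 14-15, function number in bits 2-13, buffering method in bits 0-1). Decoding them tells an analyst what kind of device the driver registers, which transfer method it expects, and whether the function numbers fall in the vendor-defined range (0x800 and above), all of which helps when writing detection rules for DeviceIoControl calls against the driver's device. The following decoder is an added example written for this post, not code from the original article or from any of the vendors named above; the only page-specific values it uses are the three IOCTL numbers and their functions from Figures 1-3, and the device-type table is a small subset of the documented FILE_DEVICE_* constants.

```python
"""Decode Windows IOCTL control codes into their CTL_CODE fields.

Added example (not part of the original post). The three control codes
come from Figures 1-3 above; the bit layout is the documented CTL_CODE
macro: (DeviceType << 16) | (Access << 14) | (Function << 2) | Method.
"""
from dataclasses import dataclass

# Subset of the documented FILE_DEVICE_* constants (WDK ntddk.h).
DEVICE_TYPES = {
    0x07: "FILE_DEVICE_DISK",
    0x09: "FILE_DEVICE_FILE_SYSTEM",
    0x0B: "FILE_DEVICE_KEYBOARD",
    0x12: "FILE_DEVICE_NETWORK",
    0x22: "FILE_DEVICE_UNKNOWN",
}
METHODS = {
    0: "METHOD_BUFFERED",
    1: "METHOD_IN_DIRECT",
    2: "METHOD_OUT_DIRECT",
    3: "METHOD_NEITHER",
}
ACCESS = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS",
}

# Function numbers below 0x800 are reserved by Microsoft; third-party
# drivers are expected to use 0x800 and above.
VENDOR_FUNCTION_BASE = 0x800

# Control codes and their purpose as reported in Figures 1-3.
DRIVER_IOCTLS = {
    0x222094: "terminate process",
    0x22209C: "suspend process",
    0x2220A0: "resume process",
}


@dataclass(frozen=True)
class IoctlFields:
    code: int
    device_type: int
    access: int
    function: int
    method: int

    @property
    def device_type_name(self) -> str:
        return DEVICE_TYPES.get(self.device_type, f"0x{self.device_type:04X}")

    @property
    def method_name(self) -> str:
        return METHODS[self.method]

    @property
    def access_name(self) -> str:
        return ACCESS[self.access]


def decode_ioctl(code: int) -> IoctlFields:
    """Split a 32-bit control code into its CTL_CODE fields."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("IOCTL codes are 32-bit values")
    return IoctlFields(
        code=code,
        device_type=(code >> 16) & 0xFFFF,
        access=(code >> 14) & 0x3,
        function=(code >> 2) & 0xFFF,
        method=code & 0x3,
    )


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Rebuild a control code from its fields (inverse of decode_ioctl)."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def is_vendor_defined(code: int) -> bool:
    """True when the function number lies in the third-party range."""
    return decode_ioctl(code).function >= VENDOR_FUNCTION_BASE


def describe(code: int, purpose: str = "") -> str:
    """One-line summary suitable for an analysis note or detection comment."""
    f = decode_ioctl(code)
    tag = "vendor-defined" if is_vendor_defined(code) else "reserved range"
    return (f"0x{code:06X}: device={f.device_type_name} function=0x{f.function:03X} "
            f"({tag}) method={f.method_name} access={f.access_name}"
            + (f" -> {purpose}" if purpose else ""))


if __name__ == "__main__":
    for ioctl, purpose in DRIVER_IOCTLS.items():
        print(describe(ioctl, purpose))
```

Running the script shows that all three codes target a FILE_DEVICE_UNKNOWN device with METHOD_BUFFERED transfers and function numbers 0x825, 0x827 and 0x828, i.e. consecutive vendor-defined functions on one custom device. In practice this decoded form (device type plus function number) is what you would match on when telemetry records DeviceIoControl requests against the symbolic link shown in Figure 4, rather than matching the raw 32-bit value alone.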
In order to prevent damage from this malware, users must apply the latest Windows security update. AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.