BlackCat Ransomware Deploys New Signed Kernel Driver
In late December 2022, Mandiant, Sophos, and SentinelOne reported malicious kernel drivers being signed through several Microsoft hardware developer accounts. These profiles were used in cyberattacks, including ransomware incidents, and Microsoft revoked several of the abused accounts in response.

In February 2023, a BlackCat ransomware incident revealed a new defense evasion capability built around a signed kernel driver. The driver was used together with a separate user-mode client executable to control, pause, and kill processes belonging to security agents on target endpoints. Malicious actors sign their kernel drivers in different ways: by abusing Microsoft signing portals, by using leaked or stolen certificates, or by buying signing from underground services.

The February 2023 incident shows that ransomware operators have a strong interest in obtaining privileged-level access for their payloads, and they typically pair ransomware families with low-level components to avoid detection by security products. The analyzed signed driver (ktgn.sys) was used in the February BlackCat attacks as part of the defense evasion routine. It is obfuscated with the Safengine Protector v2.4.0.0 tool, which makes static analysis unreliable. The driver's exposed IOCTL interface supports ten different commands, each implementing a specific function that is executed from the kernel driver.

Malware: BlackCat(Linux), BlackCat, BlackCat(Windows)

[View Article](https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html)
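The defender's problem the summary raises is that a driver signed through an abused Microsoft developer account passes signature checks until revocation. The following added example (not code from the Trend Micro article) triages constructed Sysmon Event ID 6 DriverLoad records by load path and by the driver name reported above; the expected driver directories and the `PLACEHOLDER-SIGNER` value are assumptions for illustration.

```python
"""Triage constructed Sysmon Event ID 6 (DriverLoad) records.

A driver signed through an abused hardware developer account still carries a
signature that validates, so these checks lean on load path and known file
names rather than signature status alone. All records are constructed for this
example and are not taken from the incident.
"""

# Driver file name reported in the article; extend with your own indicators.
KNOWN_BAD_DRIVER_NAMES = {"ktgn.sys"}

# Directories legitimate kernel drivers normally load from (assumption; tune).
EXPECTED_DIR_PREFIXES = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")

# Constructed subsets of Sysmon Event 6 fields (signer value is a placeholder).
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Users\\Public\\ktgn.sys", "Signed": "true",
     "Signature": "PLACEHOLDER-SIGNER", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Windows\\Temp\\helper.sys", "Signed": "false",
     "Signature": "-", "SignatureStatus": "Unavailable"},
]


def triage_driver_load(event):
    """Return the reasons this driver load deserves review (empty list if none)."""
    image = event["ImageLoaded"].lower()
    name = image.rsplit("\\", 1)[-1]
    reasons = []
    if name in KNOWN_BAD_DRIVER_NAMES:
        reasons.append("driver name matches incident reporting")
    if not image.startswith(EXPECTED_DIR_PREFIXES):
        reasons.append("loaded from outside the expected driver directories")
    # A valid signature does not clear a driver, but a missing or invalid one
    # is always worth a look.
    if event.get("Signed") != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("signature status " + str(event.get("SignatureStatus")))
    return reasons


def find_suspicious(events):
    """Map each flagged ImageLoaded path to its list of review reasons."""
    flagged = {}
    for event in events:
        reasons = triage_driver_load(event)
        if reasons:
            flagged[event["ImageLoaded"]] = reasons
    return flagged
```

Running `find_suspicious(SAMPLE_EVENTS)` flags the ktgn.sys load despite its valid signature, which is the point: path and name context catch what signature checking alone does not.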