New WinTapix.sys Malware Engages in Multi-Stage Attack Across Middle East
An unknown threat actor has been using a malicious Windows kernel driver called WINTAPIX (WinTapix.sys) in attacks likely targeting the Middle East since May 2020. Fortinet FortiGuard Labs attributes the malware with low confidence to an Iranian threat actor. The campaign primarily focuses on Saudi Arabia, Jordan, Qatar, and the United Arab Emirates.

The malicious kernel-mode driver aims to subvert or disable security mechanisms and gain entrenched access to the targeted host, allowing the attacker to infiltrate deeper into the system, maintain persistence, and execute additional payloads or commands. WinTapix.sys carries an invalid signature, so the threat actor must first load a legitimate but vulnerable driver and use it to load WINTAPIX. Once loaded in the kernel, it injects an embedded shellcode into a user-mode process, which executes an encrypted .NET payload. The .NET malware has backdoor and proxy features: it executes commands, downloads and uploads files, and functions as a proxy for data communication. Researchers suggest that Iranian threat actors may have used this driver alongside Exchange server attacks.

The ALPHV (aka BlackCat or Noberus) ransomware group has also been observed using a malicious signed driver to impair security defenses and escape detection. That driver, ktgn.sys, is an updated version of POORTRY signed with a stolen or leaked cross-signing certificate.

Malware: WINTAPIX

[View Article](https://thehackernews.com/2023/05/new-wintapixsys-malware-engages-in.html)
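The detection angle the summary points at is driver loading: a driver with an invalid signature has to be brought in through a legitimate but vulnerable driver, and both loads leave kernel driver-load telemetry. The following is an added example, not code from the article or from Fortinet, that triages Sysmon Event ID 6 ("Driver loaded") style records and flags three things a defender would want to see: a driver whose signature is missing or not valid, a driver loaded from outside the standard driver directories, and a driver whose SHA256 matches a blocklist of known-vulnerable drivers. The field names mirror Sysmon's event 6 (ImageLoaded, Hashes, Signed, Signature, SignatureStatus); the sample records, file paths, publisher strings, hashes and the blocklist are constructed placeholders, and the key=value line layout is an assumption about how the events were exported.

```python
"""Triage Sysmon Event ID 6 (Driver loaded) style records for suspicious driver loads.

Added example, not the article's or Fortinet's code. Field names follow Sysmon's
event 6 schema; the sample events below are constructed, and every path, hash
and publisher string in them is a placeholder rather than a real indicator.
"""
import re
from dataclasses import dataclass, field

# Matches "Key=value" pairs where the value may contain spaces (e.g. a publisher
# name); a value runs until the next " Key=" token or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Directories from which kernel drivers are normally loaded on Windows.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed sample telemetry (not real events). Three loads: a normal signed
# driver, a driver with an invalid signature from a user-writable path, and a
# validly signed driver whose hash is on a (placeholder) known-vulnerable list.
SAMPLE_EVENTS = [
    "UtcTime=2023-05-18 10:01:02.100 ImageLoaded=C:\\Windows\\System32\\drivers\\volmgr.sys "
    "Hashes=SHA256=placeholder_hash_a Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    "UtcTime=2023-05-18 10:05:40.000 ImageLoaded=C:\\Windows\\System32\\drivers\\vulnerable_example.sys "
    "Hashes=SHA256=placeholder_hash_c Signed=true Signature=placeholder vendor SignatureStatus=Valid",
    "UtcTime=2023-05-18 10:05:44.250 ImageLoaded=C:\\Users\\Public\\WinTapix.sys "
    "Hashes=SHA256=placeholder_hash_b Signed=true Signature=placeholder publisher SignatureStatus=Invalid",
]

# Placeholder blocklist: in practice this would be fed from a maintained list of
# driver hashes known to be abused for loading unsigned code into the kernel.
SAMPLE_BLOCKLIST = frozenset({"placeholder_hash_c"})


@dataclass
class Finding:
    image: str
    sha256: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Turn one exported event line into a dict of its fields."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def sha256_of(hashes_field):
    """Extract the SHA256 from a Sysmon Hashes field such as 'MD5=..,SHA256=..'."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def assess_driver_load(event, blocklist=frozenset()):
    """Apply the three checks to one parsed event and return a Finding."""
    image = event.get("ImageLoaded", "")
    reasons = []
    # 1. A driver the kernel should not trust: unsigned or signature not valid.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus", "") != "Valid":
        reasons.append("signature missing or not valid")
    # 2. Drivers staged outside the normal driver directories deserve a look.
    if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the standard driver directories")
    # 3. A validly signed but known-vulnerable driver is the usual stepping stone
    #    for loading a driver whose own signature would be rejected.
    sha = sha256_of(event.get("Hashes", ""))
    if sha and sha in blocklist:
        reasons.append("hash matches known-vulnerable driver blocklist")
    return Finding(image, sha, reasons)


def triage(lines, blocklist=frozenset()):
    """Return only the driver loads that triggered at least one check, in log order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = assess_driver_load(parse_event(line), blocklist)
        if finding.reasons:
            findings.append(finding)
    return findings


def run_sample():
    """Triage the constructed sample events against the placeholder blocklist."""
    return triage(SAMPLE_EVENTS, SAMPLE_BLOCKLIST)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.image}: {'; '.join(f.reasons)}")
```

Seen together in time order, the two findings are the pattern the summary describes: a validly signed driver on the vulnerable-driver list loads a few seconds before a driver with an invalid signature appears from a user-writable directory. Either alert alone is worth a look; the pair within a short window is a strong signal.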