
Malicious Windows Kernel Drivers Utilized in BlackCat Ransomware Attacks

Affiliates of BlackCat have been known to use several defense evasion methods in a bid to remain inside a system, undetected, for as long as they can.


Researchers have discovered an endpoint security evasion mechanism used by the group known as BlackCat. The technique helps the gang evade defenses once inside a network. The cybercrime group was observed employing signed Microsoft kernel drivers to control and terminate security processes running on protected machines.

According to the analysis, this is expected to become a standard technique in the arsenal of cybercriminals. Microsoft has since revoked multiple Microsoft hardware developer accounts that were used in these attacks.

Affiliates of BlackCat have been known to employ a variety of defense evasion techniques in order to remain undetected in a system for as long as possible. The most recent method is the use of malicious kernel drivers that have been signed through Microsoft hardware developer accounts. According to Trend Micro research, this enables attackers to impair defenses on a victimized computer by manipulating, halting, and killing numerous processes on target endpoints that are associated with security agents.

A kernel-mode driver will not load if it is not signed by a trusted certification authority. According to a Microsoft Build article, the operating system will not allow untrusted drivers to run, and workarounds such as kernel debugging and test signing are disabled on a normally configured system.
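A defender-side triage check, added here as an example that is not part of the article or of Trend Micro's research: it lists the running kernel drivers, validates each file's Authenticode signature, and flags those signed by the "Microsoft Windows Hardware Compatibility Publisher" signer, which is how drivers submitted through Microsoft's hardware developer program are signed. It assumes Windows PowerShell 5.1 or later with permission to read the driver files; the signer string and the path normalisation are assumptions made for this example.

```powershell
# Added example (not from the article): triage loaded kernel drivers by signature.
# Assumes Windows PowerShell 5.1+ and read access to the driver files under System32.

$attestationSigner = 'CN=Microsoft Windows Hardware Compatibility Publisher'

# Win32_SystemDriver covers kernel drivers; keep only those that are currently running.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$results = foreach ($d in $drivers) {
    # PathName may be prefixed with \??\ or \SystemRoot\; normalise to a plain file path.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig     = Get-AuthenticodeSignature -LiteralPath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Name              = $d.Name
        Path              = $path
        SigStatus         = $sig.Status          # Valid / NotSigned / HashMismatch / ...
        Signer            = $subject
        AttestationSigned = $subject -like "$attestationSigner*"
        SHA256            = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

# Drivers that fail validation, or that carry the hardware-program signer, deserve review.
# Many legitimate vendors ship attestation-signed drivers, so compare the SHA256 against the
# vendor's published driver rather than treating the signer alone as malicious. Inbox
# drivers signed only via a catalog can report NotSigned on older PowerShell builds.
$results |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.AttestationSigned } |
    Sort-Object AttestationSigned -Descending |
    Format-Table Name, SigStatus, Signer, Path -AutoSize
```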

Trend Micro's data shows that this strategy has been used successfully in prior attacks carried out by BlackCat this year. Typically, attackers get malicious kernel drivers signed by abusing Microsoft signing portals, utilizing leaked and stolen certificates, or using underground signing services, all of which give the cybercriminals employing these approaches an advantage.

According to the analysis, these new approaches will most likely become part of a cybercriminal's toolkit. “Because of these added layers of protection, attackers tend to opt for the path of least resistance to get their malicious code running via the kernel layer (or even lower levels). This is why we believe that such threats will not disappear from threat actors’ toolkits anytime soon.”

BlackCat ransomware, also known as ALPHV, first appeared in November 2021, hitting targets in many countries including Australia, India, and the United States, and demanding ransoms ranging from $400,000 to $3 million in Bitcoin or Monero.

The Russian group is reported to have ties to DarkSide, the group responsible for the high-profile attack on the Colonial Pipeline in 2020, which crippled the fuel supply system to the US Eastern Seaboard and prompted President Joe Biden to declare a national state of emergency.
