Undiscovered Attacks Against Middle Eastern Targets Conducted Since 2020

Businesses in the Middle East faced a series of targeted attacks over the past few years.

Over the last few years, companies in the Middle East have faced a series of targeted attacks involving a malicious kernel driver built with an open-source tool. Fortinet researchers discovered a sample of the so-called Donut tool while scanning suspicious executables that used open-source technologies.

This open-source shellcode-generation tool, as well as a variant of the Wintapix driver, were found to have been used in targeted cyberattacks against Saudi Arabia and other Middle Eastern countries. Fortinet researchers Geri Revay and Hossein Jazi stated in a blog post about their research that they believe this driver has been operational in the wild since at least mid-2020, was not reported until now, and has been employed in multiple campaigns over the previous few years.

According to Fortinet's data, there was a noteworthy increase in the number of lookups — or peaks in activity — for this driver in August and September 2022, and again in February and March 2023. This could imply that the threat actor behind the driver was running large-scale campaigns during those periods. According to the data, 65% of the lookups for the driver came from Saudi Arabia, showing that it was a primary focus.

Jazi notes that other malware families have been identified employing similar attack methods (i.e., kernel drivers), but this was a detection of a new malicious driver.

"It has new functionalities such as targeting IIS [Internet Information Services] servers, which is unique in its own accord," Jazi says.

While Jazi cannot provide any information on the exact verticals targeted, he does highlight that Iranian threat groups have a long history of attacking Saudi Arabia and other governments in the region.

According to Fortinet analysts, it is unclear how the driver was spread, and they have no idea who was behind this operation. "Observed telemetry shows that, while this driver has primarily targeted Saudi Arabia, it has also been detected in Jordan, Qatar, and the United Arab Emirates, which are classic targets of Iranian threat actors," according to the research.

Since Iranian threat actors have been known to use Microsoft Exchange Servers to distribute other malware, it is probable that this driver was used in conjunction with Exchange attacks. "To that point, the compilation time of the drivers is also aligned with times when Iranian threat actors were exploiting Exchange server vulnerabilities," the researchers stated.

At this point, it's unknown which organizations were targeted or what the attackers were after. According to Ciarán Walsh, associate research engineer at Tenable, it is entirely possible for a campaign to go undetected for an extended period of time, as this one did.

"APT1 (CommentCrew) has been noted as maintaining a presence on victim networks without detection for years during its cyberespionage campaigns," he says.

When asked if he believes the time spent undiscovered is indicative of an attacker's sophistication, Walsh answers it depends on a variety of things, including the campaign's aims.

"In espionage, the aim would be to go undetected for however long it takes to achieve those objectives," he says, "but in campaigns that aim to cause disruption such as Anonymous Sudan and its DDoS campaigns, being stealthy and maintaining a foothold in a target network is not a priority."

Walsh observes that open-source tools are more likely to be identified because the security community is aware of them, and countermeasures and remediation strategies to counter them have already been created.

"Custom tooling is much more difficult to detect as automated systems have little, if any, information about the tool to use as part of their detection mechanisms," he says. "Attackers do sometimes adopt an approach of using tools already on target systems or within target networks."

Volt Typhoon, an APT ascribed to China that Microsoft reported last week had obtained access to telecom networks and other critical infrastructure targets in the US, took this strategy.

"Living-off-the-land allows for stealth as there is no execution of any suspicious programs or scripts, which would trigger an alert," Walsh says. "The attackers instead use tools built into operating systems, which are less likely to trigger an alert, or even be deemed suspicious."