BlackCat has made a practice of using signed code in its attacks. Its latest campaign is no exception.
Signed code in the hands of cybercriminals can provide them with an unobtrusive means of accessing their targets' systems.
BlackCat ransomware group uses signed kernel driver to evade detection.
Trend Micro reports that the BlackCat ransomware gang is using a new signed kernel driver to evade detection. The researchers assess that this new kernel driver could be an updated version of signed code Mandiant, Sophos, and SentinelOne discovered in December. That coordinated disclosure by the three cybersecurity firms showed attackers abusing Microsoft developer accounts certified by Microsoft’s Hardware Developer Program to create malicious kernel drivers and use them in ransomware attacks. Trend Micro writes, “We believe that this new kernel driver is an updated version that inherited the main functionality from the samples disclosed in previous research. The driver was used with a separate user client executable in an attempt to control, pause, and kill various processes on the target endpoints related to the security agents deployed on the protected machines.” They further explain that these kernel drivers are mostly used in the evasion phases of an attack. Trend Micro assesses that this new signed kernel driver is still being developed because “it is not structured well and some of its functions currently cannot be used.”
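A driver signed through the Hardware Developer Program carries a valid Microsoft signature, so signature status alone does not separate it from legitimate third-party drivers. The following PowerShell audit is an added example, not code from Trend Micro or the report it describes; it lists the kernel drivers running on a Windows host with their Authenticode signer so that everything not signed by Microsoft's own inbox-driver publisher can be reviewed against an inventory. It assumes Windows PowerShell 5.1 or later with rights to read the driver files.

```powershell
# Added example: enumerate running kernel drivers and their Authenticode signature state.
# Assumes Windows PowerShell 5.1+ and read access to the driver binaries.
function Get-RunningDriverSignatures {
    $windir = $env:SystemRoot
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        ForEach-Object {
            # PathName may be a Win32 path, an NT path (\??\C:\...), a \SystemRoot-relative
            # path, or a bare system32-relative path; normalise all of them to a Win32 path.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $windir
            if ($path -and -not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $windir $path
            }
            if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Name       = $_.Name
                Path       = $path
                Status     = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            }
        }
}

# Review list: anything that is not a validly signed Microsoft inbox driver. This includes
# drivers signed by "Microsoft Windows Hardware Compatibility Publisher", the WHCP signer
# used for third-party drivers, because a driver obtained through an abused developer
# account reports Valid under that signer until its certificate is revoked.
$review = Get-RunningDriverSignatures |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch '^CN=Microsoft Windows,' } |
    Sort-Object Status, Name

$review | Format-Table Name, Status, Signer, Path -AutoSize
```

Compare the Name and Thumbprint columns of the review list against the organisation's approved driver inventory; a WHCP-signed driver that is not in the inventory is the case worth escalating.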
Where BlackCat gets its code-signing certificates.
Trend Micro determined that threat actors can obtain code-signing certificates by purchasing leaked certificates on the dark web, abusing Microsoft’s portal, or impersonating legitimate entities. “For organizations, compromised keys present not only a security risk, but can also lead to a loss of reputation and trust in the original signed software. Businesses should aim to protect their certificates by implementing best practices such as reducing access to private keys, which reduces the risk of unauthorized access to the certificate. Employing strong passwords and other authentication methods for private keys can also help protect them from being stolen or compromised by malicious actors. Furthermore, using separate test signing certificates (for prerelease code used in test environments) minimizes the chances that the actual release signing certificates are abused in an attack.”
Certificates can be abused just as can credentials.
James McQuiggan, Security Awareness Advocate at KnowBe4, commented that this technique is the sort of approach an adaptable adversary can be expected to adopt.
"Cybercriminals continue to evolve their attack methods, leveraging certificates like stolen IDs, trying to spoof their identity, and hiding their malicious acts. Knowing that Microsoft revokes hardware developer accounts that are abused in these attacks emphasizes the severity of the threat, and organizations should take proactive measures to ensure their systems are protected against such attacks. As cyber threats continue to evolve, individuals and organizations must stay informed of the latest techniques utilized by cybercriminals. To protect against such attacks, users and organizations should ensure their systems are up to date with the latest security patches and employ multi-layered security measures such as firewalls, antivirus software, and intrusion detection systems. While protecting the technology, organizations must also protect their end users with a robust security awareness training program complete with assessments, tools, and resources for end users to report malicious activity and socially engineered emails."