
A Clear and Present Danger Lurking in Win 10/11 - Continued



Since my earlier thread on this issue has been closed: https://forum.eset.com/topic/32841-a-clear-and-present-danger-lurking-in-windows-1011/#comment-153631 , here's the latest incident on this very serious issue.


I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware

Mandiant has continually observed threat actors use compromised, stolen, and illicitly purchased code-signing certificates to sign malware, lending legitimacy and subverting security controls such as application allow-listing policies. Attestation signed drivers take the trust granted to them by the CA and transfer it to a file whose Authenticode signature originates from Microsoft itself. We assess with high confidence that threat actors have subverted this process using illicitly obtained EV code signing certificates to submit driver packages via the attestation signing process, and in effect have their malware signed by Microsoft directly.

Threat Data and Observations

Mandiant has observed UNC3944 utilizing malware that has been signed via the attestation signing process. UNC3944 is a financially motivated threat group that has been active since at least May 2022 and commonly gains initial network access using stolen credentials obtained from SMS phishing operations. In some cases, the group’s post-compromise objectives have focused on accessing credentials or systems used to enable SIM swapping attacks, likely in support of secondary criminal operations occurring outside of victim environments.

UNC3944 has been observed deploying both STONESTOP and POORTRY as early as August 2022.



Additional reference here: https://www.bleepingcomputer.com/news/microsoft/microsoft-signed-malicious-windows-drivers-used-in-ransomware-attacks/

I again ask: is it not time for Eset to start warning about attempted attestation-signed driver installation?

Edited by itman
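The post above asks for products to warn on attestation-signed driver installs. The following PowerShell script is an added example written for this thread (it is not code from the forum, Mandiant, or ESET) showing how a defender can find such drivers on a host today: it walks the drivers the Service Control Manager knows about and classifies each by the Enhanced Key Usage (EKU) OIDs in its primary Authenticode signer certificate. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows 10/11, and uses Microsoft's published EKU OIDs: 1.3.6.1.4.1.311.10.3.5.1 (Windows Hardware Driver Attested Verification) for attestation-signed drivers, 1.3.6.1.4.1.311.10.3.5 (Windows Hardware Driver Verification) for WHQL, and 1.3.6.1.4.1.311.10.3.6 (Windows System Component Verification) for Microsoft's own components. The function and variable names are my own.

```powershell
# Added example for this thread (not code from the forum, Mandiant or ESET):
# enumerate kernel drivers and classify each by the EKU OIDs in its primary
# Authenticode signer certificate, so attestation-signed drivers can be triaged.
# Assumed environment: Windows 10/11, elevated Windows PowerShell 5.1 or PowerShell 7.

$EkuClass = @{
    '1.3.6.1.4.1.311.10.3.5.1' = 'Attestation-signed (Hardware Compatibility Publisher)'
    '1.3.6.1.4.1.311.10.3.5'   = 'WHQL-signed'
    '1.3.6.1.4.1.311.10.3.6'   = 'Windows system component'
}

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName may carry NT-style prefixes; normalise to a Win32 path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^[Ss]ystem32\\', "$env:SystemRoot\System32\"
    if (Test-Path -LiteralPath $p) { return $p }
    return $null
}

function Get-SignerEkuOids {
    # Read the EKU OIDs directly from the X.509 extension (works on 5.1 and 7).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert) { return @() }
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-DriverSigningClass {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path   # primary signature only
    $cert = $sig.SignerCertificate
    $oids = Get-SignerEkuOids -Cert $cert
    # Check the more specific attestation OID before the WHQL one.
    $class = 'Other (vendor / cross-signed / unknown)'
    foreach ($oid in '1.3.6.1.4.1.311.10.3.5.1', '1.3.6.1.4.1.311.10.3.5', '1.3.6.1.4.1.311.10.3.6') {
        if ($oids -contains $oid) { $class = $EkuClass[$oid]; break }
    }
    if ($sig.Status -ne 'Valid') { $class = "Unsigned or invalid ($($sig.Status))" }
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Class  = $class
        Signer = if ($cert) { $cert.Subject } else { $null }
        Ekus   = ($oids -join ',')
        SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# Every driver registered with the Service Control Manager (running or not) ...
$results = Get-CimInstance Win32_SystemDriver |
    ForEach-Object { Resolve-DriverPath $_.PathName } |
    Where-Object { $_ } |
    Sort-Object -Unique |
    ForEach-Object { Get-DriverSigningClass -Path $_ }

# ... with attestation-signed files listed first: a valid Microsoft signature on
# these only proves that someone holding an EV certificate submitted the package.
$results |
    Sort-Object @{ Expression = { $_.Class -like 'Attestation*' }; Descending = $true }, Path |
    Format-Table Class, Signer, SHA256, Path -AutoSize
```

Two caveats for anyone running this. Get-AuthenticodeSignature reads only the primary signature; a driver that was first signed by the vendor's EV certificate and then attestation-signed carries nested signatures, so use `signtool verify /v /pa /all <file>` when you need to see every signer. And "attestation-signed" is a triage bucket, not a verdict: most entries will be legitimate third-party drivers, so the SHA256 column is there to check against your allow-list or a reputation service before treating anything as the STONESTOP/POORTRY case described above.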

For those who missed this posting in the Malware section of the forum: https://forum.eset.com/topic/34454-new-whql-rootkits/ , a China based individual posted that he had submitted to Eset Virus Lab 31 attestation signed kernel mode drivers that were rootkits.

At the time of the posting, which was a month ago, only one vendor at VirusTotal, CrowdStrike Falcon, detected these drivers as suspicious with a final malicious verdict. It took Eset Virus Lab two days to determine that these drivers were indeed malicious rootkit drivers and issue a signature for them. Assume that if the poster had never submitted these drivers to VT, they would still be floating around in the wild infecting Windows installations.

I again ask: is it not time for Eset to start warning about attempted attestation-signed driver installation?

Edited by itman

