itman Posted December 14, 2022 (edited)

Since my earlier thread on this issue has been closed: https://forum.eset.com/topic/32841-a-clear-and-present-danger-lurking-in-windows-1011/#comment-153631 , here's the latest incident on this very serious issue.

Quote:

I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware

Mandiant has continually observed threat actors use compromised, stolen, and illicitly purchased code-signing certificates to sign malware, lending legitimacy and subverting security controls such as application allow-listing policies. Attestation signed drivers take the trust granted to them by the CA and transfer it to a file whose Authenticode signature originates from Microsoft itself. We assess with high confidence that threat actors have subverted this process using illicitly obtained EV code signing certificates to submit driver packages via the attestation signing process, and in effect have their malware signed by Microsoft directly.

Threat Data and Observations

Mandiant has observed UNC3944 utilizing malware that has been signed via the attestation signing process. UNC3944 is a financially motivated threat group that has been active since at least May 2022 and commonly gains initial network access using stolen credentials obtained from SMS phishing operations. In some cases, the group's post-compromise objectives have focused on accessing credentials or systems used to enable SIM swapping attacks, likely in support of secondary criminal operations occurring outside of victim environments. UNC3944 has been observed deploying both STONESTOP and POORTRY as early as August 2022.

https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware

Additional reference here: https://www.bleepingcomputer.com/news/microsoft/microsoft-signed-malicious-windows-drivers-used-in-ransomware-attacks/

I again ask: is it not time Eset start warning about attempted attestation signed driver installation?

Edited December 14, 2022 by itman
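The post above quotes Mandiant on why an attestation-signed driver is dangerous: the Authenticode signer is Microsoft, so nothing in the signature identifies the party that actually submitted the package. The following PowerShell is an added example for readers who want to inventory their own machine; it is not code from itman, ESET or Mandiant. It relies on one fact about how these drivers are signed: WHQL-signed and attestation-signed drivers share the same Microsoft signer, but the leaf certificate carries a different Enhanced Key Usage, `1.3.6.1.4.1.311.10.3.5` (Windows Hardware Driver Verification, WHQL) versus `1.3.6.1.4.1.311.10.3.5.1` (Windows Hardware Driver Attested Verification). Everything else (function names, the path normalisation rules, the report columns) is my own construction.

```powershell
# Added example (not from the forum thread or from Mandiant): classify the kernel
# drivers currently running by the EKU on the Authenticode leaf certificate.
# Attestation-signed and WHQL-signed drivers carry the same Microsoft signer
# ("Microsoft Windows Hardware Compatibility Publisher"); the EKU tells them apart.
$AttestationEku = '1.3.6.1.4.1.311.10.3.5.1'   # Windows Hardware Driver Attested Verification
$WhqlEku        = '1.3.6.1.4.1.311.10.3.5'     # Windows Hardware Driver Verification (WHQL)

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName is returned in several spellings
    # (\??\C:\..., \SystemRoot\system32\..., system32\drivers\...); normalise to a Win32 path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    return $p
}

function Get-DriverSigningClass {
    # Returns one record per driver file: signature status, signing class, signer, and
    # the PE version resource. With attestation signing the signer is always Microsoft,
    # so CompanyName/FileDescription are the only self-declared vendor identity on the
    # file, and they are attacker-chosen text, not a verified identity.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $ver = (Get-Item -LiteralPath $Path).VersionInfo
    $result = [ordered]@{
        Path        = $Path
        Status      = $sig.Status.ToString()
        Class       = 'Unsigned/Catalog'   # inbox drivers are catalog-signed and show NotSigned here
        Signer      = $null
        Thumbprint  = $null
        CompanyName = $ver.CompanyName
        Description = $ver.FileDescription
    }
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
        # EnhancedKeyUsageList is the PowerShell-added view of the leaf certificate's EKU extension.
        $ekus = @($sig.SignerCertificate.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        if     ($ekus -contains $AttestationEku) { $result.Class = 'Attestation' }
        elseif ($ekus -contains $WhqlEku)        { $result.Class = 'WHQL' }
        else                                     { $result.Class = 'OtherEmbedded' }
        $result.Signer     = $sig.SignerCertificate.Subject
        $result.Thumbprint = $sig.SignerCertificate.Thumbprint
    }
    return [pscustomobject]$result
}

function Get-LoadedDriverSigningReport {
    # Only drivers that are actually loaded: that is the population an attestation-signed
    # rootkit has to join to do anything.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object { Resolve-DriverPath $_.PathName } |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
        Sort-Object -Unique |
        ForEach-Object { Get-DriverSigningClass -Path $_ }
}

$report = Get-LoadedDriverSigningReport
$report | Group-Object Class | Select-Object Name, Count | Format-Table -AutoSize

# The attestation bucket is the one to triage. Every entry carries Microsoft's signature,
# but Microsoft only confirmed that the submitter held an EV certificate; stolen EV
# certificates are exactly the scenario the thread describes.
$report | Where-Object Class -eq 'Attestation' |
    Format-Table Path, CompanyName, Description, Thumbprint -AutoSize
```

Two caveats when reading the output. Attestation-signed is not the same as malicious: plenty of legitimate vendors skip the HLK tests, so the list is a triage set to compare against what you know is installed, not a verdict. And because the signature itself says nothing about the submitter, a mismatch between the driver's CompanyName/FileDescription, the service that loads it and any software you actually installed is the signal to chase; the Microsoft signer subject will look identical on every entry.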
itman (Author) Posted December 14, 2022 (edited)

For those who missed this posting in the Malware section of the forum: https://forum.eset.com/topic/34454-new-whql-rootkits/ , a China-based individual posted that he had submitted to Eset Virus Lab 31 attestation signed kernel mode drivers that were rootkits. At the time of the posting, which was a month ago, only one vendor at VirusTotal detected these drivers, which was CrowdStrike Falcon, as suspicious with a final malicious verdict. It took Eset Virus Lab two days to determine that these drivers were indeed malicious rootkit drivers and issue a signature for them. Assume that if the poster had never submitted these drivers to VT, they would still be floating around in the wild infecting Windows installations.

I again ask: is it not time Eset start warning about attempted attestation signed driver installation?

Edited December 15, 2022 by itman
itman (Author) Posted January 5, 2023

Add this one to the attestation signed driver victims list.

Bluebottle hackers used signed Windows driver in attacks on banks
https://www.bleepingcomputer.com/news/security/bluebottle-hackers-used-signed-windows-driver-in-attacks-on-banks/