An end-point security evasion technique by ransomware gang BlackCat has been uncovered by researchers. The new procedure cloaks the gang’s defensive manoeuvres when inside a network. The cybercrime group has been found using signed Microsoft kernel drivers to control and kill security processes deployed on protected machines. This is likely to become a fixture in the cybercriminal toolkit, states the report.
Microsoft has subsequently revoked several Microsoft hardware developer accounts that were abused in these attacks.
End-point security evasion technique of BlackCat ransomware uncovered
Affiliates of BlackCat have been known to use several methods of defence evasion, in a bid to remain in a system, undetected, for as long as they can. The most recent technique is the use of malicious kernel drivers, signed through Microsoft hardware developer accounts.
This helps to impair defences on a victimised machine by controlling, pausing and killing various processes on target end-points related to security agents, states the research from security vendor Trend Micro.
If a kernel-mode driver is not signed by a trusted certification authority it will not run. The operating system will not allow untrusted drivers to work and standard mechanisms like kernel debugging and test signing will not be permitted, explains a post by Microsoft Build.
Trend Micro’s research demonstrates the success of this technique through previous attacks carried out by BlackCat this year. Typically, by abusing Microsoft signing portals, using leaked and stolen certificates or using underground servers, cybercriminals are able to sign malicious kernel drivers, which can give cybercriminals deploying these techniques higher levels of access.
These new techniques will probably become a fixture of a cybercriminal toolkit, states the report. “Because of these added layers of protection, attackers tend to opt for the path of least resistance to get their malicious code running via the kernel layer (or even lower levels). This is why we believe that such threats will not disappear from threat actors’ toolkits anytime soon.”
Who are BlackCat?
Also known as AlphaV, BlackCat ransomware first appeared in November 2021, attacking targets in multiple countries including Australia, India and the US, demanding ransoms ranging from $400,000-$3m in cryptocurrencies Bitcoin or Monero.
The Russian gang is thought to have connections to another group, DarkSide, which carried out the notorious attack on the Colonial Pipeline in 2020, which disrupted the oil supply chain to the US Eastern Seaboard and prompted President Joe Biden to declare a national state of emergency.
Earlier this year Munster Technology University in Ireland fell victim to a ransomware attack by BlackCat. The gang stole 6GB of data from the university, including personal information of staff and students, and released it onto the dark web when representatives of MTU refused to cooperate.
Other high-profile victims include the Ecuadorian Army, and US Defence intelligence company the NJVC, though there was no evidence of data from the latter being posted online.