Research has revealed how the Russian gang’s malware remains hidden in systems and gets around end-point security.
Researchers have uncovered an end-point security evasion technique used by the BlackCat ransomware gang. The technique conceals the gang's evasive manoeuvres once it is inside a network.
The POORTRY malware is a Windows kernel driver that is signed using stolen keys belonging to legitimate accounts in Microsoft’s Windows Hardware Development Program.
This malicious driver, used by the hacking group UNC3944 (also known as 0ktapus and Scattered Spider), shuts down security software running on a Windows device so that the intrusion goes undetected.
Trend Micro said that ransomware actors tried to use the Microsoft-signed POORTRY driver, but due to the publicity it received and the subsequent revocation of the code signing keys, its detection rates were high.
These new techniques will probably become a fixture of the cybercriminal toolkit, states the report. “Because of these added layers of protection, attackers tend to opt for the path of least resistance to get their malicious code running via the kernel layer.”
The new driver used by the BlackCat ransomware gang helps it to elevate its privileges on infected machines and then stop processes related to security agents.
Additionally, it may provide a loose connection between the ransomware gang and the UNC3944/Scattered Spider hacking group.
To mitigate the risks, system administrators are advised to utilize the indicators of compromise provided by Trend Micro and add the identified drivers to the Windows driver blocklist.
File name    Hash (SHA-1)                              Detection name
yixowv.exe   17bd8fda268cbb009508c014b7c0ff9d8284f850  Ransom.Win32.BLACKCAT.SMYPCC5
cor.exe      78cd4dfb251b21b53592322570cc32c6678aa468  Ransom.Win32.BLACKCAT.SMYPCC5
trj.exe      c2387833f4d2fbb1b54c8f8ec8b5b34f1e8e2d91  Trojan.Win64.STONESTOP.A
dkrtk.sys    91568d7a82cc7677f6b13f11bea5c40cf12d281b  Trojan.Win64.VMPROTECT.R002C0RA
fgme.sys     0bec69c1b22603e9a385495fbe94700ac36b28e5  Troj.Win32.TRX.XXPE50F13019
ktes.sys     5ed22c0033aed380aa154e672e8db3a2d4c195c4  Troj.Win32.TRX.XXPE50F13019
kt2.sys      cb25a5125fb353496b59b910263209f273f3552d  Troj.Win32.TRX.XXPE50F13019
ktgn.sys     994e3f5dd082f5d82f9cc84108a60d359910ba79  Rootkit.Win64.POORTRY.A
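As an added example of how an administrator might act on the indicators above (this script is not Trend Micro's tooling), the following PowerShell sweeps the kernel drivers registered on a host and those in the drivers folder, compares their SHA-1 hashes with the article's table, and reports each hit's load state and Authenticode signer, since a seemingly valid signature is exactly what makes POORTRY slip past checks. It assumes an elevated prompt on Windows 10 or later; the hashes are copied from the table, and Resolve-DriverPath is a helper written here.

```powershell
# Added example, not Trend Micro's tooling: hunt for the article's driver IoCs
# on a Windows host and show whether each hit is loaded and how it is signed.
# Run from an elevated PowerShell prompt.

# SHA-1 values copied from the article's IoC table.
$Iocs = @{
    '17bd8fda268cbb009508c014b7c0ff9d8284f850' = 'yixowv.exe / Ransom.Win32.BLACKCAT.SMYPCC5'
    '78cd4dfb251b21b53592322570cc32c6678aa468' = 'cor.exe / Ransom.Win32.BLACKCAT.SMYPCC5'
    'c2387833f4d2fbb1b54c8f8ec8b5b34f1e8e2d91' = 'trj.exe / Trojan.Win64.STONESTOP.A'
    '91568d7a82cc7677f6b13f11bea5c40cf12d281b' = 'dkrtk.sys / Trojan.Win64.VMPROTECT.R002C0RA'
    '0bec69c1b22603e9a385495fbe94700ac36b28e5' = 'fgme.sys / Troj.Win32.TRX.XXPE50F13019'
    '5ed22c0033aed380aa154e672e8db3a2d4c195c4' = 'ktes.sys / Troj.Win32.TRX.XXPE50F13019'
    'cb25a5125fb353496b59b910263209f273f3552d' = 'kt2.sys / Troj.Win32.TRX.XXPE50F13019'
    '994e3f5dd082f5d82f9cc84108a60d359910ba79' = 'ktgn.sys / Rootkit.Win64.POORTRY.A'
}

function Resolve-DriverPath([string]$raw) {
    # Helper written for this example: Win32_SystemDriver.PathName comes in several
    # forms (\??\C:\..., \SystemRoot\..., system32\...); normalise to a plain path.
    $p = $raw -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^(system32|SysWOW64)\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Candidate set: every registered kernel driver image (with its service state)
# plus every .sys in the drivers folder that is not registered as a service.
$candidates = @{}
foreach ($d in Get-CimInstance Win32_SystemDriver) {
    if ($d.PathName) { $candidates[(Resolve-DriverPath $d.PathName).ToLower()] = $d.State }
}
Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter *.sys -File | ForEach-Object {
    $k = $_.FullName.ToLower()
    if (-not $candidates.ContainsKey($k)) { $candidates[$k] = 'OnDiskOnly' }
}

$hits = foreach ($path in $candidates.Keys) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sha1 = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash.ToLower()
    if ($Iocs.ContainsKey($sha1)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Path      = $path
            Indicator = $Iocs[$sha1]
            State     = $candidates[$path]     # 'Running' means it is loaded in the kernel now
            SigStatus = $sig.Status            # can still read 'Valid' until the revocation update lands
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}
if ($hits) { $hits | Format-Table -AutoSize } else { 'No driver matching the listed indicators found.' }
```

A hit whose State is Running should be treated as an active incident, not merely a file to delete, because the driver has already had the chance to tamper with the security agents on that host.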