Alphv (Blackcat) Using Malicious Windows Drivers
TL;DR: Affiliates of the ALPHV ransomware group (also referred to as Blackcat) have been observed using malicious, but signed, Windows kernel drivers to evade detection, disable security tools, obtain persistence, and deploy ransomware. We’ve included a list of offending SHA1 hashes at the end of this article for import into your EDR / SIEM tools.
Background
According to Trend Micro’s security research team, the latest execution technique employed by ALPHV affiliates involves the use of a signed Windows kernel driver (ktgn.sys). This technique was analyzed and published by Mandiant / Sentinel One / Sophos back in December of 2022.
Code Signing Exploit
In a basic sense, signed code is “trusted” by the operating system. Getting malicious code signed with a reputable certificate is generally accomplished in one of two ways:
- Using a stolen code signing certificate. The certificate is either stolen directly from its owner or purchased through an illegal auction or black market site.
- Impersonation. The malicious actor obtains a new code signing certificate by impersonating a legitimate entity, or takes advantage of the code signing portal created by Microsoft for signing kernel modules to purchase a new code signing certificate or Extended Validation (EV) cert.
With this part out of the way, it’s on to exploitation…
How it Works
Kernel drivers are essential to the operation of Windows (well, any OS for that matter) and require complete access to the software, hardware interfaces, and I/O devices of the system. As such, kernel space is an attractive area for attackers looking to gain code execution, bypass security controls, install persistence (e.g., rootkits), and manipulate (e.g., man-in-the-middle) various data flowing in and out of the system.
Because of its unrestricted access, it’s also possible to manipulate or kill other processes, and that’s exactly how ALPHV is using this technique—to kill security tools running on the host prior to infection. Side note, even if the Microsoft signing certificate has been revoked, this driver will still load on x64 Windows systems with enforced signing policies. Go figure.
In the case of this malicious driver, an IOCTL interface (used for input and/or output control) is exposed, and the user agent (tjr.exe) can then access this interface to send commands to the driver, which are executed with kernel privileges.
As demonstrated in the above image, this kernel driver abuse can be used to evade detection and drop malicious files directly onto the host.
“The User Agent tjr.exe, which is protected via a virtual machine, drops the kernel driver to the user temporary directory C:\%User%\AppData\Local\Temp\Ktgn.sys. It then installs the dropped driver with the name ktgn and the start value = System (to start when the system restarts). From our analysis of what occurs when a user interfaces with this driver, we observed that it only uses one of the exposed Device Input and Output Control (IOCTL) code — Kill Process, which is used to kill security agent processes installed on the system.” - Trend Micro
The IOCTL interface exposed by this driver has limited uses and supports the following 10 commands:
IOCTL Code | Function
---|---
222088h | Activate Driver
22208Ch | Deactivate Driver
222094h | Kill Process
222184h | Delete File
222188h | Force Delete File
22218Ch | Copy File
222190h | Force Copy File
2221C8h | Register Process/Thread Object notification
2221C4h | Unregister Process/Thread Object notification
222264h | Reboot the system
For brevity, we’ll simply note that Trend Micro has a detailed analysis for each of these codes and it is their opinion that this driver is still in development as not all codes have been implemented correctly (and/or do not work).
“Based on our analysis of the kernel driver, it seems to still be under development and testing since it is not structured well and some of its functions currently cannot be used.” - Trend Micro
If you’re still curious, see Trend’s detailed analysis (link at the bottom of this post) for more details.
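To make the IOCTL table above usable for triage, here is an added Python example (not code from this article or from Trend Micro’s analysis) that splits each control code into its CTL_CODE fields and flags the destructive commands; the `Ioctl` dataclass and the function names are my own.

```python
from dataclasses import dataclass
# Windows builds a control code with the CTL_CODE macro:
#   code = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
# so any observed code can be split back into those four fields.
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
# The ten commands from the table in the article, keyed by control code.
KTGN_IOCTLS = {
    0x222088: "Activate Driver",
    0x22208C: "Deactivate Driver",
    0x222094: "Kill Process",
    0x222184: "Delete File",
    0x222188: "Force Delete File",
    0x22218C: "Copy File",
    0x222190: "Force Copy File",
    0x2221C8: "Register Process/Thread Object notification",
    0x2221C4: "Unregister Process/Thread Object notification",
    0x222264: "Reboot the system",
}
# Commands that damage the host on their own; worth an alert per occurrence.
DESTRUCTIVE = {0x222094, 0x222184, 0x222188, 0x222264}

@dataclass(frozen=True)
class Ioctl:
    code: int
    device_type: int
    function: int
    method: str
    access: str

def decode_ioctl(code: int) -> Ioctl:
    """Split a 32-bit control code into its CTL_CODE fields."""
    return Ioctl(code, (code >> 16) & 0xFFFF, (code >> 2) & 0xFFF,
                 METHODS[code & 0x3], ACCESS[(code >> 14) & 0x3])

def classify(code: int) -> dict:
    """Annotate one observed control code for triage."""
    f = decode_ioctl(code)
    return {
        "name": KTGN_IOCTLS.get(code, "unknown"),
        "destructive": code in DESTRUCTIVE,
        # 0x22 is FILE_DEVICE_UNKNOWN; function numbers 0x800 and up are
        # the range Microsoft reserves for third-party drivers.
        "vendor_defined": f.device_type == 0x22 and f.function >= 0x800,
        "fields": f,
    }

def triage(observed: list[int]) -> list[str]:
    """Names of destructive ktgn commands seen in a captured IOCTL sequence."""
    return [KTGN_IOCTLS[c] for c in observed if c in DESTRUCTIVE]
```

Decoding shows every code in the table uses FILE_ANY_ACCESS and METHOD_BUFFERED, i.e. any process holding a handle to the device object can issue them.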
Signatures and IoCs
The Signers “BopSoft” and “YI ZENG” have explicitly revoked the compromised code signing certificates.
Static detections for the ktgn.sys driver are made difficult since the driver is being obfuscated by Safengine protector v2.4.0.0.
Our dark web and threat intelligence team has published the following SHA1 IOCs:
The full writeup from Trend can be found here.