TL;DR: Affiliates of the ALPHV ransomware group (also referred to as BlackCat) have been observed using malicious, but signed, Windows kernel drivers to evade detection, disable security tools, obtain persistence, and deploy ransomware. We've included a list of offending SHA1 hashes at the end of this article for import into your EDR / SIEM tools.

Background

According to Trend Micro's security research team, the latest execution technique employed by ALPHV affiliates involves a signed Windows kernel driver (ktgn.sys). This technique was analyzed and published by Mandiant, SentinelOne and Sophos back in December 2022.

Code Signing Exploit

In a basic sense, code that carries a valid signature is "trusted" by the operating system. A malicious actor generally obtains a signature from a reputable certificate in one of two ways:

  • Using a stolen code signing certificate. The certificate is usually stolen directly from its owner or purchased through an illegal auction or black market site.
  • Impersonation. The malicious actor obtains a new code signing certificate or Extended Validation (EV) certificate by impersonating a legitimate entity, or takes advantage of the portal Microsoft provides for signing kernel modules to do the same.

With this part out of the way, it’s on to exploitation…

[Image: exploitation diagram]

How it Works

Kernel drivers are essential to the operation of Windows (or any OS, for that matter) and require complete access to the software, hardware interfaces, and I/O devices of the system. As such, kernel space is an attractive area for attackers looking to gain code execution, bypass security controls, install persistence (e.g., rootkits), and manipulate (e.g., man-in-the-middle) data flowing in and out of the system.

Because of its unrestricted access, a kernel driver can also manipulate or kill other processes, and that's exactly how ALPHV is using this technique: to kill security tools running on the host prior to infection. Side note: even if the Microsoft signing certificate has been revoked, this driver will still load on x64 Windows systems with enforced signing policies. Go figure.

In the case of this malicious driver, an IOCTL (input and output control) interface is exposed, and the user agent (tjr.exe) uses this interface to send commands to the driver, which then executes them with kernel privileges.

[Image: exploitation diagram 2]

As shown in the above image, this kernel driver abuse can be used to evade detection and drop malicious files directly onto the host.

“The User Agent tjr.exe, which is protected via a virtual machine, drops the kernel driver to the user temporary directory C:\%User%\AppData\Local\Temp\Ktgn.sys. It then installs the dropped driver with the name ktgn and the start value = System (to start when the system restarts). From our analysis of what occurs when a user interfaces with this driver, we observed that it only uses one of the exposed Device Input and Output Control (IOCTL) code — Kill Process, which is used to kill security agent processes installed on the system.” - Trend Micro

The IOCTL interface exposed by this driver has limited uses and supports these 10 commands:

IOCTL Code | Function
-----------|----------------------------------------------
222088h    | Activate Driver
22208Ch    | Deactivate Driver
222094h    | Kill Process
222184h    | Delete File
222188h    | Force Delete File
22218Ch    | Copy File
222190h    | Force Copy File
2221C8h    | Register Process/Thread Object notification
2221C4h    | Unregister Process/Thread Object notification
222264h    | Reboot the system
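To make sense of the control codes in the table (and the IOCTL mechanism described above), it helps to unpack them the way Windows packs them. Every IOCTL is built with the WDK's CTL_CODE macro, which combines a device type, an access mask, a 12-bit function number and a buffering method into one 32-bit value. The decoder below is an added example written for this post, not code from the article or from Trend Micro; it uses the documented Windows field layout and the code-to-purpose table from the article, and the field names (device_type, access, function, method) are the macro's own. Running it shows that all ten codes share device type 0x22 (FILE_DEVICE_UNKNOWN, the usual choice for a third-party driver), use METHOD_BUFFERED with FILE_ANY_ACCESS, and carry vendor-range function numbers that fall into small adjacent groups, which matches how the driver's commands are grouped in the table.

```python
"""Decode the ktgn.sys IOCTL codes into their CTL_CODE fields.

CTL_CODE(DeviceType, Function, Method, Access) =
    (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
"""
from __future__ import annotations

from dataclasses import dataclass

# Documented Windows values (wdm.h / ntddk.h).
FILE_DEVICE_UNKNOWN = 0x22
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# The code-to-purpose table from the article (Trend Micro's analysis).
KTGN_IOCTLS = {
    0x222088: "Activate Driver",
    0x22208C: "Deactivate Driver",
    0x222094: "Kill Process",
    0x222184: "Delete File",
    0x222188: "Force Delete File",
    0x22218C: "Copy File",
    0x222190: "Force Copy File",
    0x2221C8: "Register Process/Thread Object notification",
    0x2221C4: "Unregister Process/Thread Object notification",
    0x222264: "Reboot the system",
}


@dataclass(frozen=True)
class Ioctl:
    code: int
    device_type: int
    access: int
    function: int
    method: int

    @property
    def vendor_defined(self) -> bool:
        # Function numbers below 0x800 are reserved for Microsoft;
        # third-party drivers are expected to use 0x800 and above.
        return self.function >= 0x800


def decode_ioctl(code: int) -> Ioctl:
    """Split a 32-bit control code into its CTL_CODE fields."""
    return Ioctl(
        code=code,
        device_type=(code >> 16) & 0xFFFF,
        access=(code >> 14) & 0x3,
        function=(code >> 2) & 0xFFF,
        method=code & 0x3,
    )


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Python port of the CTL_CODE macro, used to round-trip the decode."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def describe(code: int) -> str:
    """One human-readable line per code, e.g. for an analysis notebook."""
    i = decode_ioctl(code)
    dev = "FILE_DEVICE_UNKNOWN" if i.device_type == FILE_DEVICE_UNKNOWN else f"0x{i.device_type:X}"
    return (f"0x{code:06X}  dev={dev} func=0x{i.function:03X} "
            f"{METHOD_NAMES[i.method]} {ACCESS_NAMES[i.access]}  "
            f"{KTGN_IOCTLS.get(code, 'unknown')}")


def function_numbers(table: dict[int, str] = KTGN_IOCTLS) -> list[int]:
    """Vendor function numbers in ascending order; runs of adjacent numbers
    usually correspond to related cases in the driver's dispatch switch."""
    return sorted(decode_ioctl(c).function for c in table)


if __name__ == "__main__":
    for c in sorted(KTGN_IOCTLS):
        print(describe(c))
```

The function-number view is the useful one for an analyst: 0x822/0x823/0x825 (driver control and kill), 0x861 to 0x864 (file operations), 0x871/0x872 (object notification callbacks) and 0x899 (reboot) are four distinct groups, which is consistent with Trend Micro's remark that the driver looks like a work in progress with room left between the groups.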

For brevity, we'll simply note that Trend Micro has a detailed analysis of each of these codes, and it is their opinion that this driver is still in development, as not all codes have been implemented correctly (and/or do not work).

“Based on our analysis of the kernel driver, it seems to still be under development and testing since it is not structured well and some of its functions currently cannot be used.” - Trend Micro

If you're still curious, see Trend Micro's detailed analysis (link at the bottom of this post) for more details.

Signatures and IoCs

  1. The signers "BopSoft" and "YI ZENG" have explicitly revoked the compromised code signing certificates.
  2. Static detection of the ktgn.sys driver is made difficult because the driver is obfuscated with Safengine Protector v2.4.0.0.
  3. Our dark web and threat intelligence team has published the following SHA1 IOCs:

SHA1 Hashes

* 17bd8fda268cbb009508c014b7c0ff9d8284f850  
* 78cd4dfb251b21b53592322570cc32c6678aa468  
* c2387833f4d2fbb1b54c8f8ec8b5b34f1e8e2d91  
* 91568d7a82cc7677f6b13f11bea5c40cf12d281b  
* 0bec69c1b22603e9a385495fbe94700ac36b28e5  
* 5ed22c0033aed380aa154e672e8db3a2d4c195c4  
* cb25a5125fb353496b59b910263209f273f3552d  
* 994e3f5dd082f5d82f9cc84108a60d359910ba79  
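Since static signatures are hampered by the packer, the two cheap checks a defender can run are a hash match against the list above and a behavioural check on how the driver is installed (a .sys file dropped into a user's Temp directory and registered as a kernel driver that starts with the system, per the Trend Micro quote). The script below is an added example written for this post, not code from the article or from Trend Micro. It assumes service-install records are available as dicts carrying the field names of a Windows System log event 7045 ("A service was installed in the system": ServiceName, ImagePath, ServiceType, StartType), that the drop path has the usual C:\Users\<name>\AppData\Local\Temp\ shape, and the sample records at the bottom are constructed for illustration.

```python
"""Hash-match files against the ktgn SHA1 IoCs and flag 7045-style
driver installs that fit the reported drop pattern."""
from __future__ import annotations

import hashlib
import re
from pathlib import Path

# The SHA1 list published on this page, in the form it appears above.
IOC_TEXT = """
* 17bd8fda268cbb009508c014b7c0ff9d8284f850
* 78cd4dfb251b21b53592322570cc32c6678aa468
* c2387833f4d2fbb1b54c8f8ec8b5b34f1e8e2d91
* 91568d7a82cc7677f6b13f11bea5c40cf12d281b
* 0bec69c1b22603e9a385495fbe94700ac36b28e5
* 5ed22c0033aed380aa154e672e8db3a2d4c195c4
* cb25a5125fb353496b59b910263209f273f3552d
* 994e3f5dd082f5d82f9cc84108a60d359910ba79
"""

_SHA1_LINE = re.compile(r"^\*?\s*([0-9a-fA-F]{40})$")


def parse_ioc_list(text: str) -> frozenset[str]:
    """Pull 40-hex-digit SHA1 values out of a bullet list; ignore anything else."""
    found = set()
    for line in text.splitlines():
        m = _SHA1_LINE.match(line.strip())
        if m:
            found.add(m.group(1).lower())
    return frozenset(found)


KTGN_SHA1_IOCS = parse_ioc_list(IOC_TEXT)


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_iocs(root: Path, iocs: frozenset[str] = KTGN_SHA1_IOCS,
                  suffixes: tuple[str, ...] = (".sys",)) -> list[tuple[Path, str]]:
    """Hash every file under root with a matching suffix; return (path, sha1) hits."""
    hits = []
    for p in root.rglob("*"):
        if not (p.is_file() and p.suffix.lower() in suffixes):
            continue
        try:
            digest = sha1_of_file(p)
        except OSError:
            continue  # unreadable or vanished file: skip rather than abort the scan
        if digest in iocs:
            hits.append((p, digest))
    return hits


# Assumed drop-path shape: ...\Users\<name>\AppData\Local\Temp\ inside the image path.
_USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def driver_install_findings(event: dict[str, str]) -> list[str]:
    """Reasons a 7045-style record looks like the ktgn install; empty means clean."""
    name = event.get("ServiceName", "").lower()
    image = event.get("ImagePath", "")
    is_driver = event.get("ServiceType", "").lower() == "kernel mode driver"
    from_temp = bool(_USER_TEMP.search(image))
    reasons = []
    if is_driver and from_temp:
        reasons.append("kernel driver image located in a user Temp directory")
    if is_driver and from_temp and event.get("StartType", "").lower() == "system start":
        reasons.append("Temp-resident driver set to start with the system (persistence)")
    if name == "ktgn":
        reasons.append("service name matches the ktgn driver from the report")
    return reasons


def triage(events: list[dict[str, str]]) -> list[str]:
    """Service names of every record that produced at least one finding."""
    return [e.get("ServiceName", "?") for e in events if driver_install_findings(e)]


# Constructed sample records: one mirroring the reported install, one benign.
SAMPLE_EVENTS = [
    {"ServiceName": "ktgn",
     "ImagePath": r"C:\Users\alice\AppData\Local\Temp\Ktgn.sys",
     "ServiceType": "kernel mode driver", "StartType": "system start"},
    {"ServiceName": "benigndrv",
     "ImagePath": r"C:\Windows\System32\drivers\benigndrv.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
]

if __name__ == "__main__":
    print(f"{len(KTGN_SHA1_IOCS)} SHA1 IoCs loaded")
    for e in SAMPLE_EVENTS:
        print(e["ServiceName"], driver_install_findings(e) or "clean")
```

The path and start-type heuristic is the part worth keeping after the hashes go stale: a fresh build of the driver will have a new SHA1, but a kernel driver registered from a user-writable Temp directory with a system start type is unusual enough on a managed endpoint to justify an alert on its own.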

The full writeup from Trend Micro can be found here.
