Fortinet, a cybersecurity firm, released a report on May 23, 2023, revealing that Iranian hackers have been leveraging a new Windows kernel driver, called Wintapix, in cyberattacks against Middle East targets in Saudi Arabia, Jordan, Qatar, and the United Arab Emirates since at least mid-2020. The driver uses Donut, a position-independent code loader, so that payloads can be loaded in memory through shellcode using thread hijacking or process hollowing.
Persistent Threats
The Donut project enables loading the malware in memory. Once running, Wintapix injects an embedded shellcode that targets a process with Local System privileges, scans the registry, and searches for unlocked registry keys and blocks without a match history. Once a vulnerable process is found, the shellcode executes an encrypted .NET payload built to target infrastructure running Microsoft Internet Information Services (IIS). The malware enumerates the sites hosted by the IIS server and starts an HTTP listener on their URLs, looking for requests containing commands to execute. It can also upload or download files and act as a proxy: using remote desktop protocol (RDP) configuration data, it opens a connection to a target RDP server and relays it to the attacker.
Weaponizing Malicious Code
Wintapix also strengthens its persistence on the victim’s machine by creating specific registry keys and a service for the driver, which is also configured to load in Safe Mode. The driver uses a Windows kernel-mode function to monitor the creation of its registry keys, allowing it to restore persistence if it has been removed from the registry. If the driver file is deleted from disk, it reads its file location from the registry and rewrites itself there. Inspecting the malware, Fortinet notes that the embedded shellcode, which is hardcoded in the binary, was created using the Donut project. It is self-contained and does not require any dependencies.
The Complexity of Detecting Malware
The timeline of Wintapix’s observed code indicates it came into being in May 2020, with observed compilation dates in May 2020 and June 2021. Fortinet believes that the driver was deployed in August and September of 2022 and February and March of 2023, primarily under Iranian attack groups’ control. However, until Fortinet’s revelation, its operations flew under the radar. Fortinet points out that the driver’s activity coincides with Iranian hackers’ use of Exchange servers to deploy additional malware, and therefore suggests that the driver could have been employed concurrently with the Exchange attacks.
Expert Advice
Tze Meng Tan, a cybersecurity expert and a researcher at Singapore’s Cyber Security Agency, stated that the use of kernel drivers is not uncommon and that a driver loaded with malware could be difficult to detect, especially if it is persistent. However, Tan suggests taking several measures to prevent such attacks. Firstly, Tan recommends monitoring drivers’ activity and preventing kernel-mode drivers from running on endpoints. Secondly, Tan suggests enforcing a network segmentation strategy that keeps critical systems inaccessible from other systems, allowing access only to necessary programs. Lastly, Tan stresses that keeping software applications and hardware up to date with the latest software and firmware updates is crucial in preventing such attacks.
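One way to turn Tan’s first recommendation into a concrete check, as an added PowerShell example that is not part of the article or of Fortinet’s report: it lists every kernel-mode driver service, marks those registered to load in Safe Mode (the persistence trick described above), and reports whether each driver binary on disk carries a valid Authenticode signature. It uses only standard registry locations and cmdlets; the helper name Resolve-DriverPath is the author's own.

```powershell
# Added example (not from the Fortinet report). Run in an elevated PowerShell session.
# Registry paths below are the standard Windows locations; nothing here is Wintapix-specific.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

# Service and driver-file names registered for the Minimal or Network safe-boot profiles
$safeBootNames = foreach ($mode in 'Minimal', 'Network') {
    Get-ChildItem -Path (Join-Path $safeBoot $mode) -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSChildName }
}

# Hypothetical helper: turn an NT-style driver ImagePath into a Win32 path Test-Path can open.
function Resolve-DriverPath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                       # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\... -> C:\Windows\...
    if (-not [System.IO.Path]::IsPathRooted($p)) {          # system32\drivers\x.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return [Environment]::ExpandEnvironmentVariables($p)
}

$report = foreach ($key in Get-ChildItem -Path $services) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if ($props.Type -ne 1) { continue }   # Type 1 = SERVICE_KERNEL_DRIVER
    $path = Resolve-DriverPath $props.ImagePath
    $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                (Get-AuthenticodeSignature -FilePath $path).Status
            } else { 'FileMissing' }
    $fileName = if ($path) { [System.IO.Path]::GetFileName($path) } else { '' }
    [pscustomobject]@{
        Service   = $key.PSChildName
        ImagePath = $path
        SafeBoot  = ($safeBootNames -contains $key.PSChildName) -or
                    ($safeBootNames -contains $fileName)
        Signature = $sig
    }
}

# A kernel driver wired into Safe Mode whose file is unsigned or missing is a triage lead,
# not proof of compromise: confirm against vendor documentation before acting.
$report | Where-Object { $_.SafeBoot -and $_.Signature -ne 'Valid' } |
    Sort-Object Service | Format-Table -AutoSize
```

Drop the final Where-Object filter to review the full inventory of kernel drivers rather than only the suspicious subset.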
Conclusion
The Wintapix malware is yet another example of how determined and sophisticated hackers can evade traditional signature-based detection. It reinforces that cybersecurity is continuously evolving and that basic security hygiene, such as applying regular security updates and not running unknown software, should be part of every organization’s culture.