Threat actors leverage kernel drivers in new attacks
Threat actors are leveraging malicious kernel-level drivers in two separate campaigns detailed on Monday by Fortinet and Trend Micro.
Kernel-level threats are considered serious because a compromise at that level gives a threat actor complete access to the affected system. Fortinet’s Monday research concerns WinTapix, a driver used primarily in attacks against organizations in the Middle East, and Trend Micro’s concerns a campaign conducted by the ransomware gang BlackCat, also known as Alphv.
Fortinet researchers Geri Revay and Hossein Jazi said in a blog post that WinTapix.sys was being used as a loader in “targeted attacks against countries in the Middle East.” Though no formal attribution was made, the researchers assessed with low confidence based on telemetry that an Iranian threat actor was conducting the attacks.
“We still do not have enough information about how this driver has been distributed and who was behind these operations,” the blog post read. “Based on the victimology, we suspect …