Sophos Finds Malicious Driver Signed with a Valid Digital Certificate

December 20, 2022

Sophos revealed it has found malicious code in multiple drivers signed by legitimate digital certificates. Its latest report, “Signed Driver Malware Moves up the Software Trust Chain,” details the investigation which began with an attempted ransomware attack in which the attackers used a malicious driver signed with a legitimate Windows Hardware Compatibility Publisher digital certificate from Microsoft. The malicious driver is designed to specifically target processes used by major Endpoint Detection and Response (EDR) software packages and was installed by malware that has been tied to threat actors affiliated with Cuba ransomware, a highly prolific group that has successfully targeted more than 100 companies globally over the past year. Sophos Rapid Response was able to successfully thwart the attack, and the investigation triggered a comprehensive collaboration between Sophos and Microsoft to take action and address the threat.

Drivers can perform highly privileged operations on systems. For example, kernel-mode drivers can, among other things, terminate many types of software, including security. Controlling which drivers can load is one way to protect computers from this avenue of attack. Windows requires drivers to bear a cryptographic signature—a “stamp of approval”—before it will allow the driver to load.

However, not all digital certificates used to sign drivers are trusted equally. Some digital signing certificates, stolen and leaked to the internet, were later abused to sign malware; still other certificates have been bought and used by unscrupulous PUA software publishers. Sophos’ investigation of a malicious driver used to sabotage endpoint security tools during the commission of a ransomware attack, revealed that the adversaries had been making a concerted effort to progressively move from less widely to more widely trusted digital certificates.

“These attackers, most likely affiliates of the Cuba ransomware group, know what they’re doing—and they’re persistent. We’ve found a total of 11 malicious drivers, all variants of the initial discovery. These drivers show a concerted effort to move up the trust chain, with the oldest driver dating back to at least July. The oldest ones we’ve found to date were signed by certificates from unknown Chinese companies; they then moved on and managed to sign the driver with a valid, leaked, revoked NVIDIA certificate. Now, they’re using a certificate from Microsoft, which is one of the most trusted authorities in the Windows ecosystem. If you think about it like company security, the attackers have essentially received valid company IDs to enter the building without question and do whatever they please,” said Christopher Budd, senior manager, threat research, Sophos.

A closer look at the executables utilized in the attempted ransomware attack found that the malicious signed driver was downloaded onto the targeted system with a variant of the loader BURNTCIGAR, a known piece of malware affiliated with the Cuba ransomware group. Once the loader downloads the driver on the system, the latter waits for one of 186 different program filenames commonly used by major endpoint security and EDR software packages to initiate and then attempts to terminate those processes. If successful, the attackers can then deploy the ransomware.

“In 2022, we’ve seen ransomware attackers increasingly attempt to bypass EDR products of many, if not most, major vendors. The most common technique is known as ‘bring your own driver,’ which BlackByte recently used, and it involves attackers exploiting an existing vulnerability in a legitimate driver. Creating a malicious driver from scratch and getting it signed by a legitimate authority is far more difficult. However, should they succeed, it’s incredibly effective because the driver can essentially carry out any processes without question. In the case of this particular driver, virtually all EDR software is vulnerable; fortunately, Sophos’ additional anti-tampering protections were able to halt the ransomware attack. The security community needs to be aware of this threat so that they can implement additional security measures, such as eyes on glass, where necessary; what’s more, we may see other attackers attempt to emulate this type of attack,” said Budd.

Upon discovering this driver, Sophos promptly alerted Microsoft, and the two companies worked together to resolve the issue. Microsoft has released information in their security advisory with more information today as part of Patch Tuesday.