
Middle East subjected to attacks with novel WINTAPIX malware


Organizations in Saudi Arabia, Qatar, Jordan, and the United Arab Emirates have been targeted since at least May 2020 in attacks involving a malicious Windows kernel driver dubbed "WINTAPIX," The Hacker News reports. The attackers behind the campaign remain unknown, but the malware is likely connected to an Iranian threat actor, according to a report from Fortinet FortiGuard Labs. Researchers said that WinTapix.sys functions as a loader: it injects embedded shellcode that in turn executes a .NET payload. That .NET malware has been observed to combine a backdoor with proxy functionality, allowing command execution, file downloads and uploads, and the relaying of data between two endpoints, the report said. "Since Iranian threat actors are known to exploit Exchange servers to deploy additional malware, it is also possible that this driver has been employed alongside Exchange attacks. To that point, the compilation time of the drivers is also aligned with times when Iranian threat actors were exploiting Exchange server vulnerabilities," said researchers.
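Because the loader described above runs as a kernel driver, the first thing a defender will want is an inventory of the drivers registered on a host, with the reported file name and each file's Authenticode status called out. The PowerShell below is an added hunting example written for this brief; it is not code from SC Media, The Hacker News, or Fortinet. The only indicator it uses is the WinTapix.sys file name from the brief; the CSV output path and the cleanup of `\??\` and `\SystemRoot\` path prefixes are assumptions about typical Windows driver registrations.

```powershell
# Added example, not from the brief or from Fortinet's report.
# Enumerates registered kernel drivers, flags any whose file name matches
# the WinTapix.sys name reported in the brief, and records Authenticode
# signature status for every driver so unexpected loaders stand out.

# Name taken from the brief; extend with indicators from your own sources.
$SuspectNames = @('wintapix.sys')

$drivers = Get-CimInstance -ClassName Win32_SystemDriver

$report = foreach ($d in $drivers) {
    # PathName can be empty, or carry \??\ or \SystemRoot\ prefixes that
    # Test-Path does not understand; normalise before checking the file.
    $path = $d.PathName
    if ([string]::IsNullOrWhiteSpace($path)) { continue }
    $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $path = [Environment]::ExpandEnvironmentVariables($path)

    $sig = if (Test-Path -LiteralPath $path) {
        Get-AuthenticodeSignature -FilePath $path
    } else { $null }

    $leaf = [IO.Path]::GetFileName($path).ToLowerInvariant()

    [pscustomobject]@{
        Name      = $d.Name
        State     = $d.State
        StartMode = $d.StartMode
        Path      = $path
        SigStatus = if ($sig) { $sig.Status } else { 'FileMissing' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        NameMatch = $SuspectNames -contains $leaf
    }
}

# A name match, a missing file, or anything other than a valid signature deserves review.
$flagged = $report | Where-Object { $_.NameMatch -or $_.SigStatus -ne 'Valid' }
$flagged | Sort-Object NameMatch -Descending | Format-Table -AutoSize

# Keep the full inventory so hosts can be compared against a known-good baseline (path is an assumption).
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\driver-inventory.csv"
```

Run this from an elevated PowerShell session so every driver file is readable. Most Microsoft drivers are catalog-signed and report `Valid` here; a driver whose file is missing from disk, whose signature is not valid, or whose name matches the indicator is worth pulling for analysis, and comparing the exported CSV across hosts makes a driver present on only one machine easy to spot.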
