Malware, Threat Intelligence

Windows kernel-level attacks facilitated by signed drivers

Microsoft March Patch Tuesday roundup

More threat actors have been leveraging digitally signed drivers and other services to compromise Windows systems with kernel-level malware while circumventing Microsoft's safeguards, including Hypervisor-Protected Code Integrity, PatchGuard, and Driver Signature Enforcement, reports GBHackers News.

Malicious kernel drivers have been passed off as legitimate software through the usage of the Windows Hardware Compatibility Program and Extended Validation certificates, according to an analysis from Group-IB researchers. Moreover, the proliferation of such certificates across the dark web has enabled kernel-level malware attacks even from less sophisticated threat operations. Additional findings revealed not only the increased use of WHCP-signed drivers since 2020 but also the similarities in signing infrastructure across different attack campaigns. Such findings should prompt not only the implementation of more stringent certificate issuance measures but also increased coordination in exploited credential revocation between operating system vendors, certificate authorities, and other members of the security community, said researchers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds