2025-07-08
Malware, Threat Intelligence
Windows kernel-level attacks facilitated by signed drivers
More threat actors have been leveraging digitally signed drivers and other services to compromise Windows systems with kernel-level malware while circumventing Microsoft's safeguards, including Hypervisor-Protected Code Integrity, PatchGuard, and Driver Signature Enforcement, reports GBHackers News.
Malicious kernel drivers have been passed off as legitimate software by signing them through the Windows Hardware Compatibility Program or with Extended Validation certificates, according to an analysis from Group-IB researchers. Moreover, the proliferation of such certificates across the dark web has put kernel-level malware within reach of less sophisticated threat operations. Additional findings revealed not only the increased use of WHCP-signed drivers since 2020 but also shared signing infrastructure across different attack campaigns. Such findings should prompt both more stringent certificate issuance measures and closer coordination on revoking abused certificates between operating system vendors, certificate authorities, and other members of the security community, said researchers.
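Since the article's point is that a valid signature alone no longer proves a driver is benign, a defender's first step is an inventory of what is actually loaded, who signed it, and whether the hypervisor-backed protections named above are running. The following PowerShell is an added example written for this page; it is not code from Group-IB, GBHackers News, or Microsoft. It assumes an elevated PowerShell 5.1+ session on Windows 10/11, and the `$KnownAbusedThumbprints` list is an empty placeholder you would populate from your own threat-intelligence feeds.

```powershell
# Added example (not from the article or the Group-IB analysis): inventory running
# kernel drivers, record their Authenticode signer details, and check HVCI state.
# Assumes an elevated PowerShell 5.1+ session on Windows 10/11.

# Placeholder: certificate thumbprints your own intel feeds have flagged as abused.
$KnownAbusedThumbprints = @()

function Get-LoadedDriverSignatures {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may be quoted or carry the NT-style \??\ prefix; normalise it.
            $path = $_.PathName -replace '^"|"$', '' -replace '^\\\?\?\\', ''
            if (-not (Test-Path -LiteralPath $path)) { return }

            # Get-AuthenticodeSignature covers embedded and catalog signatures on
            # supported Windows versions; Status is Valid, NotSigned, HashMismatch, etc.
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name        = $_.Name
                Path        = $path
                Status      = $sig.Status
                Signer      = $sig.SignerCertificate.Subject
                Issuer      = $sig.SignerCertificate.Issuer
                NotAfter    = $sig.SignerCertificate.NotAfter
                Thumbprint  = $sig.SignerCertificate.Thumbprint
                # A timestamp countersignature keeps a signature valid after the
                # signing certificate expires, so expiry alone is not a signal.
                TimeStamped = [bool]$sig.TimeStamperCertificate
            }
        }
}

function Get-HvciState {
    # Win32_DeviceGuard.SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)
        VbsStatus   = $dg.VirtualizationBasedSecurityStatus   # 2 = VBS running
    }
}

$drivers = Get-LoadedDriverSignatures

# 1. Drivers that do not carry a valid signature at all.
$drivers | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Name, Status, Path -AutoSize

# 2. Validly signed drivers whose signing certificate matches known-abused intel.
$drivers | Where-Object { $KnownAbusedThumbprints -contains $_.Thumbprint } |
    Format-Table Name, Signer, Thumbprint -AutoSize

# 3. Issuer counts: a single CA behind many unfamiliar drivers is worth a second look.
$drivers | Group-Object Issuer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 4. Confirm memory integrity (HVCI) is actually enforcing.
Get-HvciState
```

Note that every WHCP-signed driver presents the same Microsoft publisher subject, so grouping by signer or issuer does not identify the submitting vendor; the thumbprint match against your own intel list and the unsigned/invalid bucket are the actionable outputs, and an `HvciRunning` of `False` means the protection the article describes attackers circumventing is not even in play on that host.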
