Threat Actors Exploit Signed Drivers to Execute Advanced Kernel-Level Attacks on Windows Systems

In recent years, cybercriminals have increasingly exploited legitimate Windows driver signing processes to deploy sophisticated kernel-level malware. Research indicates that since 2020, over 620 malicious drivers have been identified, highlighting a significant escalation in such attacks.

Exploitation of Microsoft’s Signing Programs

Threat actors have systematically abused Microsoft’s Windows Hardware Compatibility Program (WHCP) and Extended Validation (EV) certificates to legitimize malicious kernel drivers. By obtaining these certificates through fraudulent means, attackers can sign malicious drivers, allowing them to bypass traditional security defenses and gain deep system control. This method effectively undermines the trust placed in signed drivers, which are typically considered safe by security software.

Underground Market for Code-Signing Certificates

A thriving underground economy has emerged around code-signing certificates. EV certificates, which require thorough validation of a company’s legal status, are being sold on criminal forums for prices ranging from $2,000 to $6,500. These certificates are often obtained through fraudulent business registrations rather than traditional certificate theft, making detection more challenging. Vendors in these marketplaces can deliver certificates in as little as 2-5 days, facilitating rapid deployment of signed malware.

Technical Sophistication of Attacks

Modern kernel loaders have added a new layer of obfuscation to these attacks. First-stage drivers are designed to load secondary components, including both unsigned drivers using reflective techniques and officially installed signed drivers. For example, the Blackmoon banking trojan evolved to use the Hugo driver, a signed kernel loader that decrypts and loads unsigned drivers from hardcoded file paths.

The POORTRY malware family has also demonstrated this evolution, transitioning from a simple Endpoint Detection and Response (EDR) deactivator to a full-featured EDR wiper capable of deleting critical security software files. Used by ransomware groups including BlackCat, Cuba, and LockBit, POORTRY represents the increasing aggression of kernel-level attacks.

Geographical Concentration of Malicious Activity

Analysis reveals a significant concentration of malicious activity originating from Chinese threat actors; metadata analysis ties most of the certificates and WHCP accounts involved to Chinese companies. The FiveSys rootkit family has been particularly active, targeting China’s gaming sector while maintaining Microsoft-issued digital signatures. Security researchers have identified overlapping infrastructure between seemingly unrelated campaigns, suggesting coordinated efforts among multiple threat actor groups using shared signing capabilities.

Microsoft’s Defensive Measures

In response to these threats, Microsoft has implemented several defensive measures, including the Microsoft Vulnerable Driver Blocklist, enabled by default on Windows 11 systems. The company has also revoked numerous certificates and suspended several developer program accounts found to be submitting malicious drivers. These actions aim to curb the abuse of legitimate signing processes and protect users from kernel-level malware attacks.
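The loader pattern described above (a signed first-stage driver pulling unsigned code from a hardcoded path, or a signed EDR wiper) and the blocklist mentioned here both lend themselves to a simple host check. The following PowerShell triage script is an added example written for this page; it is not code from the article or from Microsoft. It assumes an elevated session on a Windows 10/11 host, the documented `VulnerableDriverBlocklistEnable` value under the `CI\Config` registry key, the `Win32_DeviceGuard` CIM class (where a value of 2 in `SecurityServicesRunning` means HVCI), and Code Integrity event ID 3077 for a driver blocked by policy. The function names and the "trusted root" heuristic are the author's own choices, not a Microsoft API.

```powershell
# Added example (not from the article): kernel-driver triage for one Windows host.
# Run in an elevated PowerShell session. Names and heuristics here are assumptions.

function Get-DriverBlocklistStatus {
    # VulnerableDriverBlocklistEnable is the documented registry switch for the
    # Microsoft Vulnerable Driver Blocklist; when the value is absent the OS default
    # applies (on by default on Windows 11, per the article).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                           -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BlocklistRegistryValue = if ($null -eq $val) { 'not set (OS default)' } else { $val }
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)  # 2 = HVCI
    }
}

function Get-SuspiciousKernelDrivers {
    # Flags running kernel drivers whose Authenticode status is not Valid or whose
    # binary lives outside the normal drivers directory (a hardcoded path such as
    # the one a first-stage loader would use is the case this is meant to surface).
    param([string]$TrustedRoot = "$env:SystemRoot\System32\drivers")

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName can carry a \??\ prefix and surrounding quotes; normalise first
            $path = ($_.PathName -replace '^\\\?\?\\', '') -replace '"', ''
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $outsideRoot = -not $path.StartsWith($TrustedRoot,
                               [System.StringComparison]::OrdinalIgnoreCase)

            [pscustomobject]@{
                Name     = $_.Name
                Path     = $path
                Status   = $sig.Status
                Signer   = $signer
                Flagged  = ($sig.Status -ne 'Valid') -or $outsideRoot
            }
        } |
        Where-Object Flagged
}

function Get-RecentDriverBlockEvents {
    # Event 3077 in the CodeIntegrity operational log records a driver that policy
    # (including the vulnerable driver blocklist) refused to load.
    param([int]$Hours = 24)

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3077
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: a quick one-host picture of blocklist state, odd drivers, and recent blocks.
Get-DriverBlocklistStatus   | Format-List
Get-SuspiciousKernelDrivers | Format-Table -AutoSize
Get-RecentDriverBlockEvents | Format-Table -AutoSize -Wrap
```

Treat the output as triage, not a verdict: on Windows PowerShell 5.1 `Get-AuthenticodeSignature` consults signing catalogs, so inbox drivers should report `Valid`, but a validly signed driver can still be one of the abused WHCP- or EV-signed loaders the article describes, so the `Signer` column and the binary path deserve a second look when they are unfamiliar. The 3077 query only shows drivers the policy already stopped; a signed malicious driver that loaded successfully appears, if at all, in the driver list rather than the event log.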

Conclusion

The exploitation of signed drivers by threat actors to execute advanced kernel-level attacks poses a significant challenge to cybersecurity. The abuse of legitimate signing processes, coupled with the underground trade in code-signing certificates, underscores the need for continuous vigilance and adaptive security measures. As attackers refine their techniques, it is imperative for both software vendors and users to stay informed and proactive in defending against these sophisticated threats.