
Ransomware discovered carrying legitimate Windows certificates

Sophos researchers pointed to the sophisticated signatures as a sign of a new, dangerous strategy by a group tied to the Cuba ransomware operation

Cyber security company Sophos has issued a warning over antivirus-nullifying malware it discovered bearing legitimate digital certificates, including signatures from Microsoft’s own digital verification service.

The drivers, found paired with a ‘loader’ executable used to install them, carried the digital signature of Microsoft’s Windows Hardware Compatibility Program (WHCP), and appeared to be purpose-built to limit the functions of endpoint detection and response (EDR) security products.

A code signature is a cryptographic signature, backed by a certificate, that attests a program has not been altered since its publisher released it. WHCP signatures are only meant to be issued to software that Microsoft has examined and approved, so Windows treats files carrying them as trustworthy to load and run.

Researchers say that the find shows that threat actors are working harder to move up the 'trust chain', employing increasingly sophisticated methods to sign malware with legitimate cryptographic signatures so that it can be installed on systems without detection.

Sophos made the discovery while responding to a ransomware attack, which revealed the driver and executable. Because Sophos stopped the attack before it could run, it has not been able to definitively identify the ransomware variant that the driver was meant to enable and deploy.

However, in a blog post researchers noted that the loader used is likely a variant known as BURNTCIGAR. Use of this variant is characteristic of the Cuba ransomware group, and a search of public repositories for similar drivers revealed an archive that contained both the driver and loader, along with a list of 186 files that are commonly used in endpoint security and EDR software. Researchers surmised that these were processes the malware was intended to kill once activated, so that the ransomware could run without resistance.

In a subsequent search for similar variants of the malicious driver, security researchers found as many as ten, which first emerged in the middle of the year and have grown in number since. The earliest of these drivers found by Sophos was uploaded to the antivirus aggregation website VirusTotal in July, and carried the signature of Chinese software developer Zhuhai Liancheng Technology Co., Ltd.

This company’s signature is flagged by Sophos as a potentially unwanted application (PUA), and the threat actors appear to have moved away from it to less suspicious certificates in subsequent iterations. Indeed, other malicious drivers were signed by Nvidia, in addition to those that carried the WHCP signatures.

Following the discovery, Sophos Rapid Response collaborated with Microsoft to quell the threat, and to release a security update that revokes the affected certificates as well as improving detection for legitimate drivers that have been involved in malicious activity. This was released as a part of Microsoft’s December Patch Tuesday.
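One practical follow-up to the trust-chain point above and to Microsoft’s certificate revocation is to audit which kernel drivers a host has loaded and whether each one still verifies. The following PowerShell script is an added example, not code from Sophos, Microsoft or the article; it assumes an elevated session, that the WHCP countersigner’s subject contains "Windows Hardware Compatibility Publisher", and that a revoked or explicitly distrusted signer surfaces as a status other than Valid.

```powershell
# Added example (not from the Sophos / IT Pro article): list loaded kernel
# drivers, report their Authenticode status and signer, and flag anything
# that is unsigned, untrusted or revoked. Run from an elevated PowerShell.

# Win32_SystemDriver exposes the on-disk path of every installed driver.
# Normalise the \??\ and \SystemRoot prefixes and any surrounding quotes.
$driverPaths = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $p = $_.PathName -replace '^\\\?\?\\', ''
        $p = $p -replace '^\\SystemRoot', $env:SystemRoot
        $p -replace '^"|"$', ''
    } |
    Sort-Object -Unique

$report = foreach ($path in $driverPaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    [pscustomobject]@{
        Path   = $path
        Status = $sig.Status          # Valid, NotSigned, NotTrusted, UnknownError, ...
        Detail = $sig.StatusMessage   # human-readable reason when not Valid
        Signer = $signer
        # Assumed subject string for the WHCP countersigner; confirm it against
        # a known-good inbox driver before relying on it.
        WHCP   = $signer -like '*Windows Hardware Compatibility Publisher*'
    }
}

# A signer that Windows no longer trusts (for example after the December
# 2022 revocations) is assumed to stop verifying as Valid; StatusMessage
# explains why. Review every non-Valid entry by hand.
$suspect = $report | Where-Object { $_.Status -ne 'Valid' }
$report  | Format-Table Path, Status, WHCP, Signer -AutoSize
'{0} running driver(s), {1} with a non-Valid signature status' -f $report.Count, $suspect.Count
```

A clean result is not proof of safety: a driver that verified as Valid at load time and is later revoked still needs to be unloaded or blocked, so treat this as triage alongside Microsoft’s driver blocklist and EDR telemetry.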

“In 2022, we’ve seen ransomware attackers increasingly attempt to bypass EDR products of many, if not most, major vendors,” said Christopher Budd, senior manager of Threat Research at Sophos.


“The most common technique is known as ‘bring your own driver,’ which BlackByte recently used, and it involves attackers exploiting an existing vulnerability in a legitimate driver. Creating a malicious driver from scratch and getting it signed by a legitimate authority is far more difficult. However, should they succeed, it’s incredibly effective because the driver can essentially carry out any processes without question.

“In the case of this particular driver, virtually all EDR software is vulnerable; fortunately, Sophos’ additional anti-tampering protections were able to halt the ransomware attack. The security community needs to be aware of this threat so that they can implement additional security measures, such as eyes on glass, where necessary; what’s more, we may see other attackers attempt to emulate this type of attack.”

Earlier in 2022, a similar technique was employed by threat actors who masked malware using Nvidia certificates, following a breach of Nvidia systems by the LAPSUS$ hacking group. However, certificates are generally revoked by companies once they are found to have been stolen, and Sophos’ discovery represents a step up in attacker methodology, as the drivers in use were, for all intents and purposes, seen as legitimate.

The Cuba ransomware group has previously claimed an attack on Montenegro’s government, and has been linked to a number of attacks by security researchers. The group’s exact origins are unknown, but some have suggested it could be Russia-backed due to observations of Russian on the group’s dark web site.
