The ALPHV (BlackCat) ransomware group was found using signed malicious Windows kernel drivers to evade detection by security software during attacks.
According to experts at Trend Micro, the driver is a new version of the malware known as ‘POORTRY’ reported by Microsoft, Mandiant, Sophos, and SentinelOne last year.
The POORTRY malware is a Windows kernel driver signed using stolen keys belonging to legitimate accounts in Microsoft’s Windows Hardware Developer Program.
This malicious driver was used by the UNC3944 hacking group, also known as 0ktapus and Scattered Spider, to terminate security software running on a Windows device to evade detection.
As Windows kernel drivers run with the highest privileges in the operating system, they can be used to terminate almost any process.
Trend Micro says the ransomware actors first attempted to use the Microsoft-signed POORTRY driver, but by then it was widely detected, following the publicity it had received and the revocation of its code-signing keys.
The hackers therefore deployed an updated version of the POORTRY kernel driver, this time signed with a stolen or leaked cross-signing certificate.
The new driver used by the BlackCat ransomware operation elevates their privileges on compromised machines and then stops processes belonging to security agents.
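The two points above, that a kernel driver runs with enough privilege to kill almost any process and that the attackers' answer to key revocation was simply another signature, both come down to the same defensive question: which drivers are registered on this host, who signed them, and does the signature still validate? The following PowerShell is an added example, not code from the article or from Trend Micro; it assumes an elevated prompt on a Windows host and uses only the built-in `Get-CimInstance` and `Get-AuthenticodeSignature` cmdlets. The output path and the path-normalisation rules are assumptions for the example.

```powershell
# Added example (not from the article): inventory the kernel drivers registered on
# this host and report each one's Authenticode status and signer, so an analyst can
# spot drivers that are unsigned, fail validation, or carry a signature from an
# unexpected publisher. Run from an elevated PowerShell prompt.

$drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName }

$report = foreach ($d in $drivers) {
    # WMI returns several path forms (\??\C:\..., system32\drivers\...); normalise them.
    $path = $d.PathName -replace '^\\\?\?\\', ''
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Name     = $d.Name
        State    = $d.State                 # Running or Stopped
        Path     = $path
        Status   = $sig.Status              # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { '<none>' }
        Thumb    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        NotAfter = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter }   else { $null }
    }
}

# A running driver whose signature is anything other than Valid deserves a look.
$report | Where-Object { $_.State -eq 'Running' -and $_.Status -ne 'Valid' } |
    Format-Table Name, Status, Signer, Path -AutoSize

# The full inventory, sorted by signer, is the part worth keeping: a 'Valid' signature
# from a publisher nobody recognises is exactly the case described in the article.
$report | Sort-Object Signer, Name |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'driver-signatures.csv')   # assumed output path
```

Two caveats when reading the output. A revoked certificate does not necessarily turn an existing, timestamped signature into a `NotTrusted` result, so a driver signed with a certificate that was later revoked can still report `Valid`; compare signer subjects and thumbprints against a known-good baseline from a clean host rather than trusting the status column alone. Second, this is an inventory, not a control: the preventive counterpart is Microsoft's recommended driver block rules, enforced through HVCI or a WDAC policy, which stop a blocked driver from loading in the first place.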
Also, it may provide a loose link between the ransomware gang and the UNC3944/Scattered Spider hacking groups.
The experts believe the driver is still under development and testing, since it is poorly structured and some of its functions do not currently work.