BlackCat ransomware takes control of protected computers via new kernel driver

A new kernel driver was discovered from a February 2023 BlackCat ransomware incident that leverages a separate user client executable as a way to control, pause and kill various processes on target endpoints of security agents deployed on protected computers.

In a May 22 blog post, Trend Micro researchers said they believe that the new kernel driver was an updated version that inherited the main functionality from samples disclosed in previous research in December 2022 by Mandiant, Sophos, and Sentinel One.

The three companies published a coordinated disclosure that malicious kernel drivers were being signed through several Microsoft hardware developer accounts. The joint researchers said these profiles had been used in a number of cyberattacks that included ransomware incidents. Microsoft subsequently revoked several Microsoft hardware developer accounts that were abused in these attacks.

Trend Micro’s researchers explained that malicious actors use different approaches to sign their malicious kernel drivers. In this case, the attackers tried to deploy the old driver disclosed by Mandiant, but because this driver had already been known and detected, the threat actors deployed another kernel driver signed by a stolen or leaked cross-signing certificate. The kernel driver typically gets used during the evasion phase, say the Trend researchers.

The recent activity of the BlackCat ransomware group signals a disturbing escalation in the cyber threat landscape, said Craig Jones, vice president of security operations at Ontinue. Jones said by exploiting signed kernel drivers, this raises the stakes in an ongoing high-stakes game of “digital cat and mouse” between cyber criminals and those tasked with thwarting their attempts.

“One of the intriguing aspects of this incident is the fact that the ransomware operators are using malicious kernel drivers signed through Microsoft’s portals or using stolen certificates,” said Jones. “This offers them privileged-level access to the systems they attack and lets them bypass security protocols. It also indicates a high level of sophistication and a solid understanding of Windows system operations. They are essentially used to manipulate and…