Trend Micro details a February 2023 BlackCat ransomware incident that leveraged a signed kernel driver for defense evasion, enabling attackers to target security tools and processes. The report also highlights how attackers obtained or abused code-signing certificates, obfuscated the driver, and exposed an IOCTL interface to control driver actions. #BlackCat #ktgnSys #Safengine #BopSoft #YIZENG #Thawte #VeriSign #CodeSigning #SignedKernelDriver
Keypoints
- The February 2023 BlackCat attack used a signed kernel driver (ktgn.sys) to aid defense evasion and control over target endpoints.
- Attackers first attempted to reuse the previously disclosed Microsoft-signed driver, then deployed new kernel drivers signed with stolen or cross-signing certificates; some variants carry signatures from signers that have since been revoked (BopSoft, YI ZENG).
- The kernel driver is obfuscated with Safengine Protector to hinder static analysis, and a user-mode client (tjr.exe) interacts with it via a dedicated IOCTL interface.
- The user-mode client directs the signed driver through IOCTL commands, including Kill Process, Delete File, and Force Delete File, to terminate security tooling and remove its files, subverting defenses from kernel mode.
- The driver cannot be unloaded through normal means; removing it requires changing its service registry key and restarting the system. It exposes the symbolic link \\.\keHeperDriverLink for communication with the user-mode client and accepts a single connection at a time.
- Trend Micro recommends protecting code-signing certificates, enabling MFA, application allowlists, and a multilayer security framework to mitigate such kernel-level threats.
MITRE Techniques
- [T1218] System Binary Proxy Execution (formerly Signed Binary Proxy Execution) – The new capability involves the use of a signed kernel driver for evasion. ‘the use of a signed kernel driver for evasion’
- [T1553.002] Subvert Trust Controls: Code Signing (formerly T1116) – Malicious actors sign kernel drivers using leaked or stolen certificates or cross-signing certificates. ‘Malicious actors use different approaches to sign their malicious kernel drivers: Typically by abusing Microsoft signing portals, using leaked and stolen certificates, or using underground services.’
- [T1027] Obfuscated/Compressed Files and Information – The driver is obfuscated using Safengine Protector v2.4.0.0, hindering analysis. ‘the driver is obfuscated using Safengine Protector v2.4.0.0 tool, which renders static analysis techniques unreliable.’
- [T1014] Rootkit – Rootkits are used to hide malicious code from security tools and impair defenses. ‘Rootkits to hide malicious code from security tools, impair defenses, and fly under the radar.’
- [T1547] Boot or Logon Autostart Execution – The driver uses a startup mechanism (start value = System) to persist across reboots. ‘start value = System (to start when the system restarts)’.
- [T1055] Process Injection – The kernel driver creates a kernel thread in the target process context to perform actions such as terminating processes. ‘creates a kernel thread in the target process context’.
- [T1070.004] File Deletion – IOCTLs delete files as part of defense evasion. ‘Delete File’ / ‘Force Delete File’ via IOCTL codes.
Indicators of Compromise
- [Hash] 994e3f5dd082f5d82f9cc84108a60d359910ba79, f6793243ad20359d8be40d3accac168a15a327fb – Driver variants (SHA-1); signed by different signers whose certificates were later revoked
- [File] ktgn.sys – Signed kernel driver used in the February BlackCat attacks
- [Process] tjr.exe – User-mode client that drops the driver and controls it via IOCTLs
- [Path] C:\%User%\AppData\Local\Temp\Ktgn.sys – Drop location for the kernel driver
- [Link] \\.\keHeperDriverLink – Symbolic link through which the user-mode client communicates with the driver (single connection)
- [IOCTL] Control codes accepted by the driver:
  - 0x222088 Activate Driver
  - 0x22208C Deactivate Driver
  - 0x222094 Kill Process
  - 0x222184 Delete File
  - 0x222188 Force Delete File
  - 0x22218C Copy File
  - 0x222190 Force Copy File
  - 0x2221C8 Register Process/Thread Object notification
  - 0x2221C4 Unregister Process/Thread Object notification
  - 0x222264 Reboot the system
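The IOCTL codes above are not opaque numbers: Windows builds every control code from four fields (device type, required access, function number, transfer method), and decoding them tells a responder what the driver's dispatch routine expects before the driver itself is reversed. The following is an added example written for this page, not code from Trend Micro's report or from the BlackCat tooling. It uses only the public CTL_CODE layout from the Windows SDK (`(DeviceType << 16) | (Access << 14) | (Function << 2) | Method`) and the code table from the IoC list; the function and constant names are this example's own.

```c
/* Decode the ktgn.sys IOCTL codes listed in the IoC section into their CTL_CODE fields.
 * Added example for this page (not from the report or the malware). Portable C99:
 * no Windows headers are needed, the constants below are the documented SDK values. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILE_DEVICE_UNKNOWN 0x22u  /* device type used by most third-party/malicious drivers */
#define METHOD_BUFFERED     0u     /* I/O manager copies the buffer into a system buffer */
#define FILE_ANY_ACCESS     0u     /* no read/write access requirement on the handle */

struct ioctl_fields {
    uint32_t device_type; /* bits 31..16 */
    uint32_t access;      /* bits 15..14: 0 any, 1 read, 2 write, 3 read+write */
    uint32_t function;    /* bits 13..2: 12-bit driver-defined function number */
    uint32_t method;      /* bits 1..0: buffered, in_direct, out_direct, neither */
};

/* Split a control code into its four fields. */
struct ioctl_fields decode_ioctl(uint32_t code) {
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Rebuild a control code; mirrors the SDK CTL_CODE macro so decoding can be checked round-trip. */
uint32_t ctl_code(uint32_t device_type, uint32_t function, uint32_t method, uint32_t access) {
    return (device_type << 16) | (access << 14) | (function << 2) | method;
}

/* Code table as given in the IoC list; names are the report's labels. */
struct known_ioctl { uint32_t code; const char *name; };
static const struct known_ioctl ktgn_ioctls[] = {
    { 0x222088u, "Activate Driver" },
    { 0x22208Cu, "Deactivate Driver" },
    { 0x222094u, "Kill Process" },
    { 0x222184u, "Delete File" },
    { 0x222188u, "Force Delete File" },
    { 0x22218Cu, "Copy File" },
    { 0x222190u, "Force Copy File" },
    { 0x2221C8u, "Register Process/Thread Object notification" },
    { 0x2221C4u, "Unregister Process/Thread Object notification" },
    { 0x222264u, "Reboot the system" },
};
#define KTGN_IOCTL_COUNT (sizeof ktgn_ioctls / sizeof ktgn_ioctls[0])

/* Name for a known code, or NULL if the code is not in the table. */
const char *ktgn_ioctl_name(uint32_t code) {
    for (size_t i = 0; i < KTGN_IOCTL_COUNT; i++)
        if (ktgn_ioctls[i].code == code)
            return ktgn_ioctls[i].name;
    return NULL;
}

/* 1 if every listed code is FILE_DEVICE_UNKNOWN + METHOD_BUFFERED + FILE_ANY_ACCESS.
 * FILE_ANY_ACCESS means the I/O manager enforces no per-IOCTL read/write right on the
 * handle: any caller that can open the device can send every command, and any gating
 * is left to the driver's own dispatch code. */
int all_codes_any_access_buffered(void) {
    for (size_t i = 0; i < KTGN_IOCTL_COUNT; i++) {
        struct ioctl_fields f = decode_ioctl(ktgn_ioctls[i].code);
        if (f.device_type != FILE_DEVICE_UNKNOWN || f.method != METHOD_BUFFERED ||
            f.access != FILE_ANY_ACCESS)
            return 0;
    }
    return 1;
}

int main(void) {
    printf("%-10s %-7s %-7s %-7s %-7s %s\n", "code", "devtype", "access", "func", "method", "name");
    for (size_t i = 0; i < KTGN_IOCTL_COUNT; i++) {
        struct ioctl_fields f = decode_ioctl(ktgn_ioctls[i].code);
        printf("0x%06X   0x%04X  %-7u 0x%03X   %-7u %s\n", ktgn_ioctls[i].code,
               f.device_type, f.access, f.function, f.method, ktgn_ioctls[i].name);
    }
    printf("all FILE_DEVICE_UNKNOWN/METHOD_BUFFERED/FILE_ANY_ACCESS: %s\n",
           all_codes_any_access_buffered() ? "yes" : "no");
    return 0;
}
```

Decoding shows that all ten codes share device type 0x22, METHOD_BUFFERED and FILE_ANY_ACCESS, with function numbers in the 0x822 to 0x899 range (for example 0x222094 is function 0x825, Kill Process). That pattern is a useful triage hint when an unknown driver's dispatch table turns up: the code table, not Windows access checks, is the only thing standing between a user-mode caller and kernel-level process termination.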