SCATTERED SPIDER attempted a Bring-Your-Own-Vulnerable-Driver (BYOVD) operation to load a kernel driver via CVE-2015-2291 in the Intel Ethernet Diagnostics driver (iqvw64.sys) to gain kernel access and persistence. CrowdStrike detected and blocked the attempt, noted the actor’s use of signed drivers and attempts to bypass competing endpoint tools, and provided defense-in-depth mitigations and policy recommendations.
Key points
- SCATTERED SPIDER targeted telco and BPO sectors with the objective of accessing mobile carrier networks.
- Falcon prevented a novel BYOVD-driven kernel-driver deployment leveraging CVE-2015-2291 in the Intel Ethernet diagnostics driver (iqvw64.sys).
- The actor uses BYOVD to bypass Windows kernel protections and leverage signed drivers, with tools like KDMapper enabling non-signed driver mapping.
- The actor attempted to bypass other endpoint tools (Microsoft Defender for Endpoint, Cortex XDR, SentinelOne) via traditional registry-based evasion techniques.
- Malicious drivers are signed with stolen and test certificates, targeting the Falcon sensor and using trampoline code to subvert security controls.
- CrowdStrike provides prevention and hardening recommendations, including CVE-2015-2291 patching and enabling memory-integrity-based protections.
MITRE Techniques
- [T1566] Phishing – “SCATTERED SPIDER (aka Roasted 0ktapus, UNC3944) leverages a combination of credential phishing and social engineering to capture one-time-password (OTP) codes or overwhelms targets using multifactor authentication (MFA) notification fatigue tactics.”
- [T1218] Signed Binary Proxy Execution – “miscreants attempt to deploy a malicious kernel driver through a vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics driver.”
- [T1112] Modify Registry – “bypass other endpoint tools including Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR and SentinelOne using more traditional defense evasion techniques targeting Windows registry hives.”
- [T1068] Exploitation for Privilege Escalation – “the driver is designed to use the privileged driver space provided by the vulnerable Intel driver to overwrite specific routines in the CrowdStrike Falcon sensor driver with adversary-created trampoline code.”
- [T1036] Masquerading – “The file is signed using a certificate with the following parameters… issued to: Global Software, LLC… This sample is signed using a certificate… The same certificate has been observed signing other malicious files dating back to at least 2018.”
- [T1057] Process Discovery – “The driver walks the list of loaded kernel modules, searching for csagent.sys (the CrowdStrike Falcon kernel component)…”
Indicators of Compromise
- [Hash] kernel-driver samples – b6e82a4e6d8b715588bf4252f896e40b766ef981d941d0968f29a3a444f68fef, e23283e75ed2bdabf6c703236f5518b4ca37d32f78d3d65b073496c12c643cfe, and 2 more hashes
- [File] iqvw64.sys – vulnerable Intel Ethernet diagnostics driver (CVE-2015-2291) abused via BYOVD to load the malicious kernel driver
- [File] csagent.sys – CrowdStrike Falcon kernel component targeted by the driver
- [Certificate] Issued to: Global Software, LLC; serial: 31 11 00 fb 8d ee 5e 09 37 6b 69 a8 f6 23 e0 ee; valid from: 2018-05-14; valid to: 2021-06-18
- [Certificate] Issued to: WDKTestCert guid0,133162475712847553; serial: 23 43 9d 9d d3 2a a7 b2 4b bb 6e 31 64 fb 47 53; valid from: 2022-12-23; valid to: 2032-12-23
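The following host-triage script is an added example, not code from the CrowdStrike post. It ties the indicators above to the hardening recommendation in the key points: it lists loaded drivers that are the vulnerable Intel driver, that match the two sample hashes given here, or that are signed with either listed certificate serial, and it reports whether memory integrity (HVCI) is running. It assumes Windows 10/11, PowerShell 5.1 or later, and an elevated prompt so every driver path is readable.

```powershell
# Added triage script (not from the CrowdStrike post). Assumes Windows 10/11, PowerShell 5.1+,
# and an elevated prompt. Only the two sample hashes and two certificate serials quoted on the
# page are used; extend the lists from your own intelligence feed.
$KnownBadSha256 = @(
    'b6e82a4e6d8b715588bf4252f896e40b766ef981d941d0968f29a3a444f68fef',
    'e23283e75ed2bdabf6c703236f5518b4ca37d32f78d3d65b073496c12c643cfe'
)
$KnownBadSerials = @(   # page serials, spaces removed and uppercased to match .NET's SerialNumber format
    '31 11 00 fb 8d ee 5e 09 37 6b 69 a8 f6 23 e0 ee',
    '23 43 9d 9d d3 2a a7 b2 4b bb 6e 31 64 fb 47 53'
) | ForEach-Object { ($_ -replace ' ', '').ToUpper() }

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver reports NT-style paths; map the common prefixes to Win32 paths.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-HvciEnabled {
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    return [bool]($dg.SecurityServicesRunning -contains 2)
}

function Get-DriverFindings {
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $d.PathName) { continue }
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $reasons = @()
        # iqvw64.sys is Intel's legitimate but vulnerable driver: a risk signal, not proof of compromise.
        if ($path -match 'iqvw64\.sys$') { $reasons += 'vulnerable Intel driver (CVE-2015-2291) present' }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        if ($KnownBadSha256 -contains $hash) { $reasons += 'hash matches listed sample' }
        $cert = (Get-AuthenticodeSignature -FilePath $path).SignerCertificate
        if ($cert -and ($KnownBadSerials -contains $cert.SerialNumber.ToUpper())) {
            $reasons += "signed by listed certificate ($($cert.Subject))"
        }
        if ($reasons) {
            [pscustomobject]@{ Driver = $d.Name; State = $d.State; Path = $path; Reasons = ($reasons -join '; ') }
        }
    }
}

Get-DriverFindings | Format-Table -AutoSize
if (-not (Test-HvciEnabled)) {
    Write-Warning 'Memory integrity (HVCI) is not running; enable it as part of the recommended hardening.'
}
```

A hit on the Intel driver alone means the BYOVD precondition exists on the host and the driver should be removed or blocked; a hash or certificate match warrants incident-response follow-up.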