Fortinet researchers uncovered a Windows kernel driver named WinTapix.sys that uses the Donut open-source loader to execute a .NET payload from memory, functioning as both a backdoor and a proxy with targeted activity in the Middle East, especially Saudi Arabia. The malware implements persistence via Windows services and registry keys, leverages an HTTP-based C2 channel, and can proxy or forward RDP connections for additional access.
#WinTapix #SaudiArabia
Key Points
- WinTapix.sys is a Windows kernel driver that uses Donut to load a memory-resident .NET payload for execution.
- Variants include WinTapix.sys and SRVNET2.SYS, with different compilation timelines and VirusTotal uploads dating back to mid-2020 through 2022.
- The driver loads in the kernel, injects an embedded shellcode into a target process, and the shellcode loads and executes an encrypted .NET payload.
- The shellcode is hardcoded (not fully obfuscated) and targets a 32-bit Local System process, excluding a defined block list.
- Persistence is achieved by creating registry keys and a Windows service, and Safe Boot is used to reinforce startup, with registry monitoring to reactivate the driver if removed.
- The payload builds URL templates based on IIS characteristics to support backdoor and proxy functionality, including HTTP command handling and RDP configuration support.
- Attribution points to an Iranian threat actor, with Saudi Arabia as the primary target and activity surges in 2022–2023; other affected countries include Jordan, Qatar, and UAE.
MITRE Techniques
- [T1055] Process Injection – The shellcode is injected into a suitable target process using ZwOpenProcess(), ZwAllocateVirtualMemory(), and NtWriteVirtualMemory(), with the address of NtWriteVirtualMemory() recovered in runtime to hide function calls. “The address of NtWriteVirtualMemory() is recovered in runtime, helping to hide the function call from static analyzers.”
- [T1543.003] Create or Modify System Process: Windows Service – The driver service is created for persistence, and a service startup path is used to ensure the driver runs. “The service for the driver is then created.”
- [T1112] Modify Registry – Registry keys are created for persistence, including Safe Boot configurations, and monitored for changes. “All created registry keys are monitored using the ZwNotifyChangeKey().”
- [T1059.003] Command and Scripting Interpreter: Command Shell – Command execution via decoded commands from HTTP requests using cmd /c. “If the incoming request contains the string ‘Jet’ or ‘Ver’ parameter, their values are base64-decoded and used to build a command using cmd /c.”
- [T1071.001] Web Protocols – The backdoor uses an HTTP listener and handles incoming requests to execute actions or proxy data. “The list named ‘input2’ is used for the backdoor functionality. It starts an HTTP listener on these URLs…”
- [T1021.001] Remote Services: RDP – The payload can parse RDP config and open a connection to a target RDP server to proxy it to the attacker. “Using this RDP data, it can open a connection to the target RDP server and proxy it to the threat actor.”
Indicators of Compromise
- [Filename] context – WinTapix.sys, SRVNET2.SYS
- [SHA256] context – f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d, 1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e, 8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330, aae9c8bd9db4e0d48e35d9ab3b1a8c7933284dcbeb344809fed18349a9ec7407, 27a6c3f5c50c8813ca34ab3b0791c08817c803877665774954890884842973ed
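The following triage script is an added example, not code from Fortinet or from the page; it shows how a defender can use the indicators above together with the persistence behaviour described in the key points. It hashes file content against the listed SHA256 values, flags System log event 7045 (service installed) records that register a kernel-mode driver named WinTapix.sys or SRVNET2.SYS, and then correlates those service names with Sysmon registry events (IDs 12/13) under the standard Windows Safe Boot location HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot, which is assumed here to be the Safe Boot mechanism the report refers to. The sample events, the service name ExampleDrv and the driver path under System32\drivers are constructed for the demonstration.

```python
import hashlib

# SHA256 values exactly as listed in the IoC section above.
WINTAPIX_SHA256 = {
    "f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d",
    "1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e",
    "8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330",
    "aae9c8bd9db4e0d48e35d9ab3b1a8c7933284dcbeb344809fed18349a9ec7407",
    "27a6c3f5c50c8813ca34ab3b0791c08817c803877665774954890884842973ed",
}
# Driver file names from the IoC section, compared case-insensitively.
DRIVER_NAMES = {"wintapix.sys", "srvnet2.sys"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    """True if the file content hashes to one of the reported SHA256 IoCs."""
    return sha256_hex(data) in WINTAPIX_SHA256


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_driver_services(events):
    """Return {service_name: image_path} for System log 7045 (service installed)
    records that register a kernel-mode driver with one of the reported file names."""
    found = {}
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        if "kernel" not in ev.get("ServiceType", "").lower():
            continue
        if _basename(ev.get("ImagePath", "")) in DRIVER_NAMES:
            found[ev["ServiceName"]] = ev["ImagePath"]
    return found


def find_safeboot_persistence(events, service_names):
    """Return Sysmon 12/13 registry targets under ...\\Control\\SafeBoot\\ whose
    entry name matches a flagged driver service. Such an entry keeps the driver
    loading even in Safe Mode (the 'Safe Boot' persistence in the key points)."""
    hits = []
    wanted = {s.lower() for s in service_names}
    for ev in events:
        if ev.get("EventID") not in (12, 13):
            continue
        target = ev.get("TargetObject", "")
        low = [p.lower() for p in target.replace("/", "\\").split("\\")]
        if "safeboot" not in low:
            continue
        idx = low.index("safeboot")
        # Layout is ...\SafeBoot\<Minimal|Network>\<entry>[\(Default)]
        if len(low) > idx + 2 and low[idx + 2] in wanted:
            hits.append(target)
    return hits


# Constructed sample events (not real logs): a driver service installation
# followed by a Safe Boot registry entry for the same service name.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "ExampleDrv",
     "ImagePath": r"C:\Windows\System32\drivers\WinTapix.sys",
     "ServiceType": "kernel mode driver", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "Tcpip",
     "ImagePath": r"C:\Windows\System32\drivers\tcpip.sys",
     "ServiceType": "kernel mode driver", "StartType": "boot start"},
    {"EventID": 13, "Details": "Driver",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ExampleDrv\(Default)"},
    {"EventID": 13, "Details": "Driver",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga\(Default)"},
]


def triage(events):
    """Correlate driver-service installs with Safe Boot entries for the same service."""
    services = find_driver_services(events)
    return {
        "driver_services": services,
        "safeboot_entries": find_safeboot_persistence(events, services),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Because the report notes that the driver monitors its registry keys and recreates them if removed, a hit on the Safe Boot correlation is better treated as a signal to image the host and stop the service before any key cleanup, rather than as something to remediate by deleting the key alone.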
Read more: https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries