Iranian Hackers Using Windows Kernel Driver

Iranian threat actors have been attacking entities in the Middle East using a new Windows kernel driver, according to a report by researchers at Fortinet. The threat group, tracked by SentinelOne as Agrius, has been using this tool to conduct espionage campaigns and gain unauthorised access to targeted systems.

Named Wintapix by Fortinet's FortiGuard Labs, the driver uses Donut, position-independent shellcode that loads payloads in memory, via process hollowing or thread hijacking.

Wintapix appears to have been active since at least mid-2020, was likely developed by the Agrius threat actor, and has primarily been used in attacks against entities in Saudi Arabia, Jordan, Qatar, and the United Arab Emirates. Microsoft has separately reported that Iranian state-backed hackers have joined ongoing attacks targeting vulnerable PaperCut MF/NG print management servers.

Fortinet says that the Wintapix driver was likely used in major campaigns in August and September 2022 and in February and March 2023, although it remained under the radar until now. Observed samples have compilation dates of May 2020 and June 2021, but were seen in the wild much later.

“Since Iranian threat actors are known to exploit Exchange servers to deploy additional malware, it is also possible that this driver has been employed alongside Exchange attacks. To that point, the compilation time of the drivers is also aligned with times when Iranian threat actors were exploiting Exchange server vulnerabilities,” Fortinet reports.

Because it runs in the kernel, the driver lets the attackers bypass security controls and execute code of their choosing, enabling a range of malicious activity while remaining undetected.
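A malicious kernel driver such as the one described above still has to be loaded as a driver service and, on a 64-bit Windows host, its on-disk image normally carries an Authenticode signature. One practical check for defenders is therefore to inventory the running kernel drivers and flag any whose image is missing, unsigned, has an invalid signature, or is signed by a publisher outside the expected set. The PowerShell below is an added example written for this article; it is not code from Fortinet, SentinelOne, or the reports they published. The `Get-SuspiciousKernelDriver` function name and the default trusted-signer patterns are assumptions to adapt to your own driver baseline.

```powershell
# Added defensive example (not from the Fortinet or SentinelOne reports):
# inventory running kernel drivers and report those whose on-disk image is
# missing, unsigned, has an invalid Authenticode signature, or is signed by a
# publisher that does not match the trusted-signer patterns.

function Get-SuspiciousKernelDriver {
    [CmdletBinding()]
    param(
        # Subject substrings treated as expected signers. Default is an assumption;
        # extend it with the hardware and security vendors present on your fleet.
        [string[]]$TrustedSignerPattern = @('Microsoft Windows', 'Microsoft Corporation')
    )

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Win32_SystemDriver reports NT-style paths (\??\C:\... or
            # \SystemRoot\...); convert them to ordinary Win32 paths.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"

            if (-not (Test-Path -LiteralPath $path)) {
                # A running driver whose image cannot be found on disk deserves a look.
                [pscustomobject]@{ Name = $_.Name; Path = $path; Status = 'ImageMissing'; Signer = $null }
                return
            }

            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

            $trusted = $false
            foreach ($pattern in $TrustedSignerPattern) {
                if ($signer -and $signer -like "*$pattern*") { $trusted = $true }
            }

            # Report anything that is not validly signed by an expected publisher.
            if ($sig.Status -ne 'Valid' -or -not $trusted) {
                [pscustomobject]@{ Name = $_.Name; Path = $path; Status = $sig.Status; Signer = $signer }
            }
        }
}

# Run from an elevated prompt so every driver image is readable.
Get-SuspiciousKernelDriver | Format-Table -AutoSize
```

Third-party drivers with valid signatures from legitimate vendors will appear in the output until their signer is added to `-TrustedSignerPattern`, so the first run on a host is for building a baseline; subsequent runs are for spotting new entries. A signed driver is not automatically benign (stolen or abused signing certificates exist), so treat the list as a triage aid rather than a verdict, and corroborate unexpected entries with the driver's file hash and service creation time.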

The attacks primarily target organisations in the telecommunications, transport, industrial and government sectors, highlighting the ongoing cyber threats faced by entities in the Middle East and the need for robust security measures to defend against such sophisticated attacks.

Sources: Fortinet, SentinelOne, Oodaloop, Security Week, Hacker News, HackDojo, Bleeping Computer, CyberWire
