Iranian Hackers Using Windows Kernel Driver

Iranian threat hackers have frequently been attacking entities in the Middle East using a new Windows kernel driver, according to a report by researchers at Fortinet. A threat group identified by SentinelOne and known as Agrius, has been using this advanced tool to conduct espionage campaigns and gain unauthorised access to targeted systems.

Called Wintapix by Fortinet's Fortiguard Labs, this driver uses the Donut, a position-independent code that enables in-memory loading of payloads through shellcode, using process hollowing or thread hijacking.

Wintapix appears to have been active since at least mid-2020, likely developed by the Agrius threat actor and primarily used in attacks against entities in Saudi Arabia, Jordan, Qatar, and the United Arab Emirates. Microsoft have separately reported on Iranian state-backed hackers have joined in ongoing attacket targeting vulnerable PaperCut MF/NG print management servers.

Fortinet says that the Wintapix driver was likely used in some major campaigns in August and September 2022 and in February and March 2023, albeit it remained under the radar to date. Observed samples have compilation dates of May 2020 and June 2021, but were seen in the wild much later.

“Since Iranian threat actors are known to exploit Exchange servers to deploy additional malware, it is also possible that this driver has been employed alongside Exchange attacks. To that point, the compilation time of the drivers is also aligned with times when Iranian threat actors were exploiting Exchange server vulnerabilities,” Fortinet reports.

The kernel driver allows the hackers to bypass security mechanisms and execute malicious code, enabling them to carry out various malicious activities while remaining undetected.

The attacks primarily target organisations in the telecommunications, transport, industrial and government sectors, highlighting the ongoing cyber threats faced by entities in the Middle East and the need for robust security measures to defend against such sophisticated attacks.

Fortinet:      SentinelOne:    Oodaloop:    Security Week:     Hacker News:      HackDojo:     

Bleeping Computer:    CyberWire:  

You Might Also Read: 

Iranian Hacking Group Deploys Customised Spyware:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« A New Approach To Cyber Security Helps Resist Extortion
Advanced Phishing Attacks Tripled In 2022 »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Technology Association of Georgia (TAG)

Technology Association of Georgia (TAG)

TAG's mission is to educate, promote, influence and unite Georgia's technology community to stimulate and enhance Georgia's tech-based economy.

Cloudbric

Cloudbric

Cloudbric is a cloud-based web security service, offering award-winning WAF, DDoS protection, and SSL, all in a full-service package.

CyberCrowd

CyberCrowd

CyberCrowd is a cyber security specialist offering technical services, cyber security assessments, guidance and security thought leadership.

Igloo Security

Igloo Security

Igloo Security is a leader and pioneer in SIEM (Security Information & Event Management), PSIM (Physical Security Information Management) and MSS (Managed Security Services).

Sungard Availability Services (Sungard AS)

Sungard Availability Services (Sungard AS)

Sungard AS partners with customers around the globe to understand their unique business needs and provide production and recovery services tailored to their requirements.

Blaze Information Security

Blaze Information Security

Blaze Information Security is a privately held, independent information security firm born from years of combined experience and international presence.

Avertium

Avertium

Avertium is the managed security and consulting provider that companies turn to when they want more than check-the-box cybersecurity.

CounterFind

CounterFind

CounterFind is turnkey technology that allows brands to find and remove counterfeit and infringing merchandise from online marketplaces and social media sites.

MainNerve

MainNerve

MainNerve helps secure networks, applications, people, and facilities… enabling businesses to reduce risk and increase their cybersecurity posture.

Open Source Security Foundation (OpenSSF)

Open Source Security Foundation (OpenSSF)

OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

Gen Digital

Gen Digital

At Gen™, our mission is to create technology solutions for people to take full advantage of the digital world, safely, privately, and confidently – so together, we can build a better tomorrow.

HCS

HCS

HCS is an IT Company and Telecoms provider with an experienced team who are dedicated to ensuring our clients business systems are protected.

Incode

Incode

Incode is the leading provider of world-class identity solutions that is reinventing the way humans authenticate and verify their identities online.

Mother Technologies

Mother Technologies

From Datacentre to Desktop, Mother Technologies has been delivering IT Support, Telecoms, Cybersecurity and Connectivity services to businesses across Scotland and beyond since 2002.

SysGroup

SysGroup

SysGroup is an award-winning managed IT services, cloud hosting, and IT consultancy provider.

Coana

Coana

Coana helps software teams tackle the flood of alerts from traditional SCA tools. Using advanced reachability analysis, Coana cuts false alerts by over 80%, freeing up significant engineering time.