Iranian Hackers Using Windows Kernel Driver

Uploaded on 2023-07-12 in TECHNOLOGY--Hackers, INTELLIGENCE-Hot Spots-Iran, FREE TO VIEW

Iranian threat hackers have frequently been attacking entities in the Middle East using a new Windows kernel driver, according to a report by researchers at Fortinet. A threat group identified by SentinelOne and known as Agrius, has been using this advanced tool to conduct espionage campaigns and gain unauthorised access to targeted systems.

Called Wintapix by Fortinet's Fortiguard Labs, this driver uses the Donut, a position-independent code that enables in-memory loading of payloads through shellcode, using process hollowing or thread hijacking.

Wintapix appears to have been active since at least mid-2020, likely developed by the Agrius threat actor and primarily used in attacks against entities in Saudi Arabia, Jordan, Qatar, and the United Arab Emirates. Microsoft have separately reported on Iranian state-backed hackers have joined in ongoing attacket targeting vulnerable PaperCut MF/NG print management servers.

Fortinet says that the Wintapix driver was likely used in some major campaigns in August and September 2022 and in February and March 2023, albeit it remained under the radar to date. Observed samples have compilation dates of May 2020 and June 2021, but were seen in the wild much later.

“Since Iranian threat actors are known to exploit Exchange servers to deploy additional malware, it is also possible that this driver has been employed alongside Exchange attacks. To that point, the compilation time of the drivers is also aligned with times when Iranian threat actors were exploiting Exchange server vulnerabilities,” Fortinet reports.

The kernel driver allows the hackers to bypass security mechanisms and execute malicious code, enabling them to carry out various malicious activities while remaining undetected.

The attacks primarily target organisations in the telecommunications, transport, industrial and government sectors, highlighting the ongoing cyber threats faced by entities in the Middle East and the need for robust security measures to defend against such sophisticated attacks.

Fortinet:      SentinelOne:    Oodaloop:    Security Week:     Hacker News:      HackDojo:     

Bleeping Computer:    CyberWire:  

You Might Also Read: 

Iranian Hacking Group Deploys Customised Spyware:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« A New Approach To Cyber Security Helps Resist Extortion
Advanced Phishing Attacks Tripled In 2022 »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ON-DEMAND WEBINAR: Harnessing the power of Security Information and Event Management (SIEM)

ON-DEMAND WEBINAR: Harnessing the power of Security Information and Event Management (SIEM)

Join our experts as they give the insights you need to power your Security Information and Event Management (SIEM).

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Kent Interdisciplinary Research Centre in Cyber Security (KirCCS) - University of Kent

Kent Interdisciplinary Research Centre in Cyber Security (KirCCS) - University of Kent

KirCCS harnesses expertise across Kent University to address current and potential cyber security challenges.

Cisco Talos

Cisco Talos

Talos is an industry-leading threat intelligence solution that protects your organization’s people, data and infrastructure from active adversaries.

Data Resolve Technologies

Data Resolve Technologies

Data Resolve offer a mechanism through which customers can detect and tackle various kinds of sensitive activities pertaining to data loss and data theft.

Neoteric Networks

Neoteric Networks

We deliver a no nonsense procedure to implementing technology. The technology selection process ensures that all customers enjoy an engineered methodology implementing technology.

Cryptsoft

Cryptsoft

Cryptsoft provides key management and security software development toolkits based around open standards such as OASIS KMIP and PKCS#11.

ACPL Systems

ACPL Systems

We offer leading-edge technology solutions, expert professional and managed services and proven methodologies to ensure your data is protected and business risks are reduced.

Cycode

Cycode

Cycode is the industry’s first source code control, detection, and response platform.

MythX

MythX

MythX is the premier security analysis service for Ethereum smart contracts.

Blockchain Reactor

Blockchain Reactor

Blockchain Reactor is a blockchain consultancy and implementation company providing cutting-edge blockchain solutions for start-ups and enterprises.

Forum Systems

Forum Systems

Forum Systems is a global leader in API Security Management with industry-certified, patented, and proven products deployed in the most rigorous and demanding customer environments.

Secmation

Secmation

Secmation are an agile engineering services firm providing advanced DoD level security design and consultation services for both commercial and defense hardware and software applications.

European Center for CyberSecurity in Aviation (ECCSA)

European Center for CyberSecurity in Aviation (ECCSA)

ECCSA is a cooperative partnership within the aviation community to better understand emerging cybersecurity risks in aviation and provide collective support in dealing with cybersecurity incidents.

CyberArmor

CyberArmor

Cyber Armor defend everyday IT and OT systems, from government agencies to critical infrastructure, from system integrators to small industries.

Feroot Security

Feroot Security

Feroot Security secures client-side web applications so that businesses can deliver a flawless user experience to their customers. Our products help organizations protect their client-side surface.

CyberconIQ

CyberconIQ

CyberconIQ provide an integrated Human Defense Platform that reduces the probability and/or the cost of a cybersecurity breach by measurably improving our clients risk posture and compliance culture.

Resilience Cyber insurance

Resilience Cyber insurance

Resilience helps to improve cyber resilience by connecting cyber insurance coverage with advanced cybersecurity visibility and a shared plan to reinforce great cyber hygiene.