BlackCat has always been a sophisticated group with advanced tactics and techniques for evading defenses as well as leveraging new platforms for development. BlackCat was one of the first groups to use Rust for their ransomware. They also employ a triple extortion technique (encryption, data exfiltration, and DDoS attacks) that puts them in a different category from the other Ransomware as a Service (RaaS) groups. According to FBI reports, the group has connections with other, now-defunct, RaaS services. In short, BlackCat is an experienced, sophisticated group that represents a danger to any organization.
TrendMicro recently released a document showing this type of development effort. In late 2022 a group of security companies released a coordinated disclosure showing that kernel drivers signed using several Microsoft hardware developer accounts were being used in malicious activity. The accounts were certified by the Microsoft Hardware Developer Program, which would indicate a supply chain attack to compromise those accounts or at least their signing certificates. Microsoft has since revoked the accounts that were used at the time. However, in an incident which took place in February of this year (2023), TrendMicro observed BlackCat using an updated version of a signed driver (from previously disclosed samples) in a defense evasion technique to deploy ransomware. When this driver was detected, BlackCat then switched to a cross-signing certificate they had access to.
The use of signed kernel drivers, according to the TrendMicro report, is primarily to evade detection during the initial deployment phase (more than 50%). These drivers look to disable processes and services that are linked to anti-malware applications, EDR/MDR/XDR and other security tools to make deployment more likely. Threat groups generally acquire stolen or leaked certificates, or they try to get a legitimate certificate via a front development group. It is not unheard of for threat groups to become sophisticated enough that they have "legitimate" branches like development groups so they can leverage this. Either way, once they have a valid certificate, they use it to sign their malicious code. The hope is that they can slip the signed driver through detection by leveraging a blanket safelist for anything signed by a Microsoft-trusted certificate (as many EDRs do).
The driver observed in the February attack was, fortunately, detected due to the use of an already blocked signing certificate. This meant TrendMicro was able to identify and monitor the new driver to see what it was up to. They noted that the driver in question was resistant to static analysis, making it more difficult to break down. This protection would also defeat some on-write protections which look to analyze a file as it is written to disk. TrendMicro was able to analyze the file by loading it and observing the calls and functions. They cataloged each of the IOCTL (Input and Output Control) code calls. Once their analysis was complete, TrendMicro concluded that this particular driver was still under development, as many of the function calls did not seem to be working properly. While this is a good thing, it does show how dangerous these organizations are.
Recent developments in the threat landscape show an organized and coordinated approach being used by threat groups. The ecosystem and support available to these groups is impressive. We see supply chain attacks that inject malicious code into known popular repositories, groups being targeted specifically for certificates and keys (think the MSI breach), and development teams that have the resources to dive into Windows, macOS, and Linux deep enough to successfully exploit low-level functions which help them evade detection and response.
Security teams are advised to ensure code signing enforcement is enabled, to add the known IOCs for this new attack to a block list, to add detection and blocking for new drivers and software that do not meet age requirements, and to ensure that no unauthorized software is allowed in the environment. This is on top of any existing EDR/MDR/XDR that might be in use. Stay safe out there.
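As an added example (not code from the original post or from the TrendMicro report), the following PowerShell sweep applies the driver-focused recommendations above to a single host: it enumerates registered kernel drivers and flags those with an unsigned or invalid Authenticode signature, a signer thumbprint on a local block list, or a driver file younger than an age threshold. The block-list thumbprint and the 30-day threshold are constructed placeholders, not indicators from the report.

```powershell
# Added example (not from the TrendMicro report or the original post): enumerate
# the kernel drivers registered on a Windows host and flag the ones a defender
# would want to review: unsigned or invalid signatures, signer thumbprints on a
# local block list, and driver files younger than an age threshold.
# $BlockedThumbprints is a constructed placeholder list, not real IOCs from the page.

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                    # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"     # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # relative "system32\drivers\x.sys"
    return $p
}

function Find-SuspiciousDriver {
    param(
        [int]$MaxAgeDays = 30,                                 # "age requirement": flag very new driver files
        [string[]]$BlockedThumbprints = @('0000000000000000000000000000000000000000')  # placeholder block list
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }   # skip entries with no file on disk
        $file = Get-Item -LiteralPath $path
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $reasons = @()
        if ($sig.Status -ne 'Valid') { $reasons += "signature:$($sig.Status)" }
        if ($sig.SignerCertificate -and $BlockedThumbprints -contains $sig.SignerCertificate.Thumbprint) {
            $reasons += 'signer-on-blocklist'
        }
        if ($file.LastWriteTime -gt $cutoff) { $reasons += "newer-than-${MaxAgeDays}d" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name    = $_.Name
                State   = $_.State
                Path    = $path
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
                Reasons = $reasons -join ','
            }
        }
    }
}

# Usage: run from an elevated PowerShell session and review the output before
# adding thumbprints or driver hashes to your EDR/WDAC block list.
Find-SuspiciousDriver -MaxAgeDays 30 | Format-Table -AutoSize
```

Inbox Microsoft drivers that are catalog-signed rather than embedded-signed can show a non-Valid status depending on the PowerShell version, so treat that bucket as review, not alert.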
Read the full TrendMicro report ()