Hackers Use Stolen Certificates to Bypass Endpoint Detection and Response

A Russian-speaking ransomware group has been deploying a malicious Windows PE driver that imitates a legitimate CrowdStrike Falcon driver to bypass endpoint security, researchers warn.
“Bring Your Own Vulnerable Driver” is a well-trodden method hackers use to disable security tools, and the Medusa ransomware operation has apparently taken to it since last August, researchers from Elastic said.
Samples of the driver found on VirusTotal, named smul.sys, were likely signed using stolen, revoked certificates from Chinese companies. Medusa has been active since mid-2021 and has recently been on the cutting edge of shakedown tactics through its use of a triple extortion scheme meant to coerce victims into paying twice over for a decryptor, the U.S. federal government warned earlier this month.
The driver, first reported by ConnectWise in another campaign, was deployed alongside a Heartcrypt-packed loader.
A key enabler of this campaign’s stealth is the Medusa operators’ use of digital certificates stolen from legitimate companies. Researchers identified several compromised certificates, including ones issued to Foshan Gaoming Kedeyu Insulation Materials, Changsha Hengxiang Information Technology and Shenzhen Yundian Technology. Certificate theft often goes undetected, leaving organizations susceptible to unknowingly trusting malicious files.
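As an added illustration (not code from the Elastic report or from this article), the following Python triage routine flags driver-load records that show the indicators described above: a signer matching one of the named companies, a revoked or otherwise unacceptable signature status, a file whose description claims to be the CrowdStrike Falcon driver while carrying a different signer, or the smul.sys file name. The record format, the Description values and the "CrowdStrike" signer string are assumptions, and the sample records are constructed.

```python
# Signer organisations the article names as sources of stolen certificates.
STOLEN_CERT_SIGNERS = {
    "Foshan Gaoming Kedeyu Insulation Materials",
    "Changsha Hengxiang Information Technology",
    "Shenzhen Yundian Technology",
}
LEGIT_FALCON_SIGNER = "CrowdStrike"   # assumed signer of a genuine Falcon driver
BAD_STATUS = {"revoked", "expired", "invalid"}  # never acceptable for a kernel driver

# Constructed driver-load records (not real telemetry); field names are loosely
# modelled on Sysmon Event ID 6 plus a Description field from the file's version info.
SAMPLE_RECORDS = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\smul.sys|Description=CrowdStrike Falcon Sensor"
    "|Signature=Foshan Gaoming Kedeyu Insulation Materials|SignatureStatus=Revoked",
    "ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys|Description=NT File System Driver"
    "|Signature=Microsoft Windows|SignatureStatus=Valid",
]

def parse_record(line):
    """Split 'key=value|key=value' into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)

def triage(rec):
    """Return the reasons a driver-load record looks like BYOVD abuse (empty if clean)."""
    name = rec.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
    signer, status = rec.get("Signature", ""), rec.get("SignatureStatus", "")
    reasons = []
    if signer in STOLEN_CERT_SIGNERS:
        reasons.append(f"signed with stolen certificate of '{signer}'")
    if status.lower() in BAD_STATUS:
        reasons.append(f"signature status is {status}")
    # Masquerade check: claims to be Falcon but the signer is not CrowdStrike.
    if "falcon" in rec.get("Description", "").lower() and LEGIT_FALCON_SIGNER not in signer:
        reasons.append("description mimics CrowdStrike Falcon but signer differs")
    if name == "smul.sys":
        reasons.append("file name matches the sample Elastic found on VirusTotal")
    return reasons

def find_suspicious(lines):
    """Map each flagged driver's file name to its list of reasons."""
    flagged = {}
    for line in lines:
        rec = parse_record(line)
        reasons = triage(rec)
        if reasons:
            flagged[rec.get("ImageLoaded", "").rsplit("\\", 1)[-1]] = reasons
    return flagged

if __name__ == "__main__":
    for driver, why in find_suspicious(SAMPLE_RECORDS).items():
        print(driver, "->", "; ".join(why))
```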
After execution, the driver creates a device with the path and a link. It initializes by loading kernel modules and registering pre-operation callbacks using ObRegisterCallbacks, allowing the attackers to detect and block security tools’ attempts to access protected processes.
The malware iterates through process IDs, stripping access handles from running processes and blocking security tools from inspecting or terminating the malware’s own processes. It registers callbacks to detect when security tools attempt to open handles to its protected threads and denies access, effectively neutralizing EDR solutions.
The driver exposes an extensive set of I/O control (IOCTL) handlers that give attackers a range of operations, including terminating processes, deleting files and modifying system components. It can remove security hooks by restoring the original major functions of the NTFS and PnP drivers, preventing security products from monitoring system activity.
It can also detach minifilter devices, blinding security tools that rely on file system monitoring. By manipulating I/O request packets (IRPs) directly, the driver bypasses the standard file-operation APIs, allowing it to stealthily create, copy and delete files without triggering detection.
The malware can reboot the system using the undocumented HalReturnToFirmware function, effectively wiping traces of its activity.