Iranian Hackers Using Windows Kernel Driver

Uploaded on 2023-07-12 in TECHNOLOGY--Hackers, INTELLIGENCE-Hot Spots-Iran, FREE TO VIEW

Iranian threat hackers have frequently been attacking entities in the Middle East using a new Windows kernel driver, according to a report by researchers at Fortinet. A threat group identified by SentinelOne and known as Agrius, has been using this advanced tool to conduct espionage campaigns and gain unauthorised access to targeted systems.

Called Wintapix by Fortinet's Fortiguard Labs, this driver uses the Donut, a position-independent code that enables in-memory loading of payloads through shellcode, using process hollowing or thread hijacking.

Wintapix appears to have been active since at least mid-2020, likely developed by the Agrius threat actor and primarily used in attacks against entities in Saudi Arabia, Jordan, Qatar, and the United Arab Emirates. Microsoft have separately reported on Iranian state-backed hackers have joined in ongoing attacket targeting vulnerable PaperCut MF/NG print management servers.

Fortinet says that the Wintapix driver was likely used in some major campaigns in August and September 2022 and in February and March 2023, albeit it remained under the radar to date. Observed samples have compilation dates of May 2020 and June 2021, but were seen in the wild much later.

“Since Iranian threat actors are known to exploit Exchange servers to deploy additional malware, it is also possible that this driver has been employed alongside Exchange attacks. To that point, the compilation time of the drivers is also aligned with times when Iranian threat actors were exploiting Exchange server vulnerabilities,” Fortinet reports.

The kernel driver allows the hackers to bypass security mechanisms and execute malicious code, enabling them to carry out various malicious activities while remaining undetected.

The attacks primarily target organisations in the telecommunications, transport, industrial and government sectors, highlighting the ongoing cyber threats faced by entities in the Middle East and the need for robust security measures to defend against such sophisticated attacks.

Fortinet:      SentinelOne:    Oodaloop:    Security Week:     Hacker News:      HackDojo:     

Bleeping Computer:    CyberWire:  

You Might Also Read: 

Iranian Hacking Group Deploys Customised Spyware:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« A New Approach To Cyber Security Helps Resist Extortion
Advanced Phishing Attacks Tripled In 2022 »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Foundation for Strategic Research (FRS)

Foundation for Strategic Research (FRS)

The Foundation for Strategic Research is France's main independent think tank on strategic, defense and security issues. Cyber security is covered as part of the study areas.

Identiv

Identiv

Identiv is a global security technology company that establishes trust in the connected world, including premises, information and everyday items.

Q-CERT

Q-CERT

Q-CERT is the National Computer Security Emergency Team of Qatar.

Avatier

Avatier

Avatier identity management software products automate identity access management, user provisioning and IT governance to ensure information security and compliance.

SEC Consult

SEC Consult

SEC Consult is a leading European consultancy for application security services and information security.

SysTools

SysTools

SysTools provides a range of services including data recovery, digital forensics, and cloud backup solutions.

Applied Risk

Applied Risk

Applied Risk is an established leader in Industrial Control Systems security, focused on critical infrastructure security and combating security breaches that pose a significant threat.

Shinobi Cyber

Shinobi Cyber

Shinobi Defense System is an integrated security system that absolutely secures information with smart, automatic encryption and protects your endpoints by stopping any unauthorized actions.

ReliaQuest

ReliaQuest

ReliaQuest’s GreyMatter solution connects existing technology, people, and process – then equips security teams with unified, actionable insights across their entire environment.

ISMS Accreditation Center (ISMS-AC)

ISMS Accreditation Center (ISMS-AC)

ISMS-AC is the national accreditation body for Japan. The directory of members provides details of organisations offering certification services for ISO 27001.

Gallarus Industry Solutions

Gallarus Industry Solutions

Gallarus leads innovation within industrial Manufacturing, Production and Management Systems, including Cyber Security solutions specifically developed to protect against the latest cyber criminality.

Cord3

Cord3

Cord3 delivers data protection, even from trusted administrators – or hackers posing as administrators – with high privilege.

Soteria

Soteria

Soteria is a global leader in the development, integration and implementation of advanced cyber security, intelligence and IT solutions, delivering complete end-to-end solutions.

TempoCap

TempoCap

TempoCap is a European growth-stage technology fund with offices in London and Berlin. We invest across a variety of high- growth sectors including cybersecurity.

Lodestone

Lodestone

Lodestone partners with clients to help them mitigate business and reputational risk, through our human-based, approach to cyber security, digital forensics and incident response.

Netsurit

Netsurit

Managed IT, Cloud, and Security Services. Netsurit is Your IT Innovation and Digital Transformation Accelerator.