BlackCat Ransomware affiliate uses signed kernel driver to evade detection

BlackCat Ransomware affiliate uses signed kernel driver to evade detection

Experts spotted the ALPHV/BlackCat ransomware group using signed malicious Windows kernel drivers to evade detection.


Trend Micro researchers shared details about ALPHV/BlackCat ransomware incident that took place on February 2023. A BlackCat affiliate employed signed malicious Windows kernel drivers to evade detection.


Experts believe the driver is a new version of the malware reported in December 2022 by MandiantSophos and Sentinel One, via a coordinated disclosure.

The attackers attempted to deploy the driver (ktgn.sys) previously analyzed by Mandiant, which is signed through Microsoft signing portals.




The use of a Windows kernel driver, which runs with the highest privileges in the OS, allows attackers to kill any process associated with defense products.


The researchers pointed out that even if the certificate that was used to sign the ktgn.sys driver has been revoked, the driver will still load on 64-bit Windows systems with enforced signing policies.


The kernel driver employed in the attack exposes an IOCTL interface that allows the user Agent tjr.exe to issue commands that the driver will execute with kernel privileges.


“The User Agent tjr.exe, which is protected via a virtual machine, drops the kernel driver to the user temporary directory C:\%User%AppDataLocalTempKtgn.sys. It then installs the dropped driver with the name ktgn and the start value = System (to start when the system r ..

Support the originator by clicking the read the rest link below.