
Middle East Nations are the Target of the WinTapix Attack Campaign


By Esme Greene

Aug 9, 2023

The campaign makes use of a malicious Windows kernel driver named WinTapix.sys (or simply WinTapix), which has been loosely attributed to an unidentified Iranian threat actor.

According to Fortinet FortiGuard Labs, WinTapix is used chiefly as a loader that runs and delivers next-stage malware in the form of shellcode. That shellcode was generated with the open-source Donut project, which produces position-independent shellcode well suited to process injection.

Malware activity surged in August and September 2022 and again in February and March 2023. The main targets were Saudi Arabia, Jordan, Qatar and the United Arab Emirates, countries that several Iranian state-sponsored groups have repeatedly targeted.

How exactly does WinTapix work?

WinTapix.sys does not carry a valid code-signing signature, so a Windows system enforcing driver signature enforcement will not load it on its own. Its operators are therefore believed to rely on the Bring Your Own Vulnerable Driver (BYOVD) technique: a legitimately signed but vulnerable driver is loaded first, and its flaw is abused to get the unsigned WinTapix driver into the kernel. BYOVD is how the driver gets loaded, not how victims are selected.

Once loaded into kernel memory, WinTapix looks for a suitable user-mode process with the required privileges and injects additional shellcode into it. That shellcode then launches a .NET payload that targets Microsoft IIS servers.

The .NET payload acts as a backdoor: it lets the attacker execute commands, upload and download files, and relay traffic as a proxy between two endpoints.

Ending remarks

The campaign has drawn the attention of security researchers because it abuses kernel-mode drivers, which run with the highest privileges on a Windows system. Administrators are advised to enable Microsoft's vulnerable driver blocklist (enforced through memory integrity/HVCI or a Windows Defender Application Control policy) so that known-abusable signed drivers cannot be loaded, which removes the BYOVD foothold this campaign depends on.
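As an added example that is not part of the original article or of Fortinet's report, the following PowerShell script covers both the BYOVD loading step described above and the blocklist advice: it checks whether the vulnerable driver blocklist and HVCI are active, then enumerates running kernel drivers and lists any whose Authenticode signature is not Valid. The registry value, WMI class and cmdlets are Microsoft-documented; the output formatting and the path normalisation rules are this example's own choices. Run it in an elevated PowerShell session.

```powershell
# Added example (not the article's or Fortinet's code): audit loaded kernel drivers
# and check BYOVD mitigations. Requires an elevated PowerShell session.

# 1. Is Microsoft's vulnerable driver blocklist enabled?
#    Documented registry switch: VulnerableDriverBlocklistEnable = 1 under CI\Config.
$ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable `
              -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($blocklist -eq 1) {
    Write-Output 'Vulnerable driver blocklist: ENABLED'
} else {
    Write-Output "Vulnerable driver blocklist: NOT enabled (set VulnerableDriverBlocklistEnable=1 under $ciConfig, or turn on Memory Integrity)"
}

# 2. Is hypervisor-protected code integrity (HVCI) running?
#    In Win32_DeviceGuard, the value 2 in SecurityServicesRunning means HVCI.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg -and ($dg.SecurityServicesRunning -contains 2)) {
    Write-Output 'HVCI (Memory Integrity): running'
} else {
    Write-Output 'HVCI (Memory Integrity): not running'
}

# 3. Enumerate running kernel drivers and flag anything without a Valid signature.
#    An unsigned or invalidly signed .sys in this list is exactly what a BYOVD chain
#    produces once the vulnerable driver has been used to load the malicious one.
$suspicious = foreach ($drv in Get-CimInstance Win32_SystemDriver |
                         Where-Object { $_.State -eq 'Running' -and $_.PathName }) {
    # PathName may be '\??\C:\...' or '\SystemRoot\System32\...'; normalise to a file path.
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        [pscustomobject]@{
            Name            = $drv.Name
            Path            = $path
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
        }
    }
}

if ($suspicious) {
    Write-Output 'Running drivers without a Valid Authenticode signature:'
    $suspicious | Format-Table -AutoSize
} else {
    Write-Output 'All running drivers carry a Valid Authenticode signature.'
}
```

Two caveats when reading the output. A Valid signature only proves the file was signed by a trusted publisher, not that the driver is safe: the whole point of BYOVD is that the first driver in the chain is legitimately signed, so step 3 catches the unsigned second stage, while steps 1 and 2 are what stop the signed first stage from loading at all. Second, some inbox drivers are signed through a catalog file rather than an embedded signature and may show as NotSigned on older PowerShell versions; treat those as needing a second look, not as an immediate alarm.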


Esme Greene

Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.