The campaign relies on a malicious Windows kernel driver named WinTapix.sys (WinTapix for short), which has been tentatively attributed to an unidentified threat actor believed to operate out of Iran.
According to Fortinet FortiGuard Labs, WinTapix is used mainly as a loader: it executes shellcode that retrieves and launches next-stage malware. That shellcode was generated with the open-source Donut project, which produces position-independent shellcode well suited to process injection.
Activity spiked in August and September 2022 and again in February and March 2023. The main targets were Saudi Arabia, Jordan, Qatar, and the United Arab Emirates, countries that a number of Iranian state-sponsored groups have repeatedly singled out.
How exactly does WinTapix work?
WinTapix.sys does not carry a valid signature, so it cannot be loaded directly on a system that enforces driver signature checks. The attackers therefore use the Bring Your Own Vulnerable Driver (BYOVD) technique: a legitimately signed but vulnerable driver is loaded first and abused to get the rogue driver into the kernel.
Once loaded into kernel memory, WinTapix looks for a suitable user-mode process running with adequate privileges and injects further shellcode into it. That shellcode in turn launches a .NET payload that targets Microsoft IIS servers.
The .NET payload acts as a backdoor: it lets the attacker execute commands, upload and download files, and set up a proxy between two endpoints.
The campaign has drawn security researchers' attention because of its abuse of kernel-mode drivers. To reduce exposure, users are advised to enable Windows' vulnerable driver blocklist without delay; it stops known-vulnerable drivers from loading and so removes the first step of a BYOVD chain.
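The BYOVD loading step and the blocklist recommendation above translate into two practical checks: is anything running in the kernel without a valid signature, and is the blocklist (or HVCI, which enforces it) actually on? The PowerShell below is an added example, written for this page; it is not code from the original article or from Fortinet's report. It assumes an elevated session, uses the registry value Microsoft documents for the blocklist, and optionally reads Sysmon DriverLoad events (Event ID 6) if Sysmon is installed. Function names are our own.

```powershell
# Added example, not from the original article or Fortinet's report.
# Hunts for loaded kernel drivers without a valid signature and checks whether
# the Microsoft vulnerable driver blocklist and HVCI are enabled. Run elevated.
# Assumptions: Sysmon logs Event ID 6 (DriverLoad); the registry value below is
# the one Microsoft documents for enabling the blocklist without HVCI.

function Get-LoadedDriverSignatures {
    # Win32_SystemDriver lists kernel drivers; PathName is the on-disk image.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may be '\??\C:\...' or '\SystemRoot\...'; normalise it.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            $sig = if (Test-Path -LiteralPath $path) {
                Get-AuthenticodeSignature -FilePath $path
            } else { $null }
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
                Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

function Get-SuspiciousDrivers {
    # Anything whose status is not 'Valid' deserves a look; a driver like
    # WinTapix.sys, which lacks a valid signature, would be listed here.
    Get-LoadedDriverSignatures | Where-Object { $_.Status -ne 'Valid' }
}

function Test-VulnerableDriverBlocklist {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    [bool]($val -and $val.VulnerableDriverBlocklistEnable -eq 1)
}

function Enable-VulnerableDriverBlocklist {
    # Turns the blocklist on via the documented registry value; a reboot is
    # needed before it takes effect.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-HvciRunning {
    # SecurityServicesRunning contains 2 when HVCI (memory integrity) is active;
    # HVCI enforces the blocklist by itself.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
}

function Get-SysmonUnsignedDriverLoads {
    param([int]$Hours = 24)
    # Sysmon Event ID 6 = DriverLoad; the Signed field is 'false' for unsigned images.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 6
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Image     = $d['ImageLoaded']
            Signed    = $d['Signed']
            Signature = $d['Signature']
        }
    } | Where-Object { $_.Signed -ne 'true' }
}

# --- usage ---
"Vulnerable driver blocklist enabled : $(Test-VulnerableDriverBlocklist)"
"HVCI running                        : $(Test-HvciRunning)"
"Loaded drivers without a valid signature:"
Get-SuspiciousDrivers | Format-Table -AutoSize
"Sysmon DriverLoad events for unsigned images (last 24h):"
Get-SysmonUnsignedDriverLoads | Format-Table -AutoSize
```

Two caveats when reading the output. First, the blocklist only stops drivers Microsoft has already listed; a BYOVD chain built on a signed driver that is not yet on the list will still load, so the signature hunt and the Sysmon DriverLoad review matter even with the blocklist on. Second, `Get-AuthenticodeSignature` resolves catalog signatures on current Windows builds, so Microsoft-shipped drivers without an embedded signature should still report `Valid`; treat `NotSigned`, `HashMismatch` or `UnknownError` on a driver in `System32\drivers` as something to investigate rather than dismiss.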