Cybercriminals are increasingly exploiting legitimate Windows driver signing processes to deploy sophisticated kernel-level malware. A new investigation has uncovered how threat actors are systematically abusing Microsoft’s Windows Hardware Compatibility Program. They use this program to legitimize malicious kernel drivers, effectively bypassing traditional security defenses and gaining system control. Since 2020, security researchers have identified more than 620 malicious drivers and over eighty compromised certificates. This scale represents a significant escalation in kernel-level attacks, with many drivers functioning as loaders for secondary payloads.
The research has exposed a thriving underground economy for code-signing certificates on criminal forums. Extended Validation (EV) certificates sell for prices ranging from two thousand to sixty-five hundred dollars. Although EV certificates require thorough validation of a company's legal status, they are being obtained through fraudulent business registrations rather than through the traditional route of stealing certificates from legitimate companies.
This underground market has shifted from primarily selling stolen certificates to providing freshly issued ones using fake identities.
Modern kernel loaders add a further layer of obfuscation to these attacks. These first-stage drivers are designed specifically to load secondary components, both unsigned and signed drivers. The POORTRY malware family illustrates this evolution, having progressed from a simple EDR deactivator to a wiper. It is used by major ransomware groups including BlackCat, Cuba, and the LockBit ransomware operation.
The analysis reveals a significant concentration of malicious activity that originates from Chinese threat actors.
In response to this threat, Microsoft has implemented several defensive measures. The company created the Microsoft Vulnerable Driver Blocklist, which is enabled by default on Windows 11 systems. Microsoft has also revoked numerous certificates and suspended developer accounts that were used in malicious campaigns. However, the research indicates that much stronger validation mechanisms are needed to counter this growing threat, including more rigorous verification procedures for EV certificate issuance and potentially physical presence checks.
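Because the drivers described above carry valid signatures, a signature check alone does not identify them; a defender instead wants to confirm the Vulnerable Driver Blocklist is active and keep an inventory of loaded drivers and their signers to compare against revocations. The following PowerShell is an added example written for this article, not code from the research or from Microsoft; the registry value name `VulnerableDriverBlocklistEnable` under `HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config` is taken from Microsoft's documentation and is assumed here.

```powershell
# Added example: report blocklist state and inventory running kernel drivers with signer details.
function Get-VulnerableDriverBlocklistState {
    # Assumed registry location of the blocklist switch (per Microsoft documentation).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $v = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'Unknown (value not present)' }
    if ($v.VulnerableDriverBlocklistEnable -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Get-LoadedDriverSignerReport {
    # Enumerate running kernel-mode drivers and resolve each image path.
    Get-CimInstance Win32_SystemDriver |
      Where-Object { $_.State -eq 'Running' -and $_.PathName } |
      ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', ''                  # strip \??\ prefix
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot        # expand \SystemRoot
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $cert = if ($sig) { $sig.SignerCertificate } else { $null }
        [pscustomobject]@{
            Name       = $_.Name
            Path       = $path
            Status     = if ($sig) { $sig.Status } else { 'Unreadable' }
            Signer     = if ($cert) { $cert.Subject } else { '' }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }  # compare against revocations
        }
      }
}

"Vulnerable Driver Blocklist: $(Get-VulnerableDriverBlocklistState)"
Get-LoadedDriverSignerReport | Sort-Object Signer | Format-Table -AutoSize
```

Run from an elevated session; a driver whose Status is Valid but whose signer or thumbprint matches a revoked or blocklisted certificate is the case the article describes and warrants investigation.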