Malicious drivers such as WinTapix.sys and ktgn.sys pose a serious threat to cybersecurity, as they can evade security measures and gain access to the target system. These drivers, which run within the kernel memory, are capable of altering critical security mechanisms and executing arbitrary code with the highest privileges. To protect against these drivers, Microsoft has implemented the Enforce Signature Driver, which ensures that only Microsoft-signed drivers can be loaded into the system, as well as driver blocking rules to protect against known vulnerable drivers.
Additionally, malicious drivers are often used in conjunction with Exchange server attacks by Iranian threat actors. In one such case, the WinTapix.sys driver was configured to inject embedded shellcode into a suitable user-mode process which, in turn, executed an encrypted .NET payload. The driver also established persistence through modifications to the Windows Registry that allowed it to load even when the machine was booted in Safe Mode.
The ALPHV ransomware group has also been observed leveraging a malicious signed driver, ktgn.sys, to weaken security defenses and remain undetected for extended periods of time. This driver is an updated version of POORTRY, which is signed with a stolen or leaked cross-certificate.
In conclusion, malicious drivers are a powerful tool for threat actors, offering a stealthy way to infiltrate deeper into target systems and maintain persistence. Therefore, it is important for organizations to take measures to protect against malicious drivers, such as implementing the Enforce Signature Driver and driver blocking rules.
Source: Hackernews
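The three controls the article points to (driver signature enforcement, the vulnerable driver blocklist, and the Safe Mode load lists the persistence trick abuses) can all be audited from an elevated PowerShell session. The script below is an added example, not code from the source article or from Microsoft; it is read-only. It assumes the standard locations Windows uses for these settings: the `SafeBoot\Minimal` and `SafeBoot\Network` keys that Safe Mode consults when deciding which drivers to load, the `VulnerableDriverBlocklistEnable` value under `Control\CI\Config` that backs the "Microsoft Vulnerable Driver Blocklist" toggle on Windows 11 22H2 and later, and `bcdedit`'s `testsigning` setting. The helper names (`Resolve-DriverPath`, `Get-DriverSignatureReport`, and so on) are my own.

```powershell
# Added example (not from the article): read-only audit of the driver-related
# controls discussed above. Run elevated; bcdedit and some service keys need it.

function Resolve-DriverPath([string]$raw) {
    # Service ImagePath / PathName values come in several spellings; normalise
    # them to a plain file path so Get-AuthenticodeSignature can open the file.
    $p = $raw.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                         # \??\C:\...       -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # \SystemRoot\...  -> C:\Windows\...
    if ($p -match '^(?i)system32\\') { $p = Join-Path $env:SystemRoot $p }   # relative path
    return $p
}

function Get-SignatureStatus([string]$path) {
    # 'Valid', 'NotSigned', 'HashMismatch', 'UnknownError', or 'FileMissing'.
    if (-not (Test-Path -LiteralPath $path)) { return 'FileMissing', $null }
    $sig = Get-AuthenticodeSignature -FilePath $path
    return $sig.Status.ToString(), $sig.SignerCertificate.Subject
}

function Get-DriverSignatureReport {
    # Every kernel driver currently running, with its Authenticode status and signer.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $status, $signer = Get-SignatureStatus $path
            [pscustomobject]@{ Name = $_.Name; Path = $path; Status = $status; Signer = $signer }
        }
}

function Get-SafeBootDriverReport {
    # Safe Mode only starts services/drivers listed under these keys, which is
    # why a driver that wants to survive a Safe Mode boot registers itself here.
    # Entries that are device-class GUIDs have no Services key and are skipped.
    foreach ($list in 'Minimal', 'Network') {
        $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$list"
        Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
            $entry = $_.PSChildName
            $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$entry" -ErrorAction SilentlyContinue
            # Service Type 1 = kernel driver, 2 = file system driver.
            if ($svc -and $svc.ImagePath -and ($svc.Type -in 1, 2)) {
                $path = Resolve-DriverPath $svc.ImagePath
                $status, $signer = Get-SignatureStatus $path
                [pscustomobject]@{ List = $list; Entry = $entry; Path = $path; Status = $status; Signer = $signer }
            }
        }
    }
}

function Test-VulnerableDriverBlocklist {
    # Assumption: 1 means the Microsoft vulnerable driver blocklist is enforced;
    # a missing value or 0 means it is not (HVCI-enabled hosts enforce it regardless).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $v = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    return ($v -eq 1)
}

function Test-TestSigningEnabled {
    # 'testsigning Yes' tells the kernel to accept test-signed drivers, which
    # defeats the point of signature enforcement on a production machine.
    $out = & bcdedit.exe /enum '{current}' 2>$null
    return [bool]($out -match '^\s*testsigning\s+Yes')
}

"Vulnerable driver blocklist enabled : $(Test-VulnerableDriverBlocklist)"
"Test signing mode enabled           : $(Test-TestSigningEnabled)"

"`nRunning drivers that are unsigned, tampered, or not signed by Microsoft (review these):"
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Format-Table Name, Status, Signer, Path -AutoSize

"`nSafe Mode driver entries that are unsigned, tampered, or not signed by Microsoft:"
Get-SafeBootDriverReport |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Format-Table List, Entry, Status, Signer, Path -AutoSize
```

Two caveats follow directly from the article. A `Valid` status only proves the file was signed with a certificate the machine trusts, so a driver like ktgn.sys that carries a stolen or leaked cross-signing certificate passes this check; that is why the report also surfaces every driver whose signer is not Microsoft, so an analyst can compare the signer and file hash against Microsoft's recommended driver block rules and the vendor's known releases. And a legitimately signed third-party driver appearing under `SafeBoot` is unusual enough on its own that each such entry is worth explaining, whatever its signature says.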
To mitigate these potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.