Subj : BlackCat ransomware found using malicious Windows kernels
To   : All
From : TechnologyDaily
Date : Tue May 23 2023 12:45:04

BlackCat ransomware found using malicious Windows kernels

Date:
Tue, 23 May 2023 11:21:24 +0000

Description:
An updated version of POORTRY spotted carrying the same functionalities.

FULL STORY
======================================================================

Ransomware operators known as BlackCat, or ALPHV, were seen using an updated 
version of a known malware , which allows them to elevate privileges on 
target endpoints and terminate any antivirus or endpoint security solutions 
the computer might have running. 

The news comes courtesy of Trend Micros researchers, who spotted the updated 
malware. 

As per the researchers, the malware is known as POORTRY. It was first 
discovered late last year, when researchers from Microsoft, Mandiant, Sophos, 
and SentinelOne, all saw POORTRY being used to disable antivirus programs, in 
preparation from the deployment of ransomware . Back then, it was found that 
POORTRY was a Windows kernel driver, signed with keys stolen from authentic 
Microsoft Windows Hardware Developer Program accounts. Attacking dozens of 
companies 

However, as the code-signing keys were soon revoked, and with the malware 
getting plenty of press coverage, most antivirus programs started detecting 
it, prompting the attackers to go for an update. Now, this new version is 
signed using a stolen, or leaked, cross-signing certificate, the researchers 
are saying. 

The goal is still the same - to elevate privileges on the target endpoint and 
terminate any processes related to antivirus or cybersecurity programs and 
systems. Read more 

> Clop ransomware may have infected even more victims than previously thought 


 > Saks Fifth Avenue becomes latest Clop ransomware victim 


 > Check out the best firewall tools right now 

Besides being used to terminate any system processes, the driver can also be 
used to delete specific file paths, force-copy and force-delete files, copy 
files, register and unregister processes, and even reboot the system. Its 
also worth mentioning that not all of these features work as intended, which 
lead the researchers to believe that the malware is still under development, 
or in a testing stage. 

The group that was using the original POORTRY malware was identified as 
UNC3944, also known as 0ktapus, or Scattered Spider. This new version is used 
by BlackCat (ALPHV). Although its hard to be conclusive about it, the 
researchers do hint that there might be a loose link between the two groups. 
These are the best endpoint protection tools right now 

Via: BleepingComputer



======================================================================
Link to news story:
https://www.techradar.com/news/blackcat-ransomware-found-using-malicious-windo
ws-kernels


--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)

.