A malicious campaign has been targeting Middle Eastern countries since at least May 2020. It relies on a malicious Windows kernel driver called WinTapix.sys (or simply WinTapix), which researchers attribute, with low confidence, to an unidentified Iranian threat actor.

The WinTapix campaign

According to Fortinet's FortiGuard Labs, WinTapix is primarily a loader: it deploys next-stage malware by injecting shellcode into another process.
  • The shellcode is generated with the open-source Donut project, which packages a payload such as a .NET assembly into position-independent shellcode that can be loaded from memory, for example in process hollowing attacks.
  • The malware activity peaked in August and September 2022 and then again in February and March 2023.
  • The primary targets were Saudi Arabia, Jordan, Qatar, and the U.A.E., which are typical targets of several Iranian state-sponsored actors.

How does WinTapix operate?

WinTapix reaches the kernel through the Bring Your Own Vulnerable Driver (BYOVD) technique.
  • The malicious WinTapix.sys file is a Windows kernel driver with an invalid signature. Driver Signature Enforcement would normally refuse to load it, so the attackers are assumed to rely on a separately loaded legitimate but vulnerable driver to get it into the kernel.
  • Once it is resident in kernel memory, WinTapix looks for a suitable user-mode process running with appropriate privileges and injects its shellcode into that process.
  • The shellcode, in turn, decrypts and runs an embedded .NET payload designed to target Microsoft IIS servers.
  • The .NET payload acts as a backdoor: it lets the attacker execute commands, upload and download files, and set up a proxy connection between two endpoints.

Concluding notes

The campaign has drawn researchers' attention because of its abuse of Windows kernel drivers. Since WinTapix itself cannot load under Driver Signature Enforcement, the practical defense is to deny the legitimate vulnerable driver it depends on: organizations should enable Microsoft's vulnerable driver blocklist (enforced automatically when memory integrity, also known as HVCI, is turned on) and review which third-party kernel drivers are loaded on their hosts.
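The following PowerShell script is an added example, not code from the Fortinet report or from this write-up, and it is not the malware itself. It covers both the loading chain described above and the blocklist recommendation: it enumerates the kernel drivers registered with the Service Control Manager, verifies the Authenticode signature of each driver image on disk, flags any image whose file name matches the reported name (the name WinTapix.sys is taken from the report; an attacker can rename the file, so this is a weak indicator), and reads the registry values that control the vulnerable driver blocklist and HVCI. It assumes a Windows 10/11 host and an elevated PowerShell session; the function names are the example's own.

```powershell
# Added example: hunt for the WinTapix loading pattern and check the
# vulnerable driver blocklist state. Not the campaign's code; assumes an
# elevated PowerShell session on Windows 10/11.

# File names reported for the campaign (assumption: the attacker did not
# rename the driver). Extend with your own indicators.
$SuspectNames = @('WinTapix.sys')

function Resolve-DriverImagePath {
    # SCM stores driver paths in several forms: \??\C:\..., \SystemRoot\...,
    # or a path relative to %SystemRoot% (e.g. system32\drivers\foo.sys).
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-KernelDriverSignatureReport {
    # One record per kernel driver: state, resolved image path, signature
    # status, signer subject, and whether the file name matches an indicator.
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverImagePath -PathName $d.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name      = $d.Name
            State     = $d.State
            Path      = $path
            SigStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            NameMatch = ($SuspectNames -contains (Split-Path -Leaf $path))
        }
    }
}

function Get-DriverBlocklistState {
    # The Microsoft vulnerable driver blocklist is enforced when HVCI is on,
    # or when VulnerableDriverBlocklistEnable under CI\Config is set to 1.
    $ci   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $hvci = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $bl = (Get-ItemProperty -Path $ci   -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $hv = (Get-ItemProperty -Path $hvci -Name Enabled                          -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        VulnerableDriverBlocklistEnable = $bl   # 1 = on; missing/0 = relies on HVCI
        HvciEnabled                     = $hv   # 1 = memory integrity on
    }
}

function Enable-DriverBlocklist {
    # Registry switch for the blocklist; takes effect after a reboot. Prefer
    # enabling memory integrity (Windows Security > Core isolation) or a WDAC
    # policy where you can, since either enforces the same list.
    $ci = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    New-Item -Path $ci -Force | Out-Null
    Set-ItemProperty -Path $ci -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord
}

# Show anything that is not validly signed, or whose name matches an indicator.
Get-KernelDriverSignatureReport |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.NameMatch } |
    Sort-Object NameMatch -Descending |
    Format-Table Name, State, SigStatus, Signer, Path -AutoSize

Get-DriverBlocklistState
```

Two caveats when reading the output. First, a driver that appears as NotSigned is not necessarily hostile: some inbox drivers are signed only through a catalog, so confirm with a catalog-aware tool before raising an alarm. Second, the vulnerable driver that a BYOVD loader actually abuses carries a valid signature and will not be flagged by the signature check at all; compare the Signer and Path columns of valid third-party drivers against Microsoft's published block rules, and treat an unexpected running third-party driver on a server as something to investigate.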
Cyware Publisher