Businesses in the Middle East faced a series of targeted attacks over the past few years, with an open source tool used by threat actors as a kernel driver.
Researchers at Fortinet found a sample of the so-called Donut tool while monitoring suspicious executables that were using open source tools. In particular, this open source shellcode-generation tool, along with a variant of the Wintapix driver, were discovered to have been used in targeted cyberattacks on Saudi Arabia and other Middle East nations.
Fortinet researchers Geri Revay and Hossein Jazi said in a post on their research that they believe this driver has been active in the wild since at least mid-2020, not reported until now, and used over the past few years in several campaigns.
Specifically, Donut produces x86 or x64 shellcode payloads from .NET Assemblies, and this shellcode can be injected into an arbitrary Windows process for an in-memory execution. In this attack, Wintapix is loaded into the kernel, where an embedded shellcode is injected into a suitable process local system privilege, and then loads and executes an encrypted .NET payload.
One sample the Fortinet researchers captured was uploaded to Virus Total in February 2023, but had been compiled in May 2020. Another variant of this driver with the same name was compiled around that time as well but was uploaded to Virus Total in September 2022.
Cyberattack Spikes Against Saudi Arabia Targets?
Fortinet's telemetry shows a noticeable increase in the number of lookups — or spikes in activity — for this driver in August and September 2022, and again in February and March 2023. This may indicate that the threat actor behind the driver was operating major campaigns on these dates. In fact, 65% of the lookups for the driver were from Saudi Arabia, indicating it was a primary target, according to the research.
Jazi confirms that other malware families using similar attack vectors (i.e., kernel drivers) have been observed, but this was a detection of a new malicious driver.
"It has new functionalities such as targeting IIS [Internet Information Services] servers, which is unique in its own accord," Jazi says.
While Jazi is unable to share further details on specific verticals that were targeted, he notes that there is a long history of Iranian threat groups targeting Saudi Arabia and other nations in the region.
Who Is the Threat Actor?
Fortinet researchers say it's unclear how the driver was distributed, and they don't they know who was behind this operation. "Observed telemetry shows that while this driver has primarily targeted at Saudi Arabia, it has also been detected in Jordan, Qatar, and the United Arab Emirates, which are the classic targets of Iranian threat actors," the report said.
Iranian threat actors have been known to exploit Microsoft Exchange Servers to deploy additional malware, so it is possible that this driver has been employed alongside Exchange attacks. "To that point, the compilation time of the drivers is also aligned with times when Iranian threat actors were exploiting Exchange server vulnerabilities," the researchers wrote.
At this stage, it is unclear which organizations were targeted, and what the attackers were looking for. Ciarán Walsh, associate research engineer at Tenable, says that depending on the nature of the attack and sophistication of the threat actor, it is entirely possible for a campaign to go undetected for an extended period of time like this one did. "APT1 (CommentCrew) has been noted as maintaining a presence on victim networks without detection for years during its cyberespionage campaigns," he says.
Asked if he believes the time spent undetected was indicative of the sophistication of an attacker, Walsh says an attacker's sophistication is based on a myriad of factors and also depends on the objectives of a campaign.
"In espionage, the aim would be to go undetected for however long it takes to achieve those objectives," he says, "but in campaigns that aim to cause disruption such as Anonymous Sudan and its DDoS campaigns, being stealthy and maintaining a foothold in a target network is not a priority."
Walsh notes that open source tools are more likely to be detected, as the security community knows of them and countermeasures and remediation techniques have been developed to counteract them.
"Custom tooling is much more difficult to detect as automated systems have little, if any, information about the tool to use as part of their detection mechanisms," he says. "Attackers do sometimes adopt an approach of using tools already on target systems or within target networks."
That living-off-the-land approach was used by Volt Typhoon, an APT attributed to China that Microsoft last week warned had gained access to telecom networks and other critical infrastructure targets in the US.
"Living-off-the-land allows for stealth as there is no execution of any suspicious programs or scripts, which would trigger an alert," Walsh says. "The attackers instead use tools built into operating systems, which are less likely to trigger an alert, or even be deemed suspicious."