Over the last few years, organizations in the Middle East have faced a series of targeted attacks that combine a malicious Windows kernel driver with shellcode produced by an open-source tool.
Fortinet researchers found the sample while hunting for suspicious executables built with open-source tooling; the payload it carried had been generated with the so-called Donut tool.
This open-source shellcode generator, together with a variant of the WinTapix driver, was found to have been used in targeted cyberattacks against Saudi Arabia and other Middle Eastern countries.
Fortinet researchers Geri Revay and Hossein Jazi stated in a blog post on their research that they believe the driver has been operational in the wild since at least mid-2020, had not been reported until now, and has been employed in multiple campaigns over the past few years.
According to Fortinet's telemetry, lookups for this driver spiked in August and September 2022, and again in February and March 2023. This suggests that the threat actor behind the driver was running large-scale campaigns during those periods. The same data shows that 65% of lookups for the driver came from Saudi Arabia, indicating it was the primary target.
Jazi notes that other malware families have been observed using similar techniques (i.e., malicious kernel drivers), but this was the detection of a previously unknown malicious driver.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents