BlackCat Ransomware affiliate uses signed kernel driver to evade detection

Trend Micro researchers shared details about an ALPHV/BlackCat ransomware incident that took place in February 2023. A BlackCat affiliate employed signed malicious Windows kernel drivers to evade detection.

Experts believe the driver is a new version of the malware reported in December 2022 by Mandiant, Sophos and SentinelOne in a coordinated disclosure.

The attackers attempted to deploy the driver (ktgn.sys) previously analyzed by Mandiant, which was signed through Microsoft signing portals.
