WINTAPIX: Advanced threat targeting Middle Eastern businesses

A malicious Windows kernel driver called WINTAPIX is being utilized in attacks against Middle Eastern businesses from at least May 2020. The malware’s precise origin is unknown, however it is probably linked to an Iranian threat actor. A loader called WINTAPIX makes it easier for malicious.NET code to run. This is done by injecting shelllcode into active processes.

WinTapix is primarily utilized as a loader to load and distribute next-stage malware using shellcode. To find its victims, it employs the Bring Your Own Vulnerable Driver (BYOVD) strategy. A malicious Windows kernel driver named WinTapix.sys has an incorrect signature and depends on a safe but weak driver to run.

A Microsoft IIS server-targeting.NET payload is then launched by this shellcode. The attacker can run commands, upload, and download data, and establish a proxy connection between two destinations thanks to this.NET payload, which also provides a backdoor.

The goal is to compromise or disable security features and get enduring access to the targeted host by employing a malicious kernel mode driver. In other words, as part of the threat actor’s multi-stage attack, it provides a covert mechanism to infiltrate deeper into the targeted system, retain persistence, and carry out additional payloads or orders.

Additionally, the open-source Donut project was used to develop the shellcode that is incorporated into WINTAPIX. By making changes to the Windows Registry, it creates persistence and enables it to run even when the system is started in Safe Mode. Government, telecommunications, energy, financial services, healthcare, and education are among the industries that WINTAPIX is known to target in nations including Saudi Arabia, Qatar, Jordan, and the United Arab Emirates.