tldr - powered by Generative AI

Iranian hackers have been using a new Windows kernel driver called Wintapix in attacks against Middle East targets since 2020. The driver uses Donut, a position-independent code loader that runs payloads in memory through shellcode, by way of process hollowing or thread hijacking.
  • Fortinet reports that Iranian threat actors have been using a newly identified Windows kernel driver called Wintapix in attacks against Middle East targets since 2020.
  • The driver uses Donut, a position-independent code loader that runs payloads in memory through shellcode, by way of process hollowing or thread hijacking.
  • Wintapix appears to have been active since at least mid-2020, likely developed by an Iranian threat actor and primarily used in attacks against entities in Saudi Arabia, but also against targets in Jordan, Qatar, and the United Arab Emirates.
  • The driver was likely used in some major campaigns in August and September 2022 and in February and March 2023, although it has remained under the radar until now.
  • The threat actors likely use a legitimate but vulnerable driver to load Wintapix in the kernel.
  • The .NET payload that the shellcode loads is malware specifically designed to target Microsoft Internet Information Services (IIS) servers, where it functions as both a backdoor and a proxy.
Tags: Iranian hackers, Windows kernel driver, Wintapix, Donut, Middle East targets
