Monthly Threat Brief
June 15, 2023 | 2 min read
WINTAPIX: Advanced threat targeting Middle Eastern businesses

A malicious Windows kernel driver called WINTAPIX (WinTapix.sys) has been used in attacks against organizations in the Middle East since at least May 2020. Its origin has not been confirmed, but the available evidence points to an Iranian threat actor. WINTAPIX functions as a loader: it injects shellcode into running processes, and that shellcode in turn executes malicious .NET code in user mode.

WinTapix is primarily a loader that stages and delivers next-stage malware through shellcode. Because WinTapix.sys does not carry a valid code signature, Driver Signature Enforcement on 64-bit Windows will not load it on its own. The attacker therefore relies on a Bring Your Own Vulnerable Driver (BYOVD) technique: a legitimately signed but vulnerable driver is loaded first and then abused to get the unsigned malicious driver running in kernel mode. BYOVD is the loading mechanism, not how victims are selected.

Once running, the driver's injected shellcode launches a .NET payload aimed at Microsoft IIS servers. This payload is a backdoor: it lets the operator execute commands, upload and download files, and set up a proxy that relays traffic between two endpoints.

The purpose of using a malicious kernel-mode driver is to disable or evade security controls and to keep durable access to the targeted host. Within the actor's multi-stage intrusion it is the covert foothold: it lets the operator dig deeper into the system, maintain persistence, and execute further payloads or commands.

The shellcode embedded in WINTAPIX was generated with the open-source Donut project. The driver establishes persistence through Windows Registry changes that also allow it to run when the system boots into Safe Mode. Known targets span government, telecommunications, energy, financial services, healthcare, and education, in countries including Saudi Arabia, Qatar, Jordan, and the United Arab Emirates.
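The two host-level conditions described above (a kernel driver whose file fails signature validation, and a driver registered so that it also starts in Safe Mode) can both be audited from an elevated PowerShell session. The script below is an added hunting example written for this brief; it is not code from the brief or from the cited reporting, and it is not a WINTAPIX detector. It assumes only standard Windows behaviour: installed drivers are exposed through the Win32_SystemDriver CIM class, and the services Windows starts in Safe Mode are the subkeys of HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network. The brief does not state which registry values WINTAPIX writes, so the script checks those keys generally rather than for any specific entry.

```powershell
# Added hunting script (not from the brief): list kernel drivers whose on-disk
# image fails Authenticode validation, then cross-check the SafeBoot registry
# keys that decide what Windows starts in Safe Mode. Run elevated on Windows.

$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

# 1. Every installed kernel driver with a normalised image path and its
#    Authenticode status (Valid, NotSigned, HashMismatch, NotTrusted, ...).
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # PathName may be quoted or use \??\ , \SystemRoot\ or System32\ prefixes.
        $path = $_.PathName.Trim('"')
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"
        $status = if (Test-Path -LiteralPath $path) {
            (Get-AuthenticodeSignature -LiteralPath $path).Status
        } else {
            'FileMissing'
        }
        [pscustomobject]@{
            Name   = $_.Name      # service name, which is what SafeBoot keys reference
            State  = $_.State
            Path   = $path
            Status = $status
        }
    }

# 2. Anything that is not Valid deserves a look. The brief reports that
#    WinTapix.sys itself carries an invalid signature.
$suspect = $drivers | Where-Object { $_.Status -ne 'Valid' }
"Drivers without a valid Authenticode signature:"
$suspect | Format-Table Name, State, Status, Path -AutoSize

# 3. Drivers registered to start in Safe Mode. Each subkey name under
#    SafeBoot\Minimal and SafeBoot\Network is either a service name or a
#    device class GUID; a driver's service name appearing here is what
#    lets it load in Safe Mode. Warn when such an entry points at a driver
#    whose file did not validate.
foreach ($mode in 'Minimal', 'Network') {
    $key = "$safeBootRoot\$mode"
    if (-not (Test-Path -Path $key)) { continue }
    Get-ChildItem -Path $key | ForEach-Object {
        $entry = $_.PSChildName
        $hits = $drivers | Where-Object { $_.Name -ieq $entry -and $_.Status -ne 'Valid' }
        foreach ($h in $hits) {
            Write-Warning "SafeBoot\$mode\$entry -> $($h.Path) [$($h.Status)]"
        }
    }
}
```

Two caveats when reading the output. First, the signature check only covers the malicious driver; the vulnerable driver abused in a BYOVD chain is itself validly signed, so compare the driver list against Microsoft's vulnerable driver blocklist as well. Second, the Status field depends on how each file was signed, so treat the first list as something to baseline against a known-good host rather than as a verdict on its own.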

References:

  • https://www.scmagazine.com/brief/threat-intelligence/middle-east-subjected-to-attacks-with-novel-wintapix-malware
  • https://cyware.com/news/wintapix-attack-campaign-targets-middle-east-nations-eabc515e