
BlackByte Targets Legitimate Drivers to Bypass Security Products

BlackByte ransomware operators are exploiting a flaw in a legitimate Windows driver that allows them to disable over 1,000 drivers. Dubbed Bring Your Own Driver (BYOD), the method lets the threat actors disable several security products.

Here’s how it works

In the most recent attack, BlackByte abused MSI AfterBurner 4.6.2.15658 by Micro-Star, a widely used graphics card overclocking utility that ships with two drivers, RTCore64.sys and RTCore32.sys.
  • The attackers abuse an authenticated arbitrary read/write memory vulnerability (CVE-2019-16098) in the RTCore64.sys driver.
  • They exploit the vulnerable driver to remove the callback entries registered by EDR drivers from kernel memory by overwriting them with zeros.
  • An unprotected input/output control code (IOCTL) in RTCore64.sys allows read and write operations on kernel memory.

The BYOD technique allows attackers to drop a vulnerable driver version on the victim’s machine and then abuse it to remove process-creation callbacks from kernel memory.
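From the defender's side, the load of a known-vulnerable driver such as RTCore64.sys is the observable event that precedes the callback removal described above. The following is an added detection example, not code from Cyware or from the Sophos research the article summarizes; it assumes a flattened, constructed Sysmon-style "Driver loaded" (Event ID 6) record format, a hypothetical block list built only from the drivers and CVE named on this page, and an assumed list of directories a properly installed driver normally loads from.

```python
import re
from collections import namedtuple

# Driver names and CVE taken from the article; a hypothetical block list, not a vendor-maintained one.
KNOWN_VULNERABLE_DRIVERS = {
    "rtcore64.sys": "CVE-2019-16098 (MSI AfterBurner RTCore64.sys)",
    "rtcore32.sys": "CVE-2019-16098 (MSI AfterBurner RTCore32.sys)",
}
# Directories a properly installed driver is expected to load from (assumption).
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\program files")

# Constructed sample records in a flattened Sysmon "Driver loaded" (Event ID 6) style.
SAMPLE_LOG = """\
2022-10-05 14:02:11 EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true Signature=Microsoft Windows
2022-10-05 14:03:40 EventID=6 ImageLoaded=C:\\Users\\Public\\RTCore64.sys Signed=true Signature=Vendor Signer (constructed)
2022-10-05 14:03:41 EventID=6 ImageLoaded=C:\\Program Files (x86)\\MSI Afterburner\\RTCore64.sys Signed=true Signature=Vendor Signer (constructed)
2022-10-05 14:05:02 EventID=6 ImageLoaded=C:\\Windows\\Temp\\dropped.sys Signed=false Signature=
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=6 ImageLoaded=(?P<path>.+?) "
    r"Signed=(?P<signed>\w+) Signature=(?P<sig>.*)$"
)
Finding = namedtuple("Finding", "timestamp path reason severity")

def analyze_driver_loads(log_text):
    """Flag driver loads matching the BYOD pattern the article describes."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a driver-load record
        path = m.group("path")
        name = path.rsplit("\\", 1)[-1].lower()
        in_expected_dir = path.lower().startswith(EXPECTED_DRIVER_DIRS)
        if name in KNOWN_VULNERABLE_DRIVERS:
            # A listed driver is a concern anywhere; dropped into a user-writable path it is the BYOD case.
            severity = "high" if not in_expected_dir else "medium"
            reason = "known vulnerable driver: " + KNOWN_VULNERABLE_DRIVERS[name]
        elif m.group("signed").lower() != "true":
            severity, reason = "high", "unsigned driver load"
        elif not in_expected_dir:
            severity, reason = "low", "signed driver loaded from unusual path"
        else:
            continue  # signed, expected location, not on the list
        findings.append(Finding(m.group("ts"), path, reason, severity))
    return findings
```

Against the constructed log this yields three findings: a high for RTCore64.sys loaded from a user-writable directory, a medium for the same driver loaded from its installation directory, and a high for the unsigned driver in Temp.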

Anti-analysis checks

In these attacks, BlackByte operators used several tactics to prevent analysis by security researchers.
  • The attackers used routines to disable the Microsoft-Windows-Threat-Intelligence ETW (Event Tracing for Windows) provider, perform anti-analysis checks, and gain higher privileges.
  • The code looks for signs of a debugger running on the target system and, if one is found, the malware terminates.
  • Additionally, the malware checks for the presence of a list of DLLs used by security products such as Comodo Internet Security, Avast, the Windows DbgHelp Library, and Sandboxie, and terminates itself when any of them is detected.

Conclusion

Other groups have also recently been seen using the BYOD technique in attacks. For instance, Lazarus was observed abusing a Dell driver delivered via fake job-offer lures. According to experts, however, attackers rarely use genuine zero-day vulnerabilities; most of the time, the driver vulnerabilities are well known and documented. It is therefore advisable to keep track of such vulnerabilities in the drivers in use and keep them updated to stay protected from these threats.
Cyware Publisher