BlackByte Ransomware abuses vulnerable driver to bypass security solutions

Pierluigi Paganini October 08, 2022

The BlackByte ransomware operators are leveraging a flaw in a legitimate Windows driver to bypass security solutions.

Researchers from Sophos warn that BlackByte ransomware operators are using a bring your own vulnerable driver (BYOVD) attack to bypass security products.

In BYOVD attacks, threat actors abuse vulnerabilities in legitimate, signed drivers, on which security products rely, to achieve successful kernel-mode exploitation.

Other ransomware gangs in the past abused the BYOVD technique to disable security solutions, for example RobbinHood and AvosLocker operators exploited vulnerabilities (i.e. CVE-2018-19320) in the gdrv.sys and asWarPot.sys.

While investigating the most recent variant of the ransomware, which is written in Go, the experts discovered that the threat actors are exploiting a vulnerability in a legitimate Windows driver to bypass security solutions.

“We found a sophisticated technique to bypass security products by abusing a known vulnerability in the legitimate vulnerable driver RTCore64.sys.” reads the post published by Sophos. “The evasion technique supports disabling a whopping list of over 1,000 drivers on which security products rely to provide protection. Sophos products provide mitigations against the tactics discussed in this article.”

“Bring Your Own Driver” is the name given to this technique [1, 2, 3, 4, 5, 6] — exploiting a targeted system by abusing a legitimate signed driver with an exploitable vulnerability.”

The researchers discovered that the BlackByte ransomware operators are exploiting a privilege escalation and code execution vulnerability (CVE-2019-16098, CVSS score 7.8) affecting the Micro-Star MSI Afterburner RTCore64.sys driver.

The RTCore64.sys and RTCore32.sys drivers are widely used by Micro-Star’s MSI AfterBurner utility which gives extended control over graphic cards on the system. The CVE-2019-16098 exploitation allows an authenticated user to read and write to arbitrary memory, potentially leading to privilege escalation, code execution under high privileges, or information disclosure.

Sophos researchers pointed out that Kernel Notify Routines are used by loaded drivers to be notified by the kernel of system activity, Drivers related to security products often rely on these routines to collect information about system activity. 

BlackByte Ransomware abuse driver

The experts noticed that the ransomware sample they analyzed has multiple similarities with the EDR bypass implementation used by the EDRSandblast open-source tool which allows abusing vulnerable signed drivers to evade detection.

Siphos experts also identified the kernel routines to deactivate the ETW (Event Tracing for Windows) Microsoft-Windows-Threat-Intelligence provider which is used to log the use of API calls associated with malicious activities such as NtReadVirtualMemory to inject into another process’s memory. Disabling ETW, every security feature that relies on them is blind.

“Once the anti-analysis checks finish, BlackByte attempts to retrieve a file handle of the Master Boot Record, as seen in Figure 3. If failed, the ransomware tries to at least bypass User Access Control and restart itself with higher privileges via CMLUA or CMSTPLUA UAC Bypass.” continues the report.

Experts provide the following recommendations to defend against such type of attacks:

  • Threat actors usually exploits well known vulnerabilities in the used driver, for this reason by keeping track of the latest security issues it is possible blocklist drivers known to be exploitable.
  • Always keep track of the drivers installed on your systems and keep them up to date.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BlackByte ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment