The BlackByte ransomware gang is using a new technique that researchers are calling “Bring Your Own Driver,” which enables bypassing protections by disabling more than 1,000 drivers used by various security solutions.
What does BlackByte ransomware do ?
Exploiting the security issue allowed BlackByte to disable drivers that prevent multiple endpoint detection and response (EDR) and antivirus products from operating normally.
This particular vulnerability allows them to communicate directly with the targeted system’s kernel, commanding it to disable callback routines used by EDR providers, as well as the ETW (Event Tracing for Windows) Microsoft-Windows-Threat-Intelligence-Provider. EDR vendors frequently use this feature to monitor the use of commonly maliciously abused API calls; if this feature is disabled, the EDR vendors that rely on this feature are also rendered ineffective.
Recent attacks attributed to this group involved a version of the MSI Afterburner RTCore64.sys driver, which is vulnerable to a privilege escalation and code execution flaw tracked as CVE-2019-16098.
Attack Analysis
Security researchers at cybersecurity company Sophos explain that the abused MSI graphics driver offers I/O control codes directly accessible by user-mode processes, which violates Microsoft’s security guidelines on kernel memory access.
This makes it possible for attackers to read, write, or execute code in kernel memory without using shellcode or an exploit.
In the first stage of the attack, BlackByte identifies the kernel version to select the correct offsets that match the kernel ID.
Next, RTCore64.sys is dropped in “AppDataRoaming” and creates a service using a hardcoded name and a randomly selected, not-so-subtle display name.
The attackers then exploit the driver’s vulnerability to remove Kernel Notify Routines that correspond to security tool processes.
The retrieved callback addresses are used to derive the corresponding driver name and compared to a list of 1,000 targeted drivers that support the function of AV/EDR tools.
Any matches found in this stage are removed by overwriting the element that holds the address of the callback function with zeros, so the targeted driver is nullified.
Sophos also highlights several methods that BlackByte employs in these attacks to evade analysis from security researchers, like seeking for signs of a debugger running on the target system and quitting.
The BlackByte malware also checks for a list of hooking DLLs used by Avast, Sandboxie, Windows DbgHelp Library, and Comodo Internet Security, and terminates its execution if found.
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment