In another case of a BYOVD (Bring Your Own Vulnerable Driver) attack, BlackByte ransomware operators are exploiting a flaw in a legitimate Windows driver to bypass security solutions.
“The evasion technique supports disabling a huge list of over 1,000 drivers that security products rely on to provide protection,” Andreas Klopsch, threat researcher at Sophos, said in a new technical article.
BYOVD is an attack technique that involves threat actors exploiting vulnerabilities in legitimate, signed drivers to achieve kernel mode exploitation and take control of compromised machines.
Weaknesses in signed drivers have been increasingly co-opted by nation-state threat groups in recent years, including Slingshot, InvisiMole, APT28, and more recently, the Lazarus Group.
BlackByte, believed to be an offshoot of the now-discontinued Conti Group, is one of the big game cybercrime crews, which focus on large, high-profile targets as part of its ransomware-as-a-service (RaaS) scheme.
According to the cybersecurity firm, the recent attacks mounted by the group took advantage of a privilege elevation and code execution flaw (CVE-2019-16098, CVSS score: 7.8) affecting the Micro-Star MSI Afterburner RTCore64.sys driver to disable security products.
Additionally, an analysis of the ransomware sample revealed multiple similarities between the implementation of the EDR bypass and that of an open-source C-based tool called EDRSandblast, which is designed to abuse vulnerable signed drivers to evade detection.
BlackByte is the latest ransomware family to adopt the BYOVD method to achieve its goals, following RobbinHood and AvosLocker, both of which have weaponized bugs in gdrv.sys (CVE-2018-19320) and asWarPot.sys to terminate processes associated with endpoint protection software.
To protect against BYOVD attacks, it is recommended to keep track of the drivers installed on systems and ensure that they are up to date, or choose to block drivers known to be exploitable.
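One way to carry out the driver inventory recommended above, as an added example that is not from Sophos or the original article: it lists the kernel drivers registered on a Windows host and flags files matching the driver names mentioned in this article. The hash list path is a placeholder and an assumption; the article supplies no hashes.

```powershell
# Added example: inventory registered kernel drivers and flag any whose file
# name matches a driver named in the article. A file name is a weak signal
# (a driver can be renamed), so the SHA-256 and signer are reported as well
# for comparison against a hash-based blocklist.

# Driver file names taken from the article text.
$NamedInArticle = @('RTCore64.sys', 'gdrv.sys', 'asWarPot.sys')

# Assumption: optional file of known-bad SHA-256 hashes, one per line.
# Placeholder path; populate it from a blocklist source you trust.
$HashListPath = 'C:\PLACEHOLDER\vulnerable-driver-hashes.txt'
$BadHashes = @()
if (Test-Path -LiteralPath $HashListPath) {
    $BadHashes = Get-Content -LiteralPath $HashListPath |
        ForEach-Object { $_.Trim().ToUpperInvariant() } |
        Where-Object { $_ }
}

$report = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    if (-not $drv.PathName) { continue }
    # PathName may carry surrounding quotes or the \??\ prefix; normalise it.
    $path = $drv.PathName.Trim('"') -replace '^\\\?\?\\', ''
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $leaf = Split-Path -Path $path -Leaf
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $path

    [pscustomobject]@{
        Service   = $drv.Name
        State     = $drv.State
        File      = $leaf
        NameMatch = $NamedInArticle -contains $leaf   # case-insensitive match
        HashMatch = $BadHashes -contains $hash        # Get-FileHash is uppercase
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = $hash
    }
}

# Flagged drivers sort to the top; the rest serves as a baseline inventory.
$report | Sort-Object -Property NameMatch, HashMatch -Descending |
    Format-Table -AutoSize -Property Service, State, File, NameMatch, HashMatch, Signer
```

A name match only means the file deserves a closer look: compare its version and hash against the vendor's fixed release before treating it as vulnerable.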