BlackByte ransomware abuses legit driver to disable security products

Tags: BlackByte, BYOVD, Bypass, Ransomware

The BlackByte ransomware gang is using a technique that researchers call “Bring Your Own Vulnerable Driver” (BYOVD): it loads a legitimately signed but vulnerable driver and uses it to neutralize the kernel callbacks registered by any of more than 1,000 drivers that security products rely on, bypassing their protections.

Recent attacks attributed to this group used a copy of the MSI Afterburner RTCore64.sys driver, which contains a flaw tracked as CVE-2019-16098 that lets a local user read and write kernel memory, enabling privilege escalation and code execution.

Exploiting the flaw lets BlackByte disable the kernel callbacks that endpoint detection and response (EDR) and antivirus drivers depend on, so those products can no longer see or block its activity.

The BYOVD method is effective because the abused driver is signed with a valid certificate, so Windows loads it without complaint, and once loaded it runs in kernel mode with full privileges on the system.

Two notable recent examples of BYOVD attacks include Lazarus abusing a buggy Dell driver and unknown hackers abusing an anti-cheat driver/module for the Genshin Impact game.

Attack details

Security researchers at cybersecurity company Sophos explain that the abused MSI graphics driver exposes I/O control codes (IOCTLs) that user-mode processes can call directly to access kernel memory, which violates Microsoft’s driver security guidelines.

This makes it possible for an attacker to read, write, or execute code in kernel memory through the driver’s own interface, without shellcode or a memory-corruption exploit.

In the first stage of the attack, BlackByte identifies the running kernel version and selects the hardcoded offsets that match it.

[Figure: Identify the kernel to load the right offsets (Sophos)]

Next, RTCore64.sys is dropped into the user’s AppData\Roaming directory and registered as a service with a hardcoded service name and a display name picked at random from a not-so-subtle list.

[Figure: The possible display names for the service (Sophos)]

The attackers then use the driver’s arbitrary kernel read/write to remove the Kernel Notify Routines (callbacks) that belong to security tool drivers.

Each callback address retrieved from the kernel’s callback arrays is resolved to the driver module that owns it, and that driver name is compared against a list of 1,000 drivers that AV/EDR tools depend on.

For every match, the array element holding the address of the callback function is overwritten with zeros, so the security driver no longer receives the notifications it registered for.
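The callback-removal logic described above, as an added simulation that is not BlackByte’s code and not from the Sophos report. Every driver name, module base, address and target-list entry is constructed, and “kernel memory” is a Python dict of 8-byte words standing in for the memory that the vulnerable driver’s read/write IOCTLs would expose. The slot layout (a packed reference count in the low bits, the function pointer a few bytes into the callback block) follows public descriptions of the Windows notify-routine arrays and is an assumption here, not something the article states.

```python
"""Simulation of walking a kernel notify-routine array, resolving each
callback to its owning driver, and zeroing the slots owned by targeted drivers.
All data is constructed; nothing here touches a real kernel."""

# Constructed loaded-module table: (name, base, size). Names are hypothetical.
MODULES = [
    ("ntoskrnl.exe",         0xFFFFF80010000000, 0x01000000),
    ("avdriver_example.sys", 0xFFFFF80020000000, 0x00080000),  # hypothetical AV driver
    ("edr_example.sys",      0xFFFFF80021000000, 0x00040000),  # hypothetical EDR driver
    ("benign.sys",           0xFFFFF80022000000, 0x00010000),  # hypothetical unrelated driver
]

# Constructed stand-in for the ~1,000-entry target list Sophos describes.
TARGET_DRIVERS = {"avdriver_example.sys", "edr_example.sys"}

# Hypothetical address of a notify-routine array (in the real attack it comes
# from the per-kernel-version offsets selected in the first stage).
CALLBACK_ARRAY = 0xFFFFF80010A00000
MAX_CALLBACKS = 64      # upper bound on slots walked
REF_MASK = ~0xF         # assumption: low 4 bits of a slot hold a reference count
FUNC_OFFSET = 8         # assumption: function pointer sits 8 bytes into the block


def build_memory():
    """Construct kernel memory holding four registered callbacks."""
    blocks = [  # (callback block address, callback function address, refcount)
        (0xFFFF900000001000, 0xFFFFF80010123456, 3),  # owned by ntoskrnl.exe
        (0xFFFF900000002000, 0xFFFFF80020001000, 1),  # owned by avdriver_example.sys
        (0xFFFF900000003000, 0xFFFFF80021002000, 2),  # owned by edr_example.sys
        (0xFFFF900000004000, 0xFFFFF80022000500, 1),  # owned by benign.sys
    ]
    mem = {}
    for i, (block, fn, refs) in enumerate(blocks):
        mem[block] = 0                       # first word of the block, unused here
        mem[block + FUNC_OFFSET] = fn        # the callback function pointer
        mem[CALLBACK_ARRAY + 8 * i] = block | refs   # packed slot value
    return mem


def read_qword(mem, addr):
    """Stand-in for the driver's arbitrary kernel read (unmapped reads as 0)."""
    return mem.get(addr, 0)


def write_qword(mem, addr, value):
    """Stand-in for the driver's arbitrary kernel write."""
    mem[addr] = value


def resolve_module(addr):
    """Map a kernel address to the module whose image range contains it."""
    for name, base, size in MODULES:
        if base <= addr < base + size:
            return name
    return None


def neutralize_callbacks(mem):
    """Walk the array, zero slots owned by targeted drivers, report what was removed."""
    removed = []
    for i in range(MAX_CALLBACKS):
        slot = CALLBACK_ARRAY + 8 * i
        packed = read_qword(mem, slot)
        if packed == 0:
            continue                         # empty slot
        block = packed & REF_MASK            # strip the reference-count bits
        fn = read_qword(mem, block + FUNC_OFFSET)
        owner = resolve_module(fn)
        if owner and owner.lower() in TARGET_DRIVERS:
            write_qword(mem, slot, 0)        # the step the article describes
            removed.append((i, owner))
    return removed


if __name__ == "__main__":
    memory = build_memory()
    for index, driver in neutralize_callbacks(memory):
        print(f"removed callback slot {index} belonging to {driver}")
```

The defensive takeaway is visible in the loop: once a driver has arbitrary kernel write, the only things standing between it and a silent EDR are the list of targets and the address-to-module lookup, neither of which requires any exploit primitive beyond the IOCTLs themselves.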

[Figure: How Kernel Notify Routines work (Sophos)]

Sophos also highlights several anti-analysis measures BlackByte employs in these attacks, such as checking for a debugger running on the target system and quitting if one is found.

The BlackByte malware also checks for a list of hooking DLLs used by Avast, Sandboxie, the Windows DbgHelp library, and Comodo Internet Security, and terminates its execution if any of them is loaded.

System administrators can protect against BlackByte’s new security bypass by adding the vulnerable MSI driver to an actively enforced driver blocklist, such as Microsoft’s vulnerable driver blocklist applied through Windows Defender Application Control (WDAC).

Additionally, admins should monitor driver installation events and review them regularly to spot drivers being installed that do not correspond to any hardware present on the system.
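One way to run the review recommended above, as an added example that is not part of the original article or of any vendor tooling. It scans Windows System-log “service installed” events (Event ID 7045) for kernel-mode drivers that are loaded from user-writable locations or whose file name is on a vulnerable-driver blocklist. The event lines are constructed and flattened to key=value form; they are not real log data, and the service names and paths in them are hypothetical. The blocklist holds only the driver named in the article and stands in for a real blocklist, which should match on file hash or signer rather than file name.

```python
"""Review constructed Windows 7045 'service installed' events for suspicious
kernel-driver installations. Sample data is constructed, not real."""
import re
from pathlib import PureWindowsPath

# Constructed events in key=value form (hypothetical service names and paths).
SAMPLE_EVENTS = [
    "EventID=7045 ServiceName=nvlddmkm ImagePath=\\SystemRoot\\System32\\drivers\\nvlddmkm.sys "
    "ServiceType=kernel mode driver StartType=demand start",
    "EventID=7045 ServiceName=drv_example ImagePath=\\??\\C:\\Users\\alice\\AppData\\Roaming\\RTCore64.sys "
    "ServiceType=kernel mode driver StartType=demand start",
    "EventID=7045 ServiceName=Updater ImagePath=C:\\Users\\alice\\AppData\\Local\\Updater\\updater.exe "
    "ServiceType=user mode service StartType=auto start",
    "EventID=7045 ServiceName=scanner ImagePath=C:\\Windows\\Temp\\scanner.sys "
    "ServiceType=kernel mode driver StartType=demand start",
]

# Placeholder blocklist keyed on file name; a production control keys on hash/signer.
KNOWN_VULNERABLE = {"rtcore64.sys"}
# Path components that mark a location normal users can write to.
WRITABLE_MARKERS = {"users", "appdata", "temp", "programdata"}
# key=value pairs whose values may contain spaces (stop at the next " key=").
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(KV_RE.findall(line))


def normalize_path(image_path):
    """Strip the NT object-manager prefix drivers often carry and parse the path."""
    if image_path.startswith("\\??\\"):
        image_path = image_path[4:]
    return PureWindowsPath(image_path)


def review_event(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    if event.get("EventID") != "7045":
        return reasons
    if "kernel" not in event.get("ServiceType", "").lower():
        return reasons                        # only kernel-mode drivers are in scope here
    path = normalize_path(event.get("ImagePath", ""))
    parts = {p.strip("\\").lower() for p in path.parts}
    if parts & WRITABLE_MARKERS:
        reasons.append("kernel driver loaded from user-writable location")
    if path.name.lower() in KNOWN_VULNERABLE:
        reasons.append(f"{path.name} is on the vulnerable-driver blocklist")
    return reasons


def review_events(lines):
    """Review every line; return (service name, image path, reasons) for each hit."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = review_event(event)
        if reasons:
            findings.append((event.get("ServiceName", "?"), event.get("ImagePath", "?"), reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in review_events(SAMPLE_EVENTS):
        print(f"{name}: {image}")
        for reason in reasons:
            print(f"  - {reason}")
```

Two of the four constructed events should be flagged: the driver dropped under AppData\Roaming trips both rules, and the driver under C:\Windows\Temp trips only the location rule. A user-mode service under AppData is deliberately left alone; the point of this check is drivers, which get kernel privileges when they load.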
