BlackByte ransomware disables security solutions via Windows drivers

The developers of the BlackByte ransomware exploit a vulnerability in a legitimate Windows driver (from Micro-Star's MSI AfterBurner 4.6.2.15658) to bypass security solutions. Security researchers from Sophos recently pointed this out in a report. This technique, known as a BYOVD (Bring Your Own Vulnerable Driver) attack, is nothing new. However, I would like to raise the issue here as a renewed warning.

Bring Your Own Vulnerable Driver

BYOVD stands for Bring Your Own Vulnerable Driver. This is an attack technique in which a legitimate and signed Windows driver is exploited via vulnerabilities to attack systems. In July 2022, Trend Micro reported the misuse of a vulnerable anti-cheat driver for the game Genshin Impact named mhyprot2.sys to terminate antivirus processes and services for mass ransomware distribution. In May 2022, another report showed how an AvosLocker ransomware variant also abused the vulnerable Avast anti-rootkit driver aswarpot.sys to bypass security features.

New case due to BlackByte ransomware

Another case of this attack technique has now been made public by Sophos in the post A fresh exploration of the malware uncovers a new tactic for bypassing security products by abusing a known driver vulnerability.

Andreas Klopsch from Sophos writes that in light of reports of a new data leak site from the BlackByte ransomware group, they took a closer look at the latest ransomware variant written in Go. This revealed a sophisticated technique for bypassing security products by exploiting a known vulnerability in the legitimate vulnerable driver RTCore64.sys.

CVE-2019-16098 in Micro-Star's MSI AfterBurner 4.6.2.15658 driver

RTCore64.sys and RTCore32.sys are drivers used by Micro-Star's MSI AfterBurner 4.6.2.15658, a widely used graphics card overclocking utility that allows advanced control over the graphics cards in a system.

Vulnerability CVE-2019-16098 allows an authenticated user to read and write arbitrary memory as well as I/O ports and model-specific registers (MSRs). This can be exploited to escalate privileges, execute code with high privileges, or disclose information.

The I/O control codes in RTCore64.sys are directly accessible to user-mode processes. As stated in Microsoft's policy for securing IOCTL codes in drivers, defining IOCTL codes that allow the caller to read or write non-specific areas of kernel memory is considered dangerous. No shellcode or exploit is required to exploit the vulnerability – accessing these control codes with malicious intent is sufficient.

Security products can be disabled

Andreas Klopsch from Sophos goes into detail about the attack vector in his blog post. In the end, all that matters is that the evasion technique used by the ransomware supports the disabling of more than 1,000 drivers that security products rely on. Sophos products provide protections against the tactics described in this article. (via)
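Because the driver involved is legitimately signed, signature checks alone will not catch this. A practical detection angle for defenders is to watch driver-load telemetry for the driver file names named in this post. The following script is an added example (not code from the blog post or from Sophos) that runs a small set of rules over Sysmon-style "driver loaded" events: the driver names come from the post, the one-line key=value event format and the log lines themselves are constructed for the example, and the "loaded from outside the system driver directory" heuristic is an assumption about what is worth a second look, not a rule from any vendor.

```python
"""Flag loads of known-vulnerable signed drivers in driver-load log lines.

Added example, not from the blog post or Sophos. Driver names are those the
post mentions; the log format (a one-line 'Key=Value' rendering of Sysmon
Event ID 6, DriverLoad) and the sample lines are constructed. A real pipeline
would read the full event and match on file hashes, not only on names.
"""
import ntpath
import re
from dataclasses import dataclass

# Driver file names the post describes being abused in BYOVD attacks.
KNOWN_VULNERABLE_DRIVERS = {
    "rtcore64.sys": "MSI AfterBurner 4.6.2.15658 (CVE-2019-16098), abused by BlackByte",
    "rtcore32.sys": "MSI AfterBurner 4.6.2.15658 (CVE-2019-16098), 32-bit driver",
    "mhyprot2.sys": "Genshin Impact anti-cheat driver, abused to terminate AV processes",
    "aswarpot.sys": "Avast anti-rootkit driver, abused by AvosLocker",
}

# Assumption: drivers normally live here; a load from elsewhere deserves review.
TRUSTED_DRIVER_DIR = r"c:\windows\system32\drivers"

# Constructed sample telemetry. EventID=6 is a driver load; EventID=7 (a DLL
# image load) is included to show that unrelated events are ignored.
SAMPLE_LOG = r"""
EventID=6 UtcTime=2022-10-05 08:14:02.117 ImageLoaded=C:\Windows\System32\drivers\ndis.sys Signed=true
EventID=6 UtcTime=2022-10-05 08:21:45.330 ImageLoaded=C:\Users\Public\RTCore64.sys Signed=true
EventID=7 UtcTime=2022-10-05 08:21:46.001 ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true
EventID=6 UtcTime=2022-10-05 08:22:10.508 ImageLoaded=C:\Temp\mhyprot2.sys Signed=true
EventID=6 UtcTime=2022-10-05 08:30:00.000 ImageLoaded=C:\Temp\vendortool.sys Signed=true
"""


@dataclass
class Finding:
    time: str
    path: str
    severity: str
    reason: str


# Splits 'Key=Value Key=Value ...'; values may contain spaces (UtcTime does).
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one constructed-format event line into a field dictionary."""
    return {key: value for key, value in FIELD_RE.findall(line.strip())}


def assess_driver_load(event: dict):
    """Return a Finding for a suspicious DriverLoad event, else None."""
    if event.get("EventID") != "6":
        return None  # not a driver load
    path = event.get("ImageLoaded", "")
    name = ntpath.basename(path).lower()
    time = event.get("UtcTime", "")
    if name in KNOWN_VULNERABLE_DRIVERS:
        # A signed driver is still dangerous if its IOCTLs expose kernel memory.
        return Finding(time, path, "high",
                       "known vulnerable driver: " + KNOWN_VULNERABLE_DRIVERS[name])
    if not path.lower().startswith(TRUSTED_DRIVER_DIR):
        return Finding(time, path, "medium",
                       "driver loaded from outside the system driver directory")
    return None


def scan_driver_loads(log_text: str) -> list:
    """Run the rules over every non-empty line and collect findings in order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = assess_driver_load(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_driver_loads(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.time} {f.path}: {f.reason}")
```

Name matching is deliberately the weakest part of this: an attacker can rename the file, so production rules should key on the driver's file hash or Authenticode hash and on the signer, and the name list here is only the starting point the post's examples give.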
