BlackByte Ransomware Disables Security Products Through BYOVD Method
The Ransomware Gang Abuses Drivers to Gain Access to the System.
BlackByte, a ransomware gang that has been active since 2021, is using a new technique to get past security system. Researchers call the technique BYOVD (Bring Your Own Vulnerable Driver) and it enables the threat actors to bypass protection systems by disabling more than 1.000 drivers simultaneously.
What makes the method successful is the fact that vulnerable drivers are signed with a legitimate certificate and operate with high privileges. A recent example of usage of the BYOVD method includes the North Korean threat group Lazarus abusing buggy drivers on Dell machines.
How the Attack Works?
A version of the MSI Afterburner RTCore64.sys driver, which is susceptible to a privilege escalation and code execution vulnerability identified as CVE-2019-16098, was used in recent assaults that were attributed to BlackByte. By exploiting this security issue, the group was able to disable multiple endpoint detection and response (EDR) and antivirus products from operating normally.
According to BleepingComputer, the abused MSI driver offers I/O control codes directly accessible by user-mode processes, which violate security guidelines on kernel memory access.
Initially, BlackByte identifies the kernel version and selects offsets matching its ID. After that, RTCore64.sys is dropped in “AppData\Roaming”, creating a service using a hardcoded name and random names to display.
The attackers then take advantage of the driver’s flaw to eliminate the Kernel Notify Routines related to security tool processes.
The names of the related drivers are determined using the recovered callback addresses, and they are then compared to a database of 1,000 targeted drivers that assist the operation of AV/EDR tools. Any matches found are removed and the driver of the target is nullified.
The publication highlights several methods used by BlackByte in these types of attacks, like seeking for signs of a debugger running on the system of the target and quitting.