BlackByte Ransomware Abuses Legitimate Driver to Disable Security Protections
By Ionut Arghire on October 06, 2022
The BlackByte ransomware has been observed exploiting a vulnerability in a legitimate, signed driver to disable endpoint detection and response (EDR) solutions running on the victim machine.
Although a decryptor for BlackByte ransomware was released in October last year, the threat has remained active, with the FBI warning of attacks targeting critical infrastructure sectors, including government, financial, and food and agriculture organizations.
While investigating recent activity surrounding the ransomware-as-a-service (RaaS) and its new data leak site, Sophos security researchers discovered that the threat has been using a sophisticated technique that allows it to bypass security products.
Called 'Bring Your Own Driver' (more commonly Bring Your Own Vulnerable Driver, or BYOVD), the technique involves dropping a vulnerable driver version on the victim's machine, loading it, and abusing it to remove process creation callbacks from kernel memory.
For this, BlackByte ransomware abuses a driver that Micro-Star's graphics card overclocking utility MSI Afterburner 4.6.2.15658 uses to gain extended control over the graphics cards in the system. The driver ships signed with a valid code signing certificate, which is what allows it to be loaded on the victim machine: the signature attests to who published the code, not to whether the code is safe.
The RTCore64.sys driver, Sophos explains, is affected by an authenticated read/write arbitrary memory vulnerability. Tracked as CVE-2019-16098, the issue can lead to privilege escalation, information disclosure, and code execution with elevated privileges.
The technique works because "the I/O control codes in RTCore64.sys are directly accessible by user-mode processes" and because the vulnerability can be triggered simply by sending those control codes to the driver, without the need for shellcode or a memory-corruption exploit.
BlackByte ransomware uses the vulnerable driver's arbitrary kernel write to remove the callback entries registered by EDR drivers from kernel memory, overwriting them with zeros. Once those entries are gone, the kernel no longer notifies the EDR drivers of events such as process creation, so the security product is blind to whatever the ransomware does next, even though it is still loaded and apparently running.
"The evasion technique supports disabling a whopping list of over 1,000 drivers on which security products rely to provide protection," Sophos notes.
Other ransomware families were also seen using this technique in attacks this year, albeit abusing different drivers, including the mhyprot2.sys anti-cheat driver for the Genshin Impact video game and the aswarpot.sys Avast anti-rootkit driver, which was abused by AvosLocker ransomware.
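Because every driver involved in these attacks carries a valid signature, a detection cannot key on "unsigned driver loaded". What a detection engineer can do is triage driver-load telemetry (Sysmon Event ID 6, "Driver loaded") against the drivers named above and the technique described in the preceding paragraphs: a known-abused driver name, a hash on a vulnerable-driver blocklist, and a driver loading from a user-writable path rather than the system drivers directory. The following Python is an added example written for this article, not code from Sophos or SecurityWeek. The driver file names (RTCore64.sys, mhyprot2.sys, aswarpot.sys) come from the article; the event records, hashes, paths and signer strings are constructed for illustration, and the blocklist entry is a placeholder where a real feed such as Microsoft's vulnerable driver blocklist would be loaded.

```python
"""Triage Sysmon Event ID 6 ("Driver loaded") records for BYOVD activity.
Added example for this article, not Sophos's or SecurityWeek's code.
Driver file names come from the article; the log records, hashes, paths and
signer strings below are CONSTRUCTED for illustration."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Windows event log XML uses this default namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Driver file names the article reports being abused to blind EDR.
KNOWN_ABUSED_DRIVERS = {"rtcore64.sys", "mhyprot2.sys", "aswarpot.sys"}

# SHA-256 blocklist, as populated from a vulnerable-driver feed in practice.
# CONSTRUCTED placeholder value, not a real hash of any driver.
BLOCKED_SHA256: Dict[str, str] = {"0" * 64: "RTCore64.sys (placeholder entry)"}

# Where properly installed drivers normally live. A signed driver loading from
# Temp or a user profile is the BYOVD tell: the attacker dropped it there.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signer: str
    signature_status: str


def parse_event(xml_text: str) -> Optional[DriverLoad]:
    """Return a DriverLoad for an Event ID 6 record, or None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    # Sysmon packs hashes as "SHA256=...,MD5=..." depending on its configuration.
    hashes = dict(p.split("=", 1) for p in data.get("Hashes", "").split(",") if "=" in p)
    return DriverLoad(
        image=data.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", "").lower(),
        signed=data.get("Signed", "").lower() == "true",
        signer=data.get("Signature", ""),
        signature_status=data.get("SignatureStatus", ""),
    )


def assess(load: DriverLoad) -> List[str]:
    """Return the reasons a driver load looks like BYOVD; empty means no finding."""
    reasons: List[str] = []
    name = load.image.rsplit("\\", 1)[-1].lower()
    if name in KNOWN_ABUSED_DRIVERS:
        reasons.append(f"known-abused driver name: {name}")
    if load.sha256 in BLOCKED_SHA256:
        reasons.append(f"hash on vulnerable-driver blocklist: {BLOCKED_SHA256[load.sha256]}")
    if not load.image.lower().startswith(TRUSTED_DIR_PREFIXES):
        reasons.append(f"loaded from an unexpected path: {load.image}")
    # A valid signature is not a clean bill of health: the abused drivers are
    # legitimately signed, which is exactly why the technique works. Record the
    # signer, but never let Signed=true suppress the findings above.
    if reasons and load.signed and load.signature_status.lower() == "valid":
        reasons.append(f"validly signed by '{load.signer}': signature checks alone would not block it")
    return reasons


def scan(events: Iterable[str]) -> Dict[str, List[str]]:
    """Map each suspicious driver image path to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for xml_text in events:
        load = parse_event(xml_text)
        if load is not None and (reasons := assess(load)):
            findings[load.image] = reasons
    return findings


def _event(event_id: str, **fields: str) -> str:
    """Build a minimal event-log-style XML record (constructed sample data)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")


SAMPLE_EVENTS = [
    # Attacker-dropped MSI Afterburner driver: validly signed, yet loaded from Temp.
    _event("6", ImageLoaded=r"C:\Windows\Temp\RTCore64.sys", Hashes="SHA256=" + "0" * 64,
           Signed="true", Signature="Micro-Star International CO., LTD.", SignatureStatus="Valid"),
    # Ordinary Microsoft driver from the drivers directory: no finding expected.
    _event("6", ImageLoaded=r"C:\Windows\System32\drivers\ndis.sys", Hashes="SHA256=" + "1" * 64,
           Signed="true", Signature="Microsoft Windows", SignatureStatus="Valid"),
    # Process-creation event (ID 1): not a driver load, must be ignored.
    _event("1", Image=r"C:\Windows\Temp\dropper.exe"),
    # Genshin Impact anti-cheat driver dropped into a public folder.
    _event("6", ImageLoaded=r"C:\Users\Public\mhyprot2.sys", Hashes="SHA256=" + "2" * 64,
           Signed="true", Signature="miHoYo Co.,Ltd.", SignatureStatus="Valid"),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("   -", reason)
```

Run it directly to see the two flagged loads with their reasons; the ndis.sys record and the Event ID 1 record produce nothing. In production, replace `SAMPLE_EVENTS` with records pulled from the Sysmon channel and `BLOCKED_SHA256` with a real feed, and treat the name and path heuristics as triage signals rather than a complete blocklist, since the article notes more than 1,000 drivers are affected by callback-removal abuse of this kind.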
Related: FBI Warns of BlackByte Ransomware Attacks on Critical Infrastructure
Related: Ransomware Gang Says it Has Hacked 49ers Football Team
Related: Number of Ransomware Attacks on Industrial Orgs Drops Following Conti Shutdown