Researchers have warned users about the new BlackByte ransomware campaign that exploits a legit but vulnerable Windows driver. The ransomware employs this strategy to evade detection, making it difficult to prevent the attack.
BlackByte Ransomware Abuses Legit Vulnerable Driver In Recent Campaign
According to a recent post from Sophos, the BlackByte ransomware is now employing the Bring Your Own Vulnerable Driver (BYOVD) technique to target systems. As elaborated, the newest BlackByte ransomware variant exploits the vulnerable RTCore64.sys driver in recent campaigns.
BlackByte is a potent malware available as RaaS (ransomware-as-a-service) since 2021. It has employed various strategies in past campaigns to execute its attacks. And now, the latest ransomware variant written in GO language abuses the RTCore64.sys Windows driver to disable 1000 other drivers that anti-malware solutions use during scans.
This vulnerable driver is used by Micro-Star’s MSI AfterBurner graphics card overclocking utility that allows control over the graphics card. The vulnerability in question, CVE-2019-16098, allows an authenticated attacker to read and write to arbitrary memory, I/O ports, and MSRs. In turn, the attacker can execute codes with high privileges on the target system. Also, the signed vulnerable drivers allow evading Microsoft’s driver signing policy.
Hence, this vulnerability gives leverage to BlackByte attackers to target systems effectively without fearing detection. They can easily manipulate the vulnerable drivers to run the ransomware.
The researchers also noticed similarities between the BlackByte variant and EDRSandblast tool’s EDR bypass implementation.
According to the researchers, after completing anti-analysis checks, the ransomware attempts to retrieve the Master Boot Record file handle and bypass UAC checks to reboot itself with higher privileges.
The researchers have also shared some defense strategies to prevent BlackByte attacks alongside the detailed technical analysis. Specifically, they advise users to update the installed drivers and avoid running vulnerable versions. Users should also keep checking for news about any vulnerabilities to ensure quick driver patches since zero-day vulnerability exploits in drivers are rare.
Let us know your thoughts in the comments.