Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label BYOVD Attack. Show all posts
cybersecurity threat
BYOVD Attack cyber attack Cyber Attacks cybersecurity threat

BYOVD Attacks Turn Trusted Windows Drivers Into Security Threats

 

Cybersecurity researchers are warning about a growing wave of attacks that exploit legitimate Windows drivers to bypass security protections and gain deep control over targeted systems. 

The technique, known as Bring Your Own Vulnerable Driver or BYOVD, involves attackers loading digitally signed but flawed drivers onto a compromised machine. Once active, the vulnerable driver can be exploited to gain kernel level privileges, the highest level of access in the Windows operating system. 

Researchers from Picus Security said the method allows threat actors to “load a legitimate, digitally signed, but vulnerable driver onto a target system” and then exploit weaknesses in that driver to gain arbitrary kernel mode execution. 

With this level of access, attackers can disable endpoint security tools, manipulate operating system processes and carry out further malicious activity without interference. 

How the attack works 

BYOVD attacks do not provide the initial entry point into a system. Instead, attackers use the technique after gaining administrative access through other methods such as phishing campaigns, stolen credentials, exploitation of exposed services or purchasing access from an initial access broker. 

Once administrative privileges are obtained, attackers introduce a vulnerable driver file into the system. The driver, typically a .sys file, is often placed in directories that allow easy writing access such as temporary Windows folders or public user directories. 

Many of these drivers are taken directly from legitimate vendor software packages, including hardware utilities, monitoring tools or gaming applications. Because the drivers are officially signed and appear legitimate, they can pass Windows trust checks. Attackers then load the driver into the Windows kernel. 

This is commonly done through the Windows Service Control Manager using commands such as sc.exe create and sc.exe start, or by calling system level APIs like NtLoadDriver. 

Since the driver carries a valid digital signature, Windows allows it to run in kernel space without immediately triggering alerts. 

Exploiting driver weaknesses 

After the vulnerable driver is loaded, attackers exploit unsafe input and output control functions exposed by the driver. These functions can allow direct reading and writing of system memory. 

By sending specially crafted requests, attackers can gain access to protected kernel memory regions. This effectively provides full control over the operating system’s most privileged layer. 

With kernel read and write capabilities, attackers can disable security protections in several ways. They may remove endpoint detection and response callbacks from kernel structures, patch tamper protection routines in memory, terminate antivirus processes or manipulate system process objects to conceal malicious activity. 

Even though security software may still appear installed, the endpoint may effectively be left unprotected. 

Example of driver abuse 

One attack analyzed by Picus researchers involved ransomware actors exploiting the mhyprot2.sys anti cheat driver used by the popular video game Genshin Impact. 

In that case, attackers installed the legitimate driver and then used a separate executable to send a specific command instructing the driver to terminate antivirus processes. Because the driver operated with kernel level privileges, it successfully executed system level commands to kill security services. 

Once defenses were disabled, ransomware encryption was deployed without resistance.

Structural weaknesses in driver trust 

The effectiveness of BYOVD attacks stems partly from how Windows manages driver trust. Since Windows 10, most new kernel drivers must be signed through Microsoft’s developer portal. 

However, compatibility requirements allow certain older cross signed drivers to still load under specific conditions. 

These conditions include systems where Secure Boot is disabled or devices that were upgraded from older Windows installations rather than freshly installed. 

Such compatibility allowances create gaps that attackers can exploit by loading vulnerable legacy drivers that remain trusted by the system. 

Microsoft also maintains a vulnerable driver blocklist, but this list is updated only after vulnerabilities are discovered and reported. Updates often coincide with major Windows releases, meaning newly identified vulnerable drivers may remain usable for extended periods. 

As a result, BYOVD attacks do not technically bypass Windows security mechanisms. Instead, they take advantage of drivers that the operating system still considers trustworthy. 

Defending against BYOVD 

Security experts say defending against this technique requires layered protections rather than a single configuration change. 

Organizations are advised to enable hypervisor protected code integrity and the broader virtualization based security framework to prevent unauthorized kernel memory changes. 

Controls such as Windows Defender Application Control and Microsoft’s vulnerable driver blocklist can restrict which drivers are allowed to run. Limiting administrative privileges is another critical step. 

Companies should remove unnecessary local administrator rights, enforce least privilege policies and require multi factor authentication for privileged accounts. Monitoring for suspicious activity is also essential. 

Security teams should watch for unusual driver loading events or new kernel service creation logs. Maintaining Secure Boot and restricting driver installation through group policy can further reduce the risk of unauthorized or legacy drivers being loaded. 

Regular auditing of third party drivers installed on systems can help reduce the overall kernel attack surface. 

Security analysts say BYOVD reflects a broader change in attacker strategy. Instead of relying only on new vulnerabilities or zero day exploits, threat actors increasingly use trusted components that already exist within systems. 

Read more »
Windows
BYOVD Attack cloud storage Cyber Attacks Linux phishing Ransomware Reynolds Windows

New Ransomware Uses Trusted Drivers to Disable Security Defenses

 


Security monitoring teams are tracking a new ransomware strain called Reynolds that merges system sabotage and file encryption into a single delivery package. Instead of relying on separate utilities to weaken defenses, the malware installs a flawed system driver as part of the infection process, allowing it to disable protective software before encrypting data.

The method used is known in security research as Bring Your Own Vulnerable Driver, or BYOVD. This approach abuses legitimate drivers that contain known weaknesses. Because operating systems recognize these drivers as trusted components, attackers can exploit them to gain deep system access and stop endpoint protection tools with reduced risk of detection. This tactic has been repeatedly observed across multiple ransomware operations in recent years.

In the Reynolds incidents, the malware deploys the NSecKrnl driver produced by NsecSoft. This driver contains a publicly documented vulnerability tracked as CVE-2025-68947, rated 5.7 in severity. The flaw allows any running process to be forcibly terminated, which attackers use to shut down security platforms including Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos with HitmanPro.Alert, and Symantec Endpoint Protection. The same driver has previously been abused by a threat actor known as Silver Fox in campaigns that disabled security tools before deploying ValleyRAT. Silver Fox has also relied on other vulnerable drivers, such as truesight.sys and amsdk.sys, during similar operations.

Security analysts note that integrating defense suppression into ransomware itself is not unprecedented. A comparable approach appeared during a Ryuk ransomware incident in 2020 and later in activity linked to the Obscura ransomware family in August 2025. Folding multiple attack stages into a single payload reduces operational complexity for attackers and decreases the number of separate files defenders might detect.

Investigations into recent intrusions uncovered signs of long-term preparation. A suspicious loader that used side-loading techniques was found on victim networks several weeks before encryption occurred. Following deployment of the ransomware, a remote access program known as GotoHTTP was installed within one day, indicating an effort to preserve long-term control over compromised systems.

Parallel ransomware campaigns reveal additional shifts in attacker behavior. Large phishing operations are circulating shortcut file attachments that trigger PowerShell scripts, leading to the installation of Phorpiex malware, which then delivers GLOBAL GROUP ransomware. This ransomware conducts all operations locally and does not transmit stolen data, allowing it to function in networks without internet access. Other campaigns tied to WantToCry have exploited virtual machines provisioned through ISPsystem, a legitimate infrastructure management service, to distribute malware at scale. Some of the same hosting infrastructure has been linked to LockBit, Qilin, Conti, BlackCat, and Ursnif, as well as malware families including NetSupport RAT, PureRAT, Lampion, Lumma Stealer, and RedLine Stealer.

Researchers assess that bulletproof hosting providers are renting ISPsystem virtual machines to criminal actors by abusing a design flaw in VMmanager’s default Windows templates. Because these templates reuse identical hostnames and system identifiers, thousands of virtual machines can be created with the same fingerprint, making takedown efforts more difficult.

Ransomware groups are also expanding their business models. DragonForce now provides affiliates with a “Company Data Audit” service, which includes risk assessments, pre-written call scripts, executive-level letters, and negotiation guidance. The group operates as a cartel that allows affiliates to launch their own brands while sharing infrastructure and services.

Technical changes are shaping newer ransomware versions. LockBit 5.0 has replaced AES encryption with ChaCha20 and now targets Windows, Linux, and ESXi environments. The latest version includes file wiping capabilities, delayed execution, encryption progress tracking, improved evasion techniques, stronger in-memory operation, and reduced disk footprints. The Interlock group continues to target organizations in the United Kingdom and United States, particularly in education. One attack exploited a zero-day vulnerability in the GameDriverx64.sys anti-cheat driver, tracked as CVE-2025-61155 with a 5.5 severity score, to disable security tools using BYOVD methods. The same campaign deployed NodeSnake, also known as Interlock RAT or CORNFLAKE, with MintLoader identified as the initial access point.

Targeting strategies are also shifting toward cloud storage. Poorly configured Amazon Web Services S3 buckets are being abused through native platform functions to erase data, restrict access, overwrite files, or quietly extract sensitive information while remaining difficult to detect.

Industry tracking from Cyble indicates that GLOBAL GROUP is among several ransomware crews that appeared in 2025, alongside Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire, and The Gentlemen. ReliaQuest reported that Sinobi’s data leak activity increased by 306 percent in the final quarter of 2025, ranking it third behind Qilin and Akira. LockBit’s resurgence included 110 victim listings in December alone. Researchers estimate that ransomware actors claimed 4,737 attacks in 2025, compared with 4,701 in 2024. Incidents centered only on data theft rose to 6,182, reflecting a 23 percent increase. Coveware reported that average ransom demands reached $591,988 in late 2025, driven by a small number of exceptionally large settlements, and warned that attackers may shift back toward encryption-based extortion to increase pressure on victims.

Read more »
vulnerable driver abuse
BYOVD Attack EDR killer malware EnCase driver exploit kernel driver security malware vulnerable driver abuse

Attackers Exploit Revoked EnCase Driver to Disable Endpoint Security Using New EDR Killer Malware

 

Threat actors are increasingly deploying a new strain of EDR killer malware capable of disabling 59 popular endpoint protection products. According to Huntress researchers, the malware abuses a Windows kernel driver that was once legitimately distributed with Guidance Software’s EnCase digital forensics tool.

Although the driver is genuine, its signing certificate expired and was revoked over a decade ago. Despite this, Windows systems still permit the driver to load, making it an attractive target for attackers.

Huntress analysts identified the intrusion earlier this month and determined that attackers followed a multi-step process. They initially gained entry into the victim’s environment by authenticating to a SonicWall SSLVPN using previously stolen credentials. Once inside, the attackers conducted internal reconnaissance before deploying the EDR killer malware, which contained the vulnerable kernel driver embedded within it.

To evade detection, the malware uses a custom encoding mechanism that conceals the driver from security tools. After decoding, the driver is written to disk under a directory that resembles a legitimate OEM component. The file is hidden, its timestamps are copied from an authentic system file to avoid suspicion, and it is registered as a Windows kernel service to ensure persistence across reboots.

“Once loaded, the driver exposes an IOCTL interface that allows usermode processes to terminate arbitrary processes directly from kernel mode. This bypasses all usermode protections, including Protected Process Light (PPL) that typically guards critical system processes and EDR agents,” the researchers explained.

This attack leverages the Bring Your Own Vulnerable Driver (BYOVD) technique, which enables adversaries to achieve kernel-level access by abusing trusted but flawed drivers. Rather than developing a malicious driver from scratch, attackers reuse legitimate drivers created by hardware vendors or software providers.

After such a driver is loaded into the kernel, its vulnerabilities or exposed interfaces can be exploited to disable security tools, weaken system defenses, or directly access system memory.

While defenders have been aware of BYOVD attacks for years, mitigating them at scale remains challenging. Windows Driver Signature Enforcement (DSE) can block unsigned or altered drivers, but it does not validate Certificate Revocation Lists (CRLs).

“This limitation exists for practical reasons: drivers load early in the boot process before network services are available, and CRL checks would significantly impact boot performance. Even when a CRL is manually imported into local certificate storage, the kernel bypasses this check entirely,” the researchers explained.

To address this gap, Microsoft maintains a Vulnerable Driver Blocklist. However, this approach has an inherent weakness: only drivers already identified as malicious are included, leaving a window of opportunity for attackers to exploit new or overlooked drivers. Microsoft also allows certain exceptions to preserve backward compatibility.

“Drivers signed with certificates issued before July 29, 2015, that chain to a supported cross-signed certificate authority] are still permitted to load,” the researchers noted. “The EnCase driver’s certificate was issued on December 15, 2006, well before this cutoff.”

Huntress believes the attackers’ end goal was to deploy ransomware, but the campaign was stopped before reaching that stage. To reduce risk, the researchers recommend enabling multi-factor authentication across all remote access services and closely reviewing VPN logs for unusual activity. Organizations should also enable Memory Integrity to enforce Microsoft’s Vulnerable Driver Blocklist, watch for suspicious services masquerading as legitimate hardware components, and apply Windows Defender Application Control and Attack Surface Reduction rules to block the loading and abuse of known vulnerable drivers.
Read more »
Ransomware
BYOVD Attack Cyber Crime Data Stolen EDR Ransomware

New Hacking Tool Lets Ransomware Groups Disable Security Systems

 



Cybersecurity experts have discovered a new malicious tool designed to shut down computer security programs, allowing hackers to attack systems without being detected. The tool, which appears to be an updated version of an older program called EDRKillShifter, is being used by at least eight separate ransomware gangs.

According to researchers at Sophos, the groups using it include RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC. These criminal gangs use such programs to disable antivirus and Endpoint Detection and Response (EDR) systems software meant to detect and stop cyberattacks. Once these protections are switched off, hackers can install ransomware, steal data, move through the network, and lock down devices.


How the Tool Works

The new tool is heavily disguised to make it difficult for security software to spot. It starts by running a scrambled code that “unlocks” itself while running, then hides inside legitimate applications to avoid suspicion.

Next, it looks for a specific type of computer file called a driver. This driver is usually digitally signed, meaning it appears to be safe software from a trusted company but in this case, the signature is stolen or outdated. If the driver matches a name hidden in the tool’s code, the hackers load it into the computer’s operating system.

This technique is called a “Bring Your Own Vulnerable Driver” (BYOVD) attack. By using a driver with security weaknesses, the hackers gain deep control of the system, including the ability to shut down security tools.

The driver pretends to be a legitimate file, sometimes even mimicking trusted products like the CrowdStrike Falcon Sensor Driver. Once active, it terminates the processes and services of security products from well-known vendors such as Microsoft Defender, Kaspersky, Symantec, Trend Micro, SentinelOne, McAfee, F-Secure, and others.


Shared Development, Not Leaks

Sophos notes that while the tool appears in attacks by many different groups, it is not a case of one stolen copy being passed around. Instead, it seems to be part of a shared development project, with each group using a slightly different version — changing driver names, targeted software, or technical details. All versions use the same “HeartCrypt” method to hide their code, suggesting close cooperation among the groups.


A Common Criminal Practice

This is not the first time such tools have been shared in the ransomware world. In the past, programs like AuKill and AvNeutralizer have been sold or distributed to multiple criminal gangs, allowing them to disable security tools before launching attacks.

The discovery of this new tool is a reminder that ransomware operators are constantly improving their methods and working together to overcome defenses. Security experts stress the need for updated protections and awareness to defend against such coordinated threats.

Read more »
Windows
BYOVD Attack CyberCrime Cybersecurity CyberThreat Vulnerabilities and Exploits Vulnerability Windows

Cybercriminals Target Paragon Partition Manager Vulnerability in BYOVD Attacks

 


It has been reported that threat actors have been actively exploiting a security vulnerability within the BioNTdrv.sys driver of Paragon Partition Manager in ransomware attacks by elevating privileges and executing arbitrary code under the guise of attacks. The CERT Coordination Center (CERT/CC) has identified this zero-day vulnerability as CVE-2025-0289, one of five security flaws discovered by Microsoft during the past year. 

Other flaws have been identified, including arbitrary memory mapping, arbitrary memory write, null pointer dereferences, insecure kernel resource access, and arbitrary memory move vulnerabilities. It is especially concerning that an adversary may be able to exploit this vulnerability. It involves a Microsoft-signed driver, which allows adversaries to take advantage of the Bring Your Own Vulnerable Driver (BYOVD) technique. 

Using this method, attackers can compromise systems regardless of whether Paragon Partition Manager is installed, broadening the attack surface significantly. As BioNTdrv.sys operates at the kernel level, threat actors can exploit these vulnerabilities to execute commands with elevated privileges. This allows them to bypass security measures and defensive software, as attackers can access the system and deploy additional malicious payloads. 

Even though Microsoft researchers have identified all five security flaws, the company can not divulge what ransomware groups have been leveraging CVE-2025-0289 to execute their attacks. They are only aware that it has been weaponized in ransomware operations. A bulletin issued by Microsoft's CERT Coordination Center (CERT/CC) indicated that threat actors have been exploiting this vulnerability to conduct BYOVD-based ransomware attacks. 

According to the CVE-2025-0289 vulnerability, further malicious code within compromised environments can be executed by exploiting this vulnerability to escalate privileges to the SYSTEM level. This vulnerability can be exploited to facilitate the exploitation of BYOVD attacks, even on systems where the affected driver is not installed, and this can result in threat actors gaining elevated privileges and executing malicious code without the protection of security systems in place. 

As part of the identified security flaws affecting BioNTdrv.sys versions 1.3.0 and 1.5.1, CVE-2025-0285 is a flaw in version 7.9.1 which permits the mapping of kernel memory to arbitrary user inputs by not properly validating the length of the input. By exploiting this vulnerability, the user can escalate their privileges even further. 

There is a CVE-2025-0286 vulnerability that exists in version 7.9.1, resulting from improper validation of input controlled by users, which allows attackers to exploit this flaw to execute malicious code on the target machine. An unprivileged code execution vulnerability has been found in version 7.9.1, caused by an insufficient MasterLrp structure in the input buffer, which can result in a null pointer dereference vulnerability. 

Successful exploit allows arbitrary kernel-level code to be executed, facilitating privilege escalation and further misuse. Version 7.9.1 contains a vulnerability in the memmove function. This function fails to properly sanitize user-supplied data, allowing attackers to manipulate kernel memory and escalate privileges. 

Inversion of the CVE-2025-0289 vulnerability, an insecure kernel resource access vulnerability, has been found in version 17 of the Linux kernel due to a failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware during the detection process. By exploiting this vulnerability, attackers can compromise the system. 

This security vulnerability has been addressed by Paragon Software by releasing the updated driver BioNTdrv.sys version 2.0.0 across all products within Paragon Software's Hard Disk Manager suite, including Partition Manager versions 17.45.0 and later versions. This update has been developed to reduce the risks associated with the previously identified security vulnerabilities. 

There is also a dedicated security patch available for 64-bit versions of Windows 10, Windows 11, and Windows Server 2016, 2019, 2022, and 2025 that will provide users with an additional layer of protection against any exploits that might occur in the future, thereby enhancing the level of security. As part of Microsoft's efforts to protect its ecosystem, it has updated its Vulnerable Driver Blocklist, which effectively disables the execution of BioNTdrv.sys versions that are compromised within Windows environments, thereby preventing exploitation. 

Users and enterprises are strongly encouraged to ensure that this protection mechanism is kept in place to prevent exploitation. In light of the ongoing threat posed by these vulnerabilities, especially as a result of ransomware attacks, all users of Paragon Partition Manager and its associated products must update their software as soon as possible to the newest version available. 

As a further precaution, all Windows users should make sure that they enable the Microsoft Vulnerable Driver Blocklist feature as soon as possible. This is because it serves as a critical defense against BYOVD (Bring Your Vulnerable Driver) attacks, where outdated or insecure drivers are leveraged to elicit privileges and compromise a computer system.
Read more »
Rootkit
Avast BYOVD Attack Cyber Attacks Rootkit

Hackers Use Avast Bug to Shut Down Security Tools




A recently discovered campaign of cyberattacks makes use of a vulnerable Avast Anti-Rootkit driver to disable system security mechanisms and gain full control over target machines. With this, hackers can successfully avoid detection by security tools and thus pose a severe threat to users and organizations.


Exploiting a Vulnerable Driver

It is leveraging the so-called "bring-your-own-vulnerable-driver" (BYOVD) technique, where an old version of Avast's Anti-Rootkit driver is used. This kernel-mode driver allows hackers to gain access to essential parts of the system and also disable security defenses. The discovery was made by Trellix cybersecurity researchers.

The malware launching the attack, which is described as a variant of an AV Killer, drops a driver named ntfs.bin in the Windows user folder. It subsequently creates a service named aswArPot.sys using the Service Control tool (sc.exe) for registration and activation of the vulnerable driver.  


Targeting Security Processes

After installing the driver, the malware scans the system based on a hardcoded list of 142 processes associated with popular security tools. Such a list includes software from major vendors like McAfee, Sophos, Trend Micro, Microsoft Defender, and ESET. If it finds a match, the malware issues commands to the driver to terminate such security processes, thus effectively disabling system defenses.


Track of Previous Attacks

This abuse technique of the Avast driver has been seen in past attacks. In 2021, researchers found the same driver being used by Cuba ransomware to enable security tools disabling on victim systems. Trend Micro had discovered this technique while studying AvosLocker ransomware in early 2022.

Adding to the risks, SentinelLabs identified two severe vulnerabilities (CVE-2022-26522 and CVE-2022-26523) in the Avast Anti-Rootkit driver. These flaws, present since 2016, allowed attackers to escalate privileges and disable security measures. Avast addressed these vulnerabilities in 2021 through security updates, but outdated versions of the driver remain exploitable.  


What Should One Do?

To protect against such attacks, security professionals advise that blocking rules based on the digital signatures or hashes of malicious components should be in place. To this end, Microsoft also provides solutions, such as the vulnerable driver blocklist policy, which is enabled automatically on Windows 11 2022 and later devices. Organizations can further bolster protection by using Microsoft's App Control for Business to ensure systems are protected from driver-based exploits.


This campaign is a persistent threat in which the outdated drivers pose the risks, and proactive security measures are emphasized to fight advanced cyberattacks.


Read more »
Sophos report
BYOVD Attack Cyber Attacks EDR GitHub Malware Attack RansomHub Sophos Sophos report

RansomHub Deploys EDRKillShifter Malware to Disable Endpoint Detection Using BYOVD Attacks

 

Sophos security researchers have identified a new malware, dubbed EDRKillShifter, used by the RansomHub ransomware group to disable Endpoint Detection and Response (EDR) systems in attacks leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques. This method involves deploying a legitimate but vulnerable driver on a target device to gain escalated privileges, disable security measures, and take control of the system. 

The technique has gained popularity among various threat actors, including both financially motivated ransomware groups and state-sponsored hackers. The EDRKillShifter malware was discovered during an investigation of a ransomware incident in May 2024. The attackers tried to use this tool to disable Sophos protection on a targeted computer but were unsuccessful due to the endpoint agent’s CryptoGuard feature, which prevented the ransomware executable from running. Sophos’ investigation revealed two different malware samples, both exploiting vulnerable drivers with proof-of-concept code available on GitHub. These drivers include RentDrv2 and ThreatFireMonitor, the latter being part of an obsolete system-monitoring package. 

The malware’s loader execution process follows a three-step procedure. Initially, the attacker launches the EDRKillShifter binary with a password string to decrypt and execute an embedded resource named BIN in memory. This code then unpacks and executes the final payload, which installs and exploits a vulnerable driver to elevate privileges and disable active EDR processes. Once the driver is loaded, the malware creates a service and enters an endless loop that continuously monitors and terminates processes matching names on a hardcoded target list. Interestingly, the EDRKillShifter variants discovered were compiled on computers with Russian localization, and they exploit legitimate but vulnerable drivers, using modified proof-of-concept exploits found on GitHub. 

Sophos suspects that the attackers adapted portions of these proofs-of-concept and ported the code to the Go programming language. To mitigate such threats, Sophos advises enabling tamper protection in endpoint security products, separating user and admin privileges to prevent the loading of vulnerable drivers, and keeping systems updated. Notably, Microsoft continually de-certifies signed drivers known to have been misused in previous attacks. Last year, Sophos identified another EDR-disabling malware, AuKill, which similarly exploited a vulnerable Process Explorer driver in Medusa Locker and LockBit ransomware attacks.
Read more »
Vulnerabilities and Exploits
Antivirus System BYOVD Attack Ransomware Ransomware Gang Vulnerabilities and Exploits

Kasseika Ransomware Employs AntiVirus Driver to Disarm Other Antiviruses

 

Kasseika, a ransomware gang, has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) assault to disable security-related processes on compromised Windows hosts, following groups such as Akira, AvosLocker, BlackByte, and RobbinHood. 

Trend Micro claimed in a research that the technique enables "threat actors to terminate antivirus processes and services in order to deploy ransomware." 

Kasseika, identified by the cybersecurity firm in mid-December 2023, shares similarities with the now-defunct BlackMatter, which formed following DarkSide's disintegration. 

Given that the source code of BlackMatter was never made public after its demise in November 2021, there is evidence to imply that the ransomware strain may have been created by an experienced threat actor who purchased or secured access to the code. 

Modus operandi 

Kasseika attack chains begin with phishing emails to gain access, then drop remote administration tools (RATs) to escalate privileges and propagate across the target network. 

The threat actors have been spotted employing Microsoft's Sysinternals PsExec command-line tool to run a malicious batch script. The script searches for a process called "Martini.exe" and ends it if it is located, thereby guaranteeing the process is only running on one machine. 

The executable's primary task is to disable 991 security tools by downloading and executing the "Martini.sys" driver from a remote server. It is important to note that "viragt64.sys," an authentic signed driver, has been placed on Microsoft's vulnerable driver blocklist and is known as "Martini.sys.” 

The researchers noted that "if Martini.sys does not exist, the malware will terminate itself and not proceed with its intended routine," highlighting the vital role that the driver plays in defence evasion.

After that, "Martini.exe" starts the ransomware payload ("smartscreen_protected.exe"), which uses the RSA and ChaCha20 algorithms to encrypt data. However, not before it terminates all services and processes that are attempting to reach Windows Restart Manager. 

The computer's wallpaper is subsequently modified to display a note requesting a 50 bitcoin payment to a wallet address within 72 hours, or risk paying an additional $500,000 every 24 hours once the deadline elapses. A ransom note is then dumped in every directory that has been encrypted. 

Furthermore, in order to acquire a decryptor, victims are required to send a screenshot of their successful payment to a Telegram channel that is managed by attackers. The Kasseika ransomware also has additional tricks up its sleeve, such as wiping traces of activity from the system's event logs using the wevtutil.exe component.

"The command wevutil.exe efficiently clears the Application, Security, and System event logs on the Windows system," the researchers concluded. "This technique is used to operate discreetly, making it more challenging for security tools to identify and respond to malicious activities.”
Read more »
Spear Phishing Campaign
Backdoor BYOVD Attack Cyber Attacks North Korean Hackers Spear Phishing Campaign

Lazarus Hackers Employed Spear-Phishing Campaign to Target European Workers

 

ESET researchers have spotted the infamous Lazarus APT group installing a Windows rootkit that exploits a Dell hardware driver in a Bring Your Own Vulnerable Driver (BYOVD) attack. 

In a spear-phishing campaign that began in the autumn of 2021 and ran until March 2022, the hackers targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium. 

Exploiting Dell driver for BYOVD assaults 

According to ESET, the malicious campaign was mostly geared toward attacking European contractors with fake job offers. The hackers exploited LinkedIn and WhatsApp by posing as recruiters to deliver malicious components disguised as job descriptions or application forms. 

Upon clicking on these documents, a remote template was downloaded from a hardcoded address, followed by infections involving malware loaders, droppers, custom backdoors, and more. 

The most notable tool delivered in this campaign was a new FudModule rootkit that employs a BYOVD (Bring Your Own Vulnerable Driver) methodology to exploit a security bug in a Dell hardware driver.

The hackers were exploiting the vulnerability tracked CVE-2021-21551 in a Dell hardware driver (“dbutil_2_3.sys”), which corresponds to a set of five flaws that remained susceptible for 12 years before the computer vendor finally published security patches for it. 

The APT group employed Bring Your Own Vulnerable Driver (BYOVD) technique to install authentic, signed drivers in Windows that also contain known vulnerabilities. As the kernel drivers are signed, Windows allowed the driver to be installed in the operating system. However, the hackers can now exploit the driver’s flaws to launch commands with kernel-level privileges. 

Last year in December, Rapid 7 researchers issued a warning regarding this specific driver being a perfect match for BYOVD assaults due to Dell’s inadequate fixes, allowing kernel code execution even on recent, signed versions. It appears that Lazarus was familiar with this potential for exploitation and abused the Dell driver well before threat analysts issued their public warnings. 

“The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way,” researchers explained. 

The APT group also delivered its trademark custom HTTP(S) backdoor ‘BLINDINGCAN,’ first unearthed by U.S. intelligence in August 2020 and linked to Lazarus by Kaspersky in October last year. Other tools deployed in the spear-phishing campaign are the FudModule Rootkit, an HTTP(S) uploader employed for secure data theft, and multiple trojanized open-source apps like wolfSSL and FingerText.
Read more »
Subscribe to: Comments (Atom)