A vulnerable but legitimately signed driver has allowed a ransomware gang to effectively blind the antivirus and endpoint-protection software running on a system.
As reported by Bleeping Computer, the BlackByte ransomware group is using a newly documented abuse of RTCore64.sys, the kernel driver shipped with MSI Afterburner, to disable the kernel callbacks that more than 1,000 drivers used by security products rely on.
Security programs that depend on those drivers are therefore unable to see the intrusion, a technique researchers call "Bring Your Own Vulnerable Driver" (BYOVD).
Once the attackers have loaded the vulnerable driver, they can operate under the radar because Endpoint Detection and Response (EDR) tools no longer receive the kernel notifications they depend on. Such drivers pass inspection because they carry a valid signing certificate, and once loaded they run with kernel privileges on the PC itself.
Researchers at cybersecurity company Sophos detail how the MSI graphics driver targeted by the ransomware gang exposes an I/O control (IOCTL) interface that any user-mode process can call. That interface gives callers direct access to kernel memory, which violates Microsoft's security guidelines on how drivers may expose kernel memory.
Because of the flaw, threat actors can freely read, write, or execute code within the system's kernel memory.
BlackByte is naturally eager to avoid detection so that its tooling can't be analyzed by researchers, Sophos said; the company noted that the malware checks for any debugger running on the system and simply exits if it finds one.
In addition, the malware scans the system for hooking DLLs associated with Avast, Sandboxie, the Windows DbgHelp library, and Comodo Internet Security. If one is found, BlackByte neutralizes it so it can no longer function.
Given how effective the technique is, Sophos warned that threat actors will continue to abuse legitimate, signed drivers to bypass security products. The "Bring Your Own Vulnerable Driver" method was previously used by the North Korean hacking group Lazarus, which abused a vulnerable Dell hardware driver.
Bleeping Computer explains how system administrators can protect their systems by adding the targeted MSI driver (RTCore64.sys) to an active driver blocklist, such as a Windows Defender Application Control (WDAC) policy or Microsoft's recommended vulnerable driver blocklist, so that it cannot be loaded at all.
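The check below is an added example written for this page, not code from Bleeping Computer, Sophos, or Microsoft. It hunts a Windows host for the driver discussed above and collects the values an administrator needs for a blocklist rule: the file's SHA256 hash and its Authenticode signer. The driver file name RTCore64.sys comes from the article; the 32-bit sibling name and the optional hash list are assumptions for illustration, and because an attacker can drop the same file under any name, the hash list is the more reliable match.

```powershell
# Added example (not from the article or the researchers it cites).
# Hunts for the vulnerable MSI Afterburner driver and reports what an admin
# needs to block it. Run in an elevated PowerShell session.

$SuspectNames  = @('RTCore64.sys', 'RTCore32.sys')   # 64-bit name from the article; 32-bit name is an assumption
$BlockedHashes = @()                                  # assumption: fill with SHA256 values from your blocklist

function Get-SuspectDrivers {
    # Win32_SystemDriver lists every registered kernel driver, loaded or not.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''      # strip the \??\ prefix some entries carry
            if (-not (Test-Path -LiteralPath $path)) { return }
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $leaf = Split-Path -Path $path -Leaf
            # Match on the known file name OR on a hash from the blocklist; the
            # attacker controls the name, so the hash is the check that matters.
            if (($SuspectNames -contains $leaf) -or ($BlockedHashes -contains $hash)) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                [pscustomobject]@{
                    Service   = $_.Name
                    State     = $_.State            # 'Running' means it is in the kernel right now
                    StartMode = $_.StartMode
                    Path      = $path
                    SHA256    = $hash               # value to put in a WDAC / HVCI blocklist rule
                    Signer    = $sig.SignerCertificate.Subject
                    SigStatus = $sig.Status         # a Valid signature is exactly why it loads unchallenged
                }
            }
        }
}

$hits = @(Get-SuspectDrivers)
if ($hits.Count -eq 0) {
    Write-Host 'No suspect driver registered on this host.'
} else {
    $hits | Format-List
    foreach ($h in $hits | Where-Object { $_.State -eq 'Running' }) {
        # Stopping the service is only a stopgap: an attacker who can load a
        # driver can re-register it. The durable fix is the blocklist rule.
        Write-Warning "$($h.Service) is loaded from $($h.Path); blocklist its hash, then stop the service."
    }
}
```

The script deliberately does not stop or delete anything on its own; on a machine where MSI Afterburner is legitimately installed the driver will be present and signed, and the decision to block it belongs to the administrator, who can feed the reported hash into a WDAC policy or confirm it against Microsoft's vulnerable driver blocklist.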
BlackByte's ransomware attacks first surfaced in 2021, and the FBI has since attributed intrusions at government targets to the group.