"Bring your own vulnerable driver (BYOVD)" attack technique is becoming popular among threat actors

Cybercriminal groups and nation-state actors are devising new attack techniques to compromise systems worldwide and bypass security solutions. One of the most effective attack techniques recently used in the wild is known as bring your own vulnerable driver (BYOVD) attack, which threat actors are using to bypass security products.

In BYOVD attacks, threat actors abuse vulnerabilities in legitimate, signed drivers, on which security products rely, to achieve successful kernel-mode exploitation and disable defense solutions.

Recently, a couple of BYOVD attacks made the headlines, conducted respectively by a ransomware gang and an Advanced Persistent Threat (APT) group. Let’s take a look at these two attacks.

BlackByte ransomware gang uses the BYOVD technique

The first attack was carried out by the BlackByte ransomware gang and recently detailed by researchers at cybersecurity firm Sophos.

Researchers from Sophos warn that BlackByte ransomware operators are using a bring your own vulnerable driver (BYOVD) attack to bypass security products.

Sophos experts analyzed a sample of the most recent variant of the ransomware, which is written in Go, and discovered that the threat actors are exploiting a vulnerability in a legitimate Windows driver to bypass security solutions.

“We found a sophisticated technique to bypass security products by abusing a known vulnerability in the legitimate vulnerable driver RTCore64.sys,” reads the post published by Sophos. “The evasion technique supports disabling a whopping list of over 1,000 drivers on which security products rely to provide protection. Sophos products provide mitigations against the tactics discussed in this article.”

“Bring Your Own Driver” is the name given to this technique — exploiting a targeted system by abusing a legitimate signed driver with an exploitable vulnerability.

The issue is a privilege escalation and code execution vulnerability, tracked as CVE-2019-16098 (CVSS score 7.8), that affects the Micro-Star MSI Afterburner RTCore64.sys driver.

The RTCore64.sys and RTCore32.sys drivers are widely used by Micro-Star’s MSI AfterBurner 4.6.2.15658 utility, which allows users to extend control over the graphics cards on the system.

An authenticated user can exploit the flaw to read and write arbitrary memory, I/O ports, and MSRs, potentially leading to privilege escalation, code execution with high privileges, and information disclosure. The experts explained that signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malware.

The security firm focused its analysis on Kernel Notify Routines, which loaded drivers use to be notified by the kernel of system activity. Security solutions rely on these drivers to collect information about system activity.

Sophos found multiple similarities between the latest variant of the BlackByte ransomware and the EDR bypass implementation used by the EDRSandblast open-source tool. The tool abuses vulnerable signed drivers to bypass security systems and evade detection.

The security researchers also identified the kernel routines used to deactivate the ETW (Event Tracing for Windows) Microsoft-Windows-Threat-Intelligence provider.

Event Tracing for Windows (ETW) provides a mechanism to trace and log events raised by user-mode applications and kernel-mode drivers. ETW can be used to log the use of API calls associated with malicious activity, such as NtReadVirtualMemory being used to inject into another process’s memory. An attacker who disables ETW also disables every security feature that relies on it.

“Once the anti-analysis checks finish, BlackByte attempts to retrieve a file handle of the Master Boot Record. If failed, the ransomware tries to at least bypass User Access Control and restart itself with higher privileges via CMLUA or CMSTPLUA UAC Bypass,” states Sophos.

Lazarus APT Group uses the BYOVD technique to deploy a rootkit

BYOVD attacks were first employed in the wild by nation-state actors; in one of the most recent cases, the technique was used to deploy a Windows rootkit by exploiting a flaw in the Dell firmware driver dbutil_2_3.sys.

The attack was discovered by researchers at the cybersecurity firm ESET, who attributed it to the North Korea-linked APT group Lazarus. According to the experts, the technique was used in attacks against an employee of an aerospace company in the Netherlands and a political journalist in Belgium during the autumn of 2021. The attackers opted for a spear-phishing campaign and sent out the messages using malicious Amazon-themed documents as lures.

The attacks caught the attention of the experts because the threat actors used a tool that represents the first recorded abuse of the CVE-2021-21551 vulnerability in Dell DBUtil drivers, which Dell addressed in May 2021.

The attackers employed a dynamic-link library, named FudModule.dll, that tries to disable various Windows monitoring features. The library is used to modify kernel variables and remove kernel callbacks used by security solutions.

State-sponsored hackers used the tool, in combination with the vulnerability, to disable the monitoring capabilities of all security solutions on compromised machines.

“The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way,” reads the post published by the experts.

The attack chain observed by ESET sees the attackers sending job offers to the targets. The employee at the aerospace company in the Netherlands received an attachment via LinkedIn Messaging, while the journalist in Belgium received a document via email. Upon opening the documents, the attack chain started, and the threat actors were able to deploy multiple malicious tools on each system, including droppers, loaders, fully featured HTTP(S) backdoors, HTTP(S) uploaders, and downloaders. The droppers were trojanized open-source projects that decrypt the embedded payload; in many cases, the attackers side-loaded binaries to run the malicious code.

In these attacks, the Lazarus APT group dropped weaponized versions of FingerText and sslSniffer, a component of the wolfSSL project.

The attackers also employed known malware like BLINDINGCAN to establish a backdoor into the compromised infrastructure.

“In this attack, as well as in many others attributed to Lazarus, we saw that many tools were distributed even on a single targeted endpoint in a network of interest. Without a doubt, the team behind the attack is quite large, systematically organized, and well prepared.”

Preventing bring your own vulnerable driver (BYOVD) attacks

To prevent BYOVD attacks, the researchers provided the following recommendations:

  • Threat actors usually exploit well-known vulnerabilities in the abused driver; by keeping track of the latest security issues, it is therefore possible to blocklist drivers known to be exploitable.
  • Always keep track of the drivers installed on your systems and keep them up to date.
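The two recommendations above amount to one routine check: inventory the kernel drivers registered on a host and compare them against a blocklist of drivers known to be exploitable. The PowerShell script below is an added example (not from the article, Sophos or ESET) that does exactly that; it uses the driver file names named in the article and assumes the SHA-256 hash values are placeholders you replace with values from a trusted source, since the article does not provide them.

```powershell
# Added example (not from the article): inventory the kernel drivers registered on a
# Windows host and flag any whose SHA-256 hash or file name matches a blocklist of
# known-exploitable drivers (the driver names come from the article; the hashes are
# PLACEHOLDERS to be replaced with values from the vendor advisory or another trusted source).

$BlocklistedNames  = @('RTCore64.sys', 'RTCore32.sys', 'dbutil_2_3.sys')
$BlocklistedHashes = @{
    '<SHA256-OF-RTCORE64-PLACEHOLDER>' = 'CVE-2019-16098 MSI Afterburner RTCore64.sys'
    '<SHA256-OF-DBUTIL-PLACEHOLDER>'   = 'CVE-2021-21551 Dell dbutil_2_3.sys'
}

function Find-BlocklistedDriver {
    [CmdletBinding()]
    param()

    # Win32_SystemDriver lists every kernel driver service registered on the host,
    # including ones that are installed but not currently running.
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = $drv.PathName
        if (-not $path) { continue }

        # Normalise the paths the service database stores, e.g. \SystemRoot\system32\drivers\x.sys or \??\C:\...
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^\\\?\?\\', ''
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $file   = Split-Path -Leaf $path
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $reason = $null

        # A hash match is authoritative; a name match is a weaker signal worth a manual look,
        # because a patched driver may keep the same file name.
        if ($BlocklistedHashes.ContainsKey($hash))    { $reason = $BlocklistedHashes[$hash] }
        elseif ($BlocklistedNames -contains $file)    { $reason = 'file name on blocklist (verify version/hash)' }

        if ($reason) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Driver    = $drv.Name
                Path      = $path
                State     = $drv.State       # 'Running' means the driver is loaded in the kernel right now
                StartMode = $drv.StartMode
                SHA256    = $hash
                Signer    = $sig.SignerCertificate.Subject
                Reason    = $reason
            }
        }
    }
}

# Usage: a 'Running' blocklisted driver on a host where no one installed MSI Afterburner
# or Dell's utility is a strong indicator that warrants an incident-response check.
Find-BlocklistedDriver | Format-Table -AutoSize
```

Microsoft also ships a vulnerable driver blocklist that is enforced when memory integrity (HVCI) is enabled; a periodic inventory like this complements it by surfacing blocklisted drivers that are installed but not yet blocked on hosts where that feature is off.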
