Thursday, May 8, 2025
HomeCyber Security NewsBlackbyte Ransomware Bypass EDR Security Using Drive Vulnerability

Blackbyte Ransomware Bypass EDR Security Using Drive Vulnerability

Published on

SIEM as a Service

Follow Us on Google News

The group behind a major ransomware attack, BlackByte ransomware gang has turned to a deadly new method of attack, “Bring Your Own Vulnerable Driver” (BYOVD). 

The reason behind this is that it allows security products to be bypassed by attacks, thus allowing them to breach the system. Over 1,000 drivers used in antivirus software have been exploited because of a vulnerability found in their software.

The vulnerability named CVE-2019-16098 may allow application privileges to be escalated and arbitrary code to be executed by attackers.

- Advertisement - Google News

The cybersecurity experts at Sophos affirmed that the attackers were exposing I/O control codes directly to user-mode processes through the driver the attackers were using.

Hackers can do this without the use of exploits or shellcodes, since kernel memory can be read, written, and executed directly.

Technical Analysis

In order to exploit the security issue, BlackByte effectively disables the drivers that prevent several EDR and antivirus products from functioning properly due to the exploited security vulnerability.

In terms of the BlackByte attack, where the protection system is disabled. While the attack flow is clearly explained the image below:-

BlackByte initially identifies the kernel version in order to select the offsets that are applicable to the kernel ID in the first stage of the attack.

In the next step, the RTCore64.sys file will be placed in the file directory “AppData/Roaming”. After that an unambiguous display name is randomly selected and then a hardcoded name is used to create the service.

Using CVE-2019-16098, the attackers then remove the address of the callback function for the event handler, as well as another parameter called NotifyRoutine, by zeroing it out. 

Hackers are only able to zero out addresses that are associated with AV/EDR drivers for products which support this function. In most cases, the systems are a combination of multiple protective measures.

Drivers for security products often use routines like these in order to collect information on the activity of the system, which is then passed to the security products.

Attackers might aim to remove these callbacks from the memory of the kernel in order to achieve their objectives.

An attacker has the following options when it comes to bypassing this security feature:-

Take advantage of legitimate code signing certificates by stealing them or acquiring them anonymously.

Reading, writing, or executing code in kernel memory by abusing existing signed drivers.

By adding the particular MSI driver to an active blocklist that can be added to the system configuration, administrators will be able to protect themselves against BlackByte’s new security bypassing trick.

Moreover, to identify any rogue driver injections that do not have a hardware match, it is imperative that administrators monitor the installation events of all drivers and scrutinize them on a regular basis.

Also Read: Download Secure Web Filtering – Free E-book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...