Blackbyte Ransomware Bypass EDR Security Using Drive Vulnerability

The group behind a major ransomware attack, BlackByte ransomware gang has turned to a deadly new method of attack, “Bring Your Own Vulnerable Driver” (BYOVD). 

The reason behind this is that it allows security products to be bypassed by attacks, thus allowing them to breach the system. Over 1,000 drivers used in antivirus software have been exploited because of a vulnerability found in their software.

The vulnerability named CVE-2019-16098 may allow application privileges to be escalated and arbitrary code to be executed by attackers.

The cybersecurity experts at Sophos affirmed that the attackers were exposing I/O control codes directly to user-mode processes through the driver the attackers were using.

Hackers can do this without the use of exploits or shellcodes, since kernel memory can be read, written, and executed directly.

Technical Analysis

In order to exploit the security issue, BlackByte effectively disables the drivers that prevent several EDR and antivirus products from functioning properly due to the exploited security vulnerability.

In terms of the BlackByte attack, where the protection system is disabled. While the attack flow is clearly explained the image below:-

BlackByte initially identifies the kernel version in order to select the offsets that are applicable to the kernel ID in the first stage of the attack.

In the next step, the RTCore64.sys file will be placed in the file directory “AppData/Roaming”. After that an unambiguous display name is randomly selected and then a hardcoded name is used to create the service.

Using CVE-2019-16098, the attackers then remove the address of the callback function for the event handler, as well as another parameter called NotifyRoutine, by zeroing it out. 

Hackers are only able to zero out addresses that are associated with AV/EDR drivers for products which support this function. In most cases, the systems are a combination of multiple protective measures.

Drivers for security products often use routines like these in order to collect information on the activity of the system, which is then passed to the security products.

Attackers might aim to remove these callbacks from the memory of the kernel in order to achieve their objectives.

An attacker has the following options when it comes to bypassing this security feature:-

Take advantage of legitimate code signing certificates by stealing them or acquiring them anonymously.

Reading, writing, or executing code in kernel memory by abusing existing signed drivers.

By adding the particular MSI driver to an active blocklist that can be added to the system configuration, administrators will be able to protect themselves against BlackByte’s new security bypassing trick.

Moreover, to identify any rogue driver injections that do not have a hardware match, it is imperative that administrators monitor the installation events of all drivers and scrutinize them on a regular basis.

Also Read: Download Secure Web Filtering – Free E-book