Tuesday, October 11, 2022

New BlackByte Ransomware Variant Exploits Susceptible Driver


Researchers have warned users about a new BlackByte ransomware campaign that exploits a legitimate but vulnerable Windows driver. The ransomware uses this technique to evade detection, making the attack difficult to stop.

BlackByte Ransomware Abuses Legitimate Vulnerable Driver In Latest Campaign

According to a recent post from Sophos, the BlackByte ransomware is now using the Bring Your Own Vulnerable Driver (BYOVD) technique to target systems. As elaborated there, the latest BlackByte ransomware variant exploits the vulnerable RTCore64.sys driver in recent campaigns.

BlackByte is a potent malware family available as RaaS (ransomware-as-a-service) since 2021. It has employed numerous techniques in past campaigns to execute its attacks. Now, the latest ransomware variant, written in Go, abuses the RTCore64.sys Windows driver to disable 1000 different drivers that anti-malware solutions use during scans.

This vulnerable driver is used by Micro-Star's MSI AfterBurner graphics card overclocking utility, which allows control over the graphics card. The vulnerability in question, CVE-2019-16098, allows an authenticated attacker to read and write arbitrary memory, I/O ports, and MSRs. In turn, the attacker can execute code with high privileges on the target system. Also, because the vulnerable driver is signed, it allows evading Microsoft's driver signing policy.

Hence, this vulnerability gives BlackByte attackers the leverage to target systems effectively without fear of detection. They can easily manipulate the vulnerable driver to run the ransomware.

The researchers also noticed similarities between the BlackByte variant and the EDRSandblast tool's EDR bypass implementation.

According to the researchers, after completing anti-analysis checks, the ransomware attempts to retrieve the Master Boot Record file handle and bypass UAC checks to reboot itself with higher privileges.

The researchers have also shared some defense strategies to prevent BlackByte attacks alongside the detailed technical analysis. Specifically, they advise users to update the installed drivers and avoid running vulnerable versions. Users should also keep checking for news about any vulnerabilities to ensure quick driver patches, since zero-day vulnerability exploits in drivers are rare.
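As an added example (not code from the article or from Sophos), the following detector flags loads of the RTCore64.sys driver named above in Sysmon-style driver-load records, and also flags drivers loaded from outside the Windows drivers directory. The `Key=Value|...` record format and the sample events are constructed here for illustration; the driver blocklist holds only the file name the page gives, since no hashes are provided.

```python
"""Detect BYOVD-style loads of the vulnerable RTCore64.sys driver.

Added example: the record format below is a constructed, simplified
rendering of Sysmon Event ID 6 (DriverLoad) fields, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Driver named on this page as abused for BYOVD (CVE-2019-16098). A real
# deployment would match vetted file hashes too; none are given on the page.
VULNERABLE_DRIVER_NAMES = {"rtcore64.sys"}

# Windows system driver directory; a driver loaded from anywhere else
# deserves a second look even when it is not on the blocklist.
EXPECTED_DRIVER_DIR = re.compile(r"^c:\\windows\\system32\\drivers\\", re.I)


@dataclass
class Finding:
    image: str
    reason: str


def parse_record(line: str) -> dict:
    """Parse 'Key=Value' pairs separated by '|' (constructed format)."""
    return dict(pair.split("=", 1) for pair in line.split("|") if "=" in pair)


def check_driver_load(record: dict) -> Optional[Finding]:
    image = record.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    # A valid signature does NOT clear the driver: RTCore64.sys is signed,
    # which is exactly why BYOVD slips past driver-signing enforcement.
    if name in VULNERABLE_DRIVER_NAMES:
        return Finding(image, "known vulnerable driver (BYOVD blocklist)")
    if not EXPECTED_DRIVER_DIR.match(image):
        return Finding(image, "driver loaded from outside the drivers directory")
    return None


def scan(lines):
    return [f for f in (check_driver_load(parse_record(l)) for l in lines) if f]


# Constructed sample events, not captured from a real host.
SAMPLE_LOG = [
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys|Signed=true",
    "EventID=6|ImageLoaded=C:\\Windows\\Temp\\RTCore64.sys|Signed=true",
    "EventID=6|ImageLoaded=C:\\Users\\Public\\helper.sys|Signed=false",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ALERT: {f.image}: {f.reason}")
```

Matching on file name alone is easy to evade by renaming, so in production the blocklist should key on vetted hashes and certificate details as well.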

Let us know your thoughts in the comments.
