BlackByte ransomware is using the “Bring Your Own Driver” technique to exploit an MSI Afterburner RTCore64.sys driver error, which is tracked as CVE-2019-16098. The flaw is a privilege escalation and code execution flaw.
Exploiting the security issue enabled BlackByte to disable drivers that prevent multiple endpoints from being detected and response (EDR) and antivirus products from performing their normal function.
Security experts from Sophos explained that the attacker provides MSI graphics drivers with I/O control codes that are directly accessible through user-mode processes and violate Microsoft’s security guidelines on kernel memory access security guidelines, allowing attackers to read, write, or execute code in kernel memory without using shellcode or exploit.
Some of the methods that the ransomware uses to evade detection, include searching for clues to a debugger that runs on the target system and quitting, and checking for a list of hooking DLLs that are used by Avast, Sandboxie, Windows DbgHelp Library, and Comodo Internet Security, and terminates its execution if it is found.
To protect against this threat, system administrators can add the respective MSI driver to an active blocklist. Additionally, administrators should monitor and regularly check all driver installation events to find any rogue injections that do not match the hardware.
The sources for this piece include an article in BleepingComputer.
