BlackByte ransomware exploit legit driver using BYOD technique

Share post:

BlackByte ransomware is using the “Bring Your Own Driver” technique to exploit an MSI Afterburner RTCore64.sys driver error, which is tracked as CVE-2019-16098. The flaw is a privilege escalation and code execution flaw.

Exploiting the security issue enabled BlackByte to disable drivers that prevent multiple endpoints from being detected and response (EDR) and antivirus products from performing their normal function.

Security experts from Sophos explained that the attacker provides MSI graphics drivers with I/O control codes that are directly accessible through user-mode processes and violate Microsoft’s security guidelines on kernel memory access security guidelines, allowing attackers to read, write, or execute code in kernel memory without using shellcode or exploit.

Some of the methods that the ransomware uses to evade detection, include searching for clues to a debugger that runs on the target system and quitting, and checking for a list of hooking DLLs that are used by Avast, Sandboxie, Windows DbgHelp Library, and Comodo Internet Security, and terminates its execution if it is found.

To protect against this threat, system administrators can add the respective MSI driver to an active blocklist. Additionally, administrators should monitor and regularly check all driver installation events to find any rogue injections that do not match the hardware.

The sources for this piece include an article in BleepingComputer.

SUBSCRIBE NOW

Related articles

DOGE’s Teen Hacker Stirs Concern Over Musk Team’s Access to Federal Databases

A 19-year-old named Edward “Big Balls” Coristine has raised red flags after Wired revealed he holds a key...

Deep Seek and Open Source AI – Without the Hype: Discussion with Robert Falzon, Head of Engineering, Check Point

DeepSeek AI is shaking up the cybersecurity world—are we prepared for the risks? Join host Jim Love and...

Researchers Jailbreak DeepSeek AI, Expose System Prompt and Raise Security Concerns

Security researchers at Wallarm have successfully jailbroken DeepSeek, a recently released open-source AI model from China. The jailbreak...

New SMS Phishing Scam Targets U.S. Toll Road Users with Fake Payment Alerts

Brian Krebs of the Krebs on Security blog did a big piece leading with how residents across the...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways