BlackByte ransomware has been spotted using a new sophisticated “Bring Your Own Driver” technique to disable security products.
On Tuesday Sophos announced that BlackByte, one of the newer “heavy-hitter” ransomware gangs, has used a new technique to bypass more than 1,000 drivers that Endpoint Detection and Response (EDR) products across the industry rely on.
Recent attacks attributed to this group involved a version of the MSI Afterburner RTCore64.sys driver, which is vulnerable to a privilege escalation and code execution flaw tracked as CVE-2019-16098.
The US government had already issued an advisory on BlackByte ransomware in February 2022, stating that it poses a serious threat to critical infrastructure.
BlackByte exploits the security flaw to disable the drivers that multiple endpoint detection and response (EDR) and antivirus products depend on, preventing those products from operating normally.
This enabled it to communicate directly with a victim system’s kernel and issue commands to disable callback routines used by EDR tools.
“If you think of computers as a fortress, for many EDR providers, ETW is the guard at the front gate. If the guard goes down, then that leaves the rest of the system extremely vulnerable. And, because ETW is used by so many different providers, BlackByte’s pool of potential targets for deploying this EDR bypass is enormous,” commented Christopher Budd, senior manager, threat research, Sophos.
Two notable recent examples of Bring Your Own Driver attacks include Lazarus abusing a buggy Dell driver and unknown hackers abusing an anti-cheat driver/module for the Genshin Impact game.
BlackByte is not the only ransomware group using these advanced techniques to get around existing detection tools, illustrating the continued arms race between attackers and defenders. AvosLocker used a similar method in May, Sophos said.
The BlackByte malware also checks for a list of hooking DLLs used by Avast, Sandboxie, Windows DbgHelp Library, and Comodo Internet Security, and terminates its execution if found.
You can protect your system against BlackByte’s new EDR-bypassing trick by adding the particular MSI driver to an active driver blocklist.
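As an added example (not code from the article or from the Sophos report), the following PowerShell script gives a defender a quick way to act on that advice: it checks a Windows host for the MSI Afterburner RTCore64.sys driver named above, reporting whether it is registered with the Service Control Manager, currently loaded, or present on disk, prints SHA-256 hashes so they can be compared against a blocklist, and reads the state of the Windows vulnerable-driver blocklist. The driver name comes from the article; the registry location of the blocklist toggle and the search roots are assumptions and should be verified on your build. Run it from an elevated PowerShell session.

```powershell
# Added example: hunt for the RTCore64.sys driver referenced in the article and report
# the state of the Windows vulnerable-driver blocklist. Not part of the original article.

$SuspectDriverNames = @('RTCore64.sys')   # name taken from the article; add others as required

function Resolve-DriverPath {
    param([string]$PathName)
    # Service image paths come in NT form (\??\C:\... or \SystemRoot\...); map them to Win32 paths
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-RegisteredSuspectDriver {
    param([string[]]$Names)
    # Win32_SystemDriver lists every kernel driver registered as a service, loaded or not
    Get-CimInstance -ClassName Win32_SystemDriver | Where-Object {
        $path = $_.PathName
        $path -and ($Names | Where-Object { $path -like "*\$_" })
    } | ForEach-Object {
        $resolved = Resolve-DriverPath -PathName $_.PathName
        [pscustomobject]@{
            Source    = 'SCM'
            Name      = $_.Name
            Path      = $resolved
            State     = $_.State        # 'Running' means the driver is loaded right now
            StartMode = $_.StartMode
            SHA256    = if (Test-Path -LiteralPath $resolved) {
                            (Get-FileHash -LiteralPath $resolved -Algorithm SHA256).Hash
                        } else { $null }
        }
    }
}

function Get-OnDiskSuspectDriver {
    param([string[]]$Names, [string[]]$Roots)
    # A copy dropped to disk but not yet registered as a service is still worth knowing about
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Include $Names -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Source    = 'Disk'
                    Name      = $_.Name
                    Path      = $_.FullName
                    State     = 'n/a'
                    StartMode = 'n/a'
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

function Get-VulnerableDriverBlocklistState {
    # Assumed location of the Windows vulnerable-driver blocklist toggle (1 = enabled).
    # Older builds do not have it, in which case $null is returned.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    try {
        (Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' -ErrorAction Stop).VulnerableDriverBlocklistEnable
    } catch {
        $null
    }
}

# Search roots are an assumption: the system driver store plus both Program Files trees
$roots = @("$env:SystemRoot\System32\drivers", $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
         Where-Object { $_ }

$findings = @(Get-RegisteredSuspectDriver -Names $SuspectDriverNames) +
            @(Get-OnDiskSuspectDriver -Names $SuspectDriverNames -Roots $roots)

if ($findings.Count -eq 0) {
    Write-Output "No suspect driver found (names checked: $($SuspectDriverNames -join ', '))."
} else {
    Write-Output "Suspect driver(s) found; compare the SHA256 values against your blocklist:"
    $findings | Format-Table -AutoSize
}

switch (Get-VulnerableDriverBlocklistState) {
    1       { Write-Output 'Windows vulnerable-driver blocklist: enabled' }
    $null   { Write-Output 'Windows vulnerable-driver blocklist: setting not present on this build' }
    default { Write-Output "Windows vulnerable-driver blocklist: disabled (value $_)" }
}
```

A hit with State set to Running means the vulnerable driver is loaded in the kernel now and should be treated as an incident rather than a hygiene finding; a hit only under Disk means the file exists but has not been registered, which is the point at which an application-control deny rule or the Windows blocklist should stop it from ever loading.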