This devious malware is able to disable your antivirus
Threat actors have found a way to disable antivirus solutions and other endpoint security tools using an increasingly popular method.
Cybersecurity researchers at Sophos recently detailed how the method, known as Bring Your Own Vulnerable Driver, works and the dangers it poses to businesses around the world.
According to the company’s investigation, BlackByte ransomware operators are exploiting a vulnerability tracked as CVE-2019-16098. It is found in RTCore64.sys and RTCore32.sys, drivers used by Micro-Star’s MSI AfterBurner 4.6.2.15658. Afterburner is an overclocking utility for GPUs that gives users more control over the hardware.
Block the drivers
The vulnerability could allow authenticated users to read and write arbitrary memory, leading to privilege escalation, code execution, and data theft. In this case, BlackByte used it to disable more than 1,000 drivers that security products rely on.
“There’s a good chance they’ll continue to abuse legitimate drivers to bypass security products,” Sophos said in a blog post outlining the threat.
To protect against this attack method, Sophos suggests that IT administrators add these specific MSI drivers to an active block list and prevent them from running on their endpoints. In addition, they should keep a close eye on all drivers installed on their devices and regularly check the endpoints for rogue drivers that have no matching hardware.
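The monitoring step above can be scripted. The following PowerShell is an added example, not code from the article or from Sophos: it inventories the kernel drivers registered on a Windows endpoint, flags any whose file name appears on a block list, and records the signer and SHA-256 hash of each hit so the finding can be cross-checked against vendor advisories. The block list contains only the two MSI Afterburner driver names the article mentions (RTCore64.sys and RTCore32.sys); the function names and the list itself are this example's own and are meant to be extended.

```powershell
# Added example (not from the article or Sophos): find block-listed kernel drivers
# registered on this host. Run from an elevated PowerShell session.

# Constructed block list: only the two driver names named in the article.
$BlockedDriverNames = @('RTCore64.sys', 'RTCore32.sys')

function Get-DriverInventory {
    # Win32_SystemDriver lists kernel-mode drivers registered as services,
    # including stopped ones; PathName is the on-disk image.
    Get-CimInstance -ClassName Win32_SystemDriver |
        ForEach-Object {
            # Some entries carry a \??\ prefix; strip it so Test-Path works.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            [PSCustomObject]@{
                Name      = $_.Name
                FileName  = if ($path) { [System.IO.Path]::GetFileName($path) } else { $null }
                Path      = $path
                State     = $_.State
                StartMode = $_.StartMode
            }
        }
}

function Find-BlockedDrivers {
    param(
        [Parameter(Mandatory)] [string[]] $BlockList,
        [Parameter(Mandatory)] [object[]] $Inventory
    )
    foreach ($driver in $Inventory) {
        # -contains on a string array is case-insensitive in PowerShell.
        if ($driver.FileName -and ($BlockList -contains $driver.FileName)) {
            $onDisk = $driver.Path -and (Test-Path -LiteralPath $driver.Path)
            # Signature and hash let you tie the hit to a vendor advisory and
            # feed it into an allow/deny policy.
            $sig  = if ($onDisk) { Get-AuthenticodeSignature -FilePath $driver.Path } else { $null }
            $hash = if ($onDisk) { (Get-FileHash -LiteralPath $driver.Path -Algorithm SHA256).Hash } else { $null }
            [PSCustomObject]@{
                Name      = $driver.Name
                Path      = $driver.Path
                State     = $driver.State
                StartMode = $driver.StartMode
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned or file missing' }
                SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
                SHA256    = $hash
            }
        }
    }
}

$findings = Find-BlockedDrivers -BlockList $BlockedDriverNames -Inventory (Get-DriverInventory)
if ($findings) {
    Write-Warning "Block-listed driver(s) registered on $($env:COMPUTERNAME):"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No block-listed drivers registered on $($env:COMPUTERNAME)."
}
```

This only sees drivers that are still registered as services; a driver that was loaded once and then unregistered will not appear, so pair the inventory with driver-load telemetry (for example Sysmon event ID 6) and enforce the block with a driver control policy such as WDAC or Microsoft's vulnerable driver blocklist rather than relying on the inventory alone.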
Bring Your Own Vulnerable Driver may be a new method, but its popularity is growing rapidly. Earlier this week, the notorious North Korean state-sponsored threat actor Lazarus Group was spotted using the same technique against Dell. Cybersecurity researchers at ESET recently saw the group approach space experts and political journalists in Europe with fake Amazon job listings. They would share fake job description PDFs, which are essentially old, vulnerable Dell drivers.
What makes this technique particularly dangerous is the fact that these drivers are not necessarily malicious and are not flagged as such by antivirus solutions.
Via: BleepingComputer