BlackByte ransomware uses new EDR evasion technique

Attackers deploying the BlackByte ransomware strain are using vulnerable drivers to target a part of the operating system that many security products rely on for protection.

Operators behind BlackByte ransomware developed an advanced technique to bypass security products, according to new research.

In a blog post last week, Sophos threat researcher Andreas Klopsch detailed the new evasion tactic that disables endpoint detection and response (EDR) tools by exploiting a known privilege escalation and code execution vulnerability in a driver called RTCore64.sys. The video driver is used by Micro-Star's MSI AfterBurner 4.6.2.15658, an overclocking tool that gives users extended control over graphic cards.

Operators of BlackByte ransomware, which has been active since 2021, are leveraging the RTCore64.sys vulnerability, tracked as CVE-2019-16098, to target a portion of the Windows OS that guards EDR security products. Sophos noted that no shellcode or exploit is required to abuse the vulnerability.

"Furthermore, we have also identified routines to deactivate the ETW (Event Tracing for Windows) Microsoft-Windows-Threat-Intelligence provider, a feature that provides logs about the use of commonly abused API calls such as NtReadVirtualMemory to inject into another process's memory," Klopsch wrote in the blog post. "This renders every security feature that relies on this provider useless."

The attack technique, which Sophos dubbed "Bring Your Own Driver" (BYOD), can be used against a list of 1,000 drivers and leverages known vulnerabilities to bypass threat detection productors. Sophos noted other recent examples of this technique, including an AvosLocker attack that weaponized an Avast anti-rootkit driver.

During the threat team's analysis, Sophos researchers found multiple similarities between the open-source tool "EDRSandblast" and the BlackByte EDR bypass method. Klopsch described EDRSandblast as "a tool written in C to weaponize vulnerable signed drivers to bypass EDR detections via various methods." Based on these findings, Sophos concluded that BlackByte threat actors "copied code snippets from the open-source tool and reimplemented into the ransomware."

Commonalities included nearly identical functions and a list of known drivers related to security software.

"If we decrypt the kernel offset list from BlackByte, it is almost if not completely identical to the list in the GitHub repository, except that the CSV file header is missing," Klopsch wrote.

Christopher Budd, senior manager of threat research at Sophos, told TechTarget Editorial that the infosec industry should be aware of the attack vector because BlackByte operators are not targeting one specific security vendor. Instead, he described it as a situation where their approach is high level enough, from an architectural standpoint, that it can be applied against any number of security products.

Additionally, obtaining the drivers is not difficult. Budd said threat actors can simply download them from a manufacturer's website.

"Drivers are ubiquitous," Budd said. "Once vulnerable drivers are known to be vulnerable and are patched, the majority of vendors will remove the vulnerable one, so that closes that avenue to you. But these things circulate."

While Sophos has observed the tactic being exploited in the wild, Budd said it is not widespread. However, his primary concern is on its broad applicability. Another concern, Budd said, is the level of sophistication demonstrated since the technique represents someone who understands how operating system kernels work.

"More importantly, [they understand] how security software, how EDR are relying collectively on the same single critical API capability within the operating system," Budd said.

BlackByte ransomware on the rise

Recently, Sophos has observed increased levels of BlackByte activity. Budd said the ransomware-as-a-service entity, which prompted a government-issued alert to critical infrastructures in February, has risen on the Sophos's radar.

"Now that the actors behind BlackByte ransomware and this sophisticated technique are back from a brief hiatus, chances are good that they will continue abusing legitimate drivers to bypass security products," Klopsch wrote in the blog post.

One positive highlighted in the blog is that threat actors rarely deploy legitimate drivers with zero-day vulnerabilities, so patching can mitigate the attack technique. However, Budd warned that since it's a BYOD attack, one challenge is essentially the threat actor bringing the vulnerable driver along with the rest of the malware.

"It's going to drop it and load it, then exploit it," Budd said. "There's really two things here. First, you want to keep your drivers up to date, but you also want to keep malware off the system."

Sophos recommended keeping track of security alerts so organizations can stay up to date on which legitimate drivers are currently being exploited by threat actors. Additionally, the blog noted it's important to always keep track of the drivers installed on an operating system.

Next Steps

How to prevent and mitigate process injection

Dig Deeper on Network security