A ransomware gang is installing a vulnerable GIGABYTE driver on the computers it wants to infect. The driver lets the attackers disable security products so that their ransomware executable can encrypt files without being detected or stopped.
This novel technique has been observed in two ransomware incidents so far, according to Sophos.
In both cases the ransomware was RobbinHood, a "big game" ransomware strain commonly used in targeted attacks against selected high-value targets.
In a published report, Sophos describes the technique as follows:
- The attackers install the legitimate Gigabyte kernel driver GDRV.SYS.
- The attackers exploit a vulnerability in this driver to gain kernel-level access.
- The attackers use that kernel access to temporarily disable Windows driver signature enforcement.
- The attackers install a malicious kernel driver named RBNL.SYS.
- The attackers use this driver to disable or terminate antivirus programs and other security products running on the infected host.
- The attackers execute the RobbinHood ransomware and encrypt the victim's files.
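As an added illustration of what the sequence above looks like in endpoint telemetry (this code is not from the Sophos report or any vendor product), the following Python flags Sysmon DriverLoad records that match it; the sample events, the file paths and the ten-minute correlation window are assumptions constructed for this example.

```python
"""Flag the driver-load sequence described above in Sysmon DriverLoad (Event ID 6) records."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Driver names come from the report; the correlation window is an assumption for this example.
VULNERABLE_DRIVERS = {"gdrv.sys"}
KNOWN_MALICIOUS_DRIVERS = {"rbnl.sys"}
WINDOW = timedelta(minutes=10)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def analyze(events):
    """Return (rule, driver) findings in time order.

    'vulnerable-driver-load'        a known-vulnerable legitimate driver was loaded
    'known-malicious-driver'        a driver the report names as malicious was loaded
    'post-vulnerable-unsigned-load' an unsigned or invalidly signed driver loaded within
                                    WINDOW after a vulnerable driver, which is what a
                                    successful signature-enforcement bypass looks like
    """
    findings, last_vuln_load = [], None
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        name = PureWindowsPath(ev["ImageLoaded"]).name.lower()
        t = parse_time(ev["UtcTime"])
        if name in VULNERABLE_DRIVERS:
            findings.append(("vulnerable-driver-load", name))
            last_vuln_load = t
        if name in KNOWN_MALICIOUS_DRIVERS:
            findings.append(("known-malicious-driver", name))
        signed_ok = ev.get("Signed", "false").lower() == "true" and ev.get("SignatureStatus") == "Valid"
        if not signed_ok and last_vuln_load is not None and t - last_vuln_load <= WINDOW:
            findings.append(("post-vulnerable-unsigned-load", name))
    return findings


# Constructed sample log: values are illustrative, not captured from a real incident.
SAMPLE_EVENTS = [
    {"UtcTime": "2020-02-07 09:50:00.000", "ImageLoaded": r"C:\Windows\System32\drivers\netio.sys",
     "Signed": "true", "SignatureStatus": "Valid"},         # ordinary signed driver, no finding
    {"UtcTime": "2020-02-07 09:58:00.000", "ImageLoaded": r"C:\Windows\Temp\gdrv.sys",
     "Signed": "true", "SignatureStatus": "Valid"},         # legitimate but vulnerable, validly signed
    {"UtcTime": "2020-02-07 09:59:30.000", "ImageLoaded": r"C:\Windows\Temp\rbnl.sys",
     "Signed": "false", "SignatureStatus": "Unavailable"},  # unsigned driver right after gdrv.sys
]

if __name__ == "__main__":
    for rule, driver in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {driver}")
```

Because the signature on GDRV.SYS is still valid, a purely signature-based check never fires on it; the name list and the load-order correlation are what make the sequence visible.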
Sophos reports that this antivirus bypass works on Windows 7, Windows 8 and Windows 10.
The technique works because of how the vulnerability in the Gigabyte driver was handled, which left a gap for attackers to exploit.
Two parties share the blame for this situation: first Gigabyte, then Verisign.
Gigabyte's fault lies in the unprofessional way it handled the report of the driver vulnerability. Instead of acknowledging the problem and releasing a patch, Gigabyte claimed that its products were unaffected.
The company's outright refusal to acknowledge the vulnerability led the researchers who found the bug to publish details of it, along with proof-of-concept code to reproduce the vulnerability. Publishing the code gave attackers a roadmap for exploiting the Gigabyte driver.
When public pressure mounted on the company to fix the driver, Gigabyte opted to discontinue the driver instead of releasing a patch.
But even if Gigabyte had released a patch, attackers could simply use an older, vulnerable version of the driver. In that case the driver's signing certificate should have been revoked, so that older releases of the driver could no longer be loaded.
"Verisign, whose code signing mechanism was used to digitally sign the driver, has not revoked the signing certificate, so the Authenticode signature remains valid," Sophos researchers said, explaining why it is still possible today to load a discontinued and well-known vulnerable driver on Windows.
But if past experience with cybercriminals is any guide, most of them copy successful techniques, so other ransomware gangs are expected to incorporate this trick into their arsenals, leading to more attacks.