
Malware That Deactivates Antivirus Software

Threat actors have found a way to disable antivirus software and other endpoint security products through an increasingly common technique. Sophos researchers recently described how the technique, called "Bring Your Own Vulnerable Driver" (BYOVD), works and what risk it poses to businesses around the world.

Sophos' research

Sophos' research indicates that BlackByte is leveraging the CVE-2019-16098 vulnerability to spread ransomware. The vulnerable drivers ship with MSI AfterBurner 4.6.2.15658 from Micro-Star: RTCore64.sys and RTCore32.sys. For those unaware, AfterBurner is a GPU overclocking tool that gives customers additional control over their hardware.

The flaw lets any authenticated user read and write arbitrary memory, which can result in privilege escalation, code execution, and data theft. In this case, BlackByte used it to deactivate more than 1,000 drivers required for the operation of security products. In a blog post describing the issue, Sophos stated, "Chances are good that they will continue abusing legitimate drivers to bypass security products."

To defend against this technique, Sophos advises IT admins to add these specific MSI drivers to an active blocklist and confirm they are not running on any endpoint. Admins should also keep a close eye on the drivers installed on their devices and routinely audit endpoints for rogue drivers that don't match the hardware.
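One way to carry out the inventory and blocklist check that Sophos recommends, as an added example that is not taken from the article or from Sophos: a PowerShell audit that lists every registered kernel driver, flags the two MSI driver file names named above (plus any SHA-256 hashes you add to the list; the hash entry below is a placeholder), and reports signer and signature status for the remaining drivers so that unfamiliar ones can be reviewed against the hardware actually present. Names, paths and list contents are this example's assumptions.

```powershell
# Added example, not code from the article or Sophos.
# Reporting only: enforcement (e.g. a WDAC policy or your EDR's driver blocklist)
# is a separate step.

# Blocklist by file name: the two MSI AfterBurner drivers named in the article.
$BlockedNames = @('RTCore64.sys', 'RTCore32.sys')
# Blocklist by SHA-256. Placeholder: fill from your own vetted reference data.
$BlockedHashes = @(
    # '<SHA256-OF-KNOWN-VULNERABLE-DRIVER-BUILD>'
)

function Get-InstalledKernelDrivers {
    # Every driver registered as a service, running or not.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may carry \??\ or \SystemRoot\ prefixes, or be relative
            # to the Windows directory; normalise so the file can be opened.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            [pscustomobject]@{
                Name     = $_.Name
                State    = $_.State
                Path     = $path
                FileName = [System.IO.Path]::GetFileName($path)
            }
        }
}

function Test-DriverAgainstBlocklist {
    param([Parameter(ValueFromPipeline)] $Driver)
    process {
        # -contains is case-insensitive, so rtcore64.sys also matches.
        $hit  = $BlockedNames -contains $Driver.FileName
        $hash = $null
        $sig  = $null
        if (Test-Path -LiteralPath $Driver.Path) {
            $hash = (Get-FileHash -LiteralPath $Driver.Path -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -LiteralPath $Driver.Path
            if ($BlockedHashes -contains $hash) { $hit = $true }
        }
        [pscustomobject]@{
            Name      = $Driver.Name
            File      = $Driver.FileName
            State     = $Driver.State
            Blocked   = $hit
            SHA256    = $hash
            Signer    = $sig.SignerCertificate.Subject
            SigStatus = $sig.Status
        }
    }
}

$report = Get-InstalledKernelDrivers | Test-DriverAgainstBlocklist

"== Blocklisted drivers present on this endpoint =="
$report | Where-Object Blocked | Format-Table Name, File, State, SHA256 -AutoSize

# The rest is the periodic audit the article recommends. A valid signature is
# not a verdict: the MSI drivers are legitimately signed, so review signers you
# do not recognise and drivers with no matching hardware on the machine.
"== All other drivers, grouped by signer, for review =="
$report | Where-Object { -not $_.Blocked } |
    Sort-Object Signer, Name |
    Format-Table Name, File, State, Signer, SigStatus -AutoSize
```

Run it from an elevated PowerShell session so every driver file is readable. The script only reports; a driver that appears in the first table should be stopped and blocked through whatever enforcement mechanism the environment already uses, and the hash list should be maintained from trusted reference data rather than from the endpoint being audited.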

More details

Bring Your Own Vulnerable Driver is a relatively new technique, but interest in it is growing quickly. The infamous Lazarus Group, a well-known North Korean state-sponsored threat actor, used a similar method involving a Dell driver earlier this week. ESET's researchers recently observed the group approaching political journalists and aerospace experts in Europe with fake employment offers from Amazon. For that, they shared fake job description PDFs, which are essentially outdated and vulnerable Dell drivers. This method is particularly risky because antivirus programs do not detect these drivers: they are not harmful in and of themselves.

By Omal J

I worked for both print and electronic media as a feature journalist. Writing, traveling, and DIY sum up my life.
