BlackByte hijacks EDR solutions with “Bring Your Own Driver” principle

SophosNews

Share post

The security specialists from Sophos uncovered a new scam by the relatively young ransomware gang BlackByte. These use the "Bring Your Own Driver" principle to bypass more than 1.000 drivers used in Endpoint Detection and Response (EDR) solutions industry-wide. Sophos describes the attack tactics, techniques and procedures (TTPs) in the new report “Remove all the Callbacks – BlackByte Ransomware Disables EDR via RTCore64.sys Abuse”.

BlackByte, which was identified as a critical infrastructure threat in a special report by the Secret Service and FBI earlier this year, reemerged in May after a brief hiatus with a new leak site and new extortion tactics. Now the group has apparently also developed new attack methods.

Vulnerability allows EDR deactivation

Specifically, they exploit a vulnerability in RTCorec6.sys, a graphics driver for Windows systems. This particular vulnerability allows them to communicate directly with the target system's kernel and command it to disable the callback routines used by EDR providers, as well as the ETW (Event Tracing for Windows) provider called Microsoft-Windows-Threat-Intelligence . EDR providers use this feature to monitor the use of commonly maliciously abused API calls. Once this feature is disabled, EDR built on top of this feature will also be disabled. Sophos products offer protection against the attack tactics described.

“If you think of computers as a fortress, ETW is the guard at the front gate for many EDR providers. If the guard fails, the rest of the system is extremely vulnerable. And since ETW is used by many vendors, the pool of potential targets for BlackByte is enormous,” commented Chester Wisniewski, Principal Research Scientist, Sophos.

BlackByte ransomware group

BlackByte is not the only ransomware group using Bring Your Own Driver to bypass security solutions. In May, AvosLocker exploited a vulnerability in another driver to disable antivirus solutions.

“In retrospect, it appears that EDR evasion is becoming an increasingly popular technique for ransomware groups, which is not surprising. Threat actors often use tools and techniques developed by “offensive security” to launch attacks faster and with minimal effort. In fact, BlackByte appears to have inherited at least part of its EDR bypass implementation from the open-source tool EDRSandblast,” comments Wisniewski. “Given that cybercriminals are adapting security industry technologies, it is crucial for defenders to monitor new evasion and exploitation techniques and implement countermeasures before these techniques become widespread in the cybercrime scene.

More at Sophos.com

 


About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.


 

Matching articles on the topic

Companies spend 10 billion euros on cybersecurity

Germany is arming itself against cyber attacks and is investing more than ever in IT and cyber security. In the current year the ➡ Read more

Qakbot remains dangerous

Sophos X-Ops has discovered and analyzed a new variant of the Qakbot malware. These cases first appeared in mid-December and they ➡ Read more

VexTrio: most malicious DNS threat actor identified

A DNS management and security provider has exposed and blocked VexTrio, a complex criminal affiliate program. This increases cybersecurity. ➡ Read more

Ransomware-resistant WORM archives for data backup 

A data archive is a must for every company. Few people know: An active WORM archive can help to streamline data backup, ➡ Read more

A comeback from Lockbit is likely

It is fundamentally important for Lockbit to be visible again quickly. Victims are presumably less willing to pay as long as there are rumors ➡ Read more

LockBit is alive

A few days ago, international law enforcement authorities scored a decisive blow against Lockbit. According to a comment from Chester Wisniewski, Director, Global ➡ Read more

Cyber ​​danger Raspberry Robin

A leading provider of an AI-powered, cloud-delivered cybersecurity platform warns about Raspberry Robin. The malware was first released in the year ➡ Read more

New scam Deep Fake Boss

Unlike classic scams such as the email-based boss scam, the Deep Fake Boss method uses high-tech manipulation ➡ Read more