The security specialists from Sophos uncovered a new scam by the relatively young ransomware gang BlackByte. These use the "Bring Your Own Driver" principle to bypass more than 1.000 drivers used in Endpoint Detection and Response (EDR) solutions industry-wide. Sophos describes the attack tactics, techniques and procedures (TTPs) in the new report “Remove all the Callbacks – BlackByte Ransomware Disables EDR via RTCore64.sys Abuse”.
BlackByte, which was identified as a critical infrastructure threat in a special report by the Secret Service and FBI earlier this year, reemerged in May after a brief hiatus with a new leak site and new extortion tactics. Now the group has apparently also developed new attack methods.
Vulnerability allows EDR deactivation
Specifically, they exploit a vulnerability in RTCorec6.sys, a graphics driver for Windows systems. This particular vulnerability allows them to communicate directly with the target system's kernel and command it to disable the callback routines used by EDR providers, as well as the ETW (Event Tracing for Windows) provider called Microsoft-Windows-Threat-Intelligence . EDR providers use this feature to monitor the use of commonly maliciously abused API calls. Once this feature is disabled, EDR built on top of this feature will also be disabled. Sophos products offer protection against the attack tactics described.
“If you think of computers as a fortress, ETW is the guard at the front gate for many EDR providers. If the guard fails, the rest of the system is extremely vulnerable. And since ETW is used by many vendors, the pool of potential targets for BlackByte is enormous,” commented Chester Wisniewski, Principal Research Scientist, Sophos.
BlackByte ransomware group
BlackByte is not the only ransomware group using Bring Your Own Driver to bypass security solutions. In May, AvosLocker exploited a vulnerability in another driver to disable antivirus solutions.
“In retrospect, it appears that EDR evasion is becoming an increasingly popular technique for ransomware groups, which is not surprising. Threat actors often use tools and techniques developed by “offensive security” to launch attacks faster and with minimal effort. In fact, BlackByte appears to have inherited at least part of its EDR bypass implementation from the open-source tool EDRSandblast,” comments Wisniewski. “Given that cybercriminals are adapting security industry technologies, it is crucial for defenders to monitor new evasion and exploitation techniques and implement countermeasures before these techniques become widespread in the cybercrime scene.
More at Sophos.com
About Sophos More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.