Pierluigi Paganini February 08, 2020

The operators behind the infamous RobbinHood ransomware are exploiting a vulnerable GIGABYTE driver to kill antivirus products.

Cybercriminals behind the RobbinHood Ransomware are exploiting a vulnerable GIGABYTE driver to install a malicious and unsigned driver into Windows with the intent of disabling security products.

Ransomware operators leverage a custom antivirus killing package that is delivered to workstations to disable security solution before starting encryption.

Normally, Windows security software processes could only be killed by Kernel drivers. In order to prevent the abuse of kernel drivers, Microsoft also implements a driver signature verification mechanism, this means that only kernel drivers co-signed by Microsoft could be installed.

Now security researchers from Sophos have detailed a new novel technique implemented by threat actors in attacks ([1, 2]) involving two pieces of RobbinHood ransomware.

Attackers installed a known vulnerable GIGABYTE driver that has been cosigned by Microsoft and exploited a known vulnerability to disable Microsoft’s driver signature enforcement feature.

“Sophos has been investigating two different ransomware attacks where the adversaries deployed a legitimate, digitally signed hardware driver in order to delete security products from the targeted computers just prior to performing the destructive file encryption portion of the attack.” reads the report published by Sophos. “The signed driver, part of a now-deprecated software package published by Taiwan-based motherboard manufacturer Gigabyte, has a known vulnerability, tracked as CVE-2018-19320.”

The technique used by the operators consists in:

1. Attackers get a foothold on the target’s network and install legitimate Gigabyte kernel driver GDRV.SYS.
2. Attackers exploit the CVE-2018-19320 vulnerability in the legitimate driver to gain kernel access.
3. Attackers use the kernel access to temporarily disable the Windows OS driver signature enforcement and install a malicious kernel driver named RBNL.SYS.
4. Attackers use this driver to disable security products.
5. Attackers execute the RobbinHood ransomware and attempt to encrypt the files on the infected host.

“In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows,” continues the Sophos’ report. “This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference.”

In the attacks observed by Sophos, the operators deployed an executable named Steel.exe that exploit the CORE-2018-0007 vulnerability in the GIGABYTE gdrv.sys driver.

Experts pointed out that the Steel.exe program terminates processes whose files are included in a file called PLIST.TXT, unfortunately Sophos had mo access to the file and it is not able to determine what security solutions are being targeted.

Once the Steel.exe has terminated security software, the RobbinHood ransomware will encrypt files on the infected systems.

Technical details about the attacks are reported in the report published by Sophos, including Indicators of Compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – RobbinHood ransomware, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]