Ransomware operators leverage a custom antivirus killing p
Normally, Windows security software processes could only be killed by Kernel drivers. In order to prevent the abuse of kernel drivers, Microsoft also implements a driver signature verification mechanism, this means that only kernel drivers co-signed by Microsoft could be installed.
Attackers installed a known vulnerable GIGABYTE driver that has been cosigned by Microsoft and exploited a known vulnerability to disable Microsoft’s driver signature enforcement feature.
“Sophos has been investigating two different ransomware attacks where the adversaries deployed a legitimate, digitally signed hardware driver in order to delete security products from the targeted computers just prior to performing the destructive file encryption portion of the attack.” reads the report published by Sophos. “The signed driver, part of a now-deprecated software package published by Taiwan-based motherboard manufacturer Gigabyte, has a known vulnerability, tracked as CVE-2018-19320.”
The technique used by the operators consists in:
“In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows,” continues the Sophos’ report. “This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference.”
In the attacks observed by Sophos, the operators deployed an executable named Steel.exe that exploit the CORE-2018-0007 vulnerability in the GIGABYTE gdrv.sys driver.
Once the Steel.exe has terminated security software, the
Technical details about the attacks are reported in the report p