Ransomware operators leverage a custom antivirus killing p
Normally, Windows security software processes could only be killed by Kernel drivers. In order to prevent the abuse of kernel drivers, Microsoft also implements a driver signature verification mechanism, this means that only kernel drivers co-signed by Microsoft could be installed.
Attackers installed a known vulnerable GIGABYTE driver that has been cosigned by Microsoft and exploited a known vulnerability to disable Microsoft’s driver signature enforcement feature.
“Sophos has been investigating two different ransomware attacks where the adversaries deployed a legitimate, digitally signed hardware driver in order to delete security products from the targeted computers just prior to performing the destructive file encryption portion of the attack.” reads the report published by Sophos. “The signed driver, part of a now-deprecated software package published by Taiwan-based motherboard manufacturer Gigabyte, has a known vulnerability, tracked as CVE-2018-19320.”
The technique used by the operators consists in:
“In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows,” continues the Sophos’ report. “This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference.”
In the attacks observed by Sophos, the operators deployed an executable named Steel.exe that exploit the CORE-2018-0007 vulnerability in the GIGABYTE gdrv.sys driver.
Once the Steel.exe has terminated security software, the
Technical details about the attacks are reported in the report p
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.