This devious malware is able to disable your antivirus
Hackers have found a way to disable a victim’s antivirus
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Threat actors have found a way to disableantivirussolutions and otherendpointprotection tools using an increasingly popular method.
Cybersecurity researchers from Sophos recently detailed how the method, known as called Bring Your Own Vulnerable Driver, works, and the dangers it brings to businesses around the world.
According to the company’s research,ransomwareoperators BlackByte are abusing a vulnerability tracked as CVE-2019-16098. It is found in RTCore64.sys and RTCore32.sys, drivers used by Micro-Star’sMSIAfterBurner 4.6.2.15658. Afterburner is an overclocking utility for GPUs, that gives users more control over the hardware.
Blocking the drivers
The vulnerability allows authenticated users to read and write to arbitrary memory, consequently leading to privilege escalation, code execution, and data theft - and in this case, helped BlackByte disable more than 1,000 drivers that security products need to run.
“Chances are good that they will continue abusing legitimate drivers to bypass security products,” Sophos said in ablog postoutlining the threat.
To protect against this new attack method, Sophos suggests IT admins add these particular MSI drivers to an active blocklist and make sure they aren’t running on their endpoints. Furthermore, they should keep a close eye on all drivers being installed on their devices, and audit the endpoints regularly to look for rogue injections without a hardware match.
Installing gaming drivers might leave your PC vulnerable to cyberattacks>Lazarus hackers target Dell drivers with new rootkit>Protect from threats with the best malware removal solutions
Bring Your Own Vulnerable Driver might be a new method, but its popularity is rising, fast. Earlier this week, a notorious North Korean state-sponsored threat actor Lazarus Group was observed using the same technique againstDell. Cybersecurity researchers from ESET have recently seen the group approach aerospace experts and political journalists in Europe with fake job offers fromAmazon. They would share fake job description pdfs, which are essentially old, vulnerable Dell drivers.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
What makes this technique particularly dangerous is the fact that these drivers aren’t malicious per se, and as such, are not flagged by antivirus solutions.
Via:BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Dangerous Android banking malware looks to trick victims with fake money transfers
Sophos Firewall hack on government network used an all-new custom malware
Watch out, Nvidia - new benchmarks suggest Apple M4 Ultra could beat the mighty RTX 4090
