‘Bring Your Own Vulnerable Driver’ - how to bypass security systems with the right driver file

October 21, 2022

In early October, Sophos security researchers published a report on a rather sophisticated technique that threat actors use to bypass security products. The method, attributed to the BlackByte ransomware group, abuses a legitimate kernel driver, RTCore64.sys, which ships with the popular graphics card tuning application MSI Afterburner. The driver carries a valid digital signature, so Windows loads it without objection. The ransomware drops the file into the victim’s ‘AppData\Roaming’ directory and registers it as a kernel service, which both loads the driver and gives the attacker persistence across reboots.

The driver contains a vulnerability, CVE-2019-16098, reported in the second half of 2019: its IOCTL interface lets any local user read and write arbitrary kernel memory, which is enough to escalate privileges and, ultimately, to run code with kernel privileges. BlackByte uses this read/write primitive to enumerate the drivers loaded in the kernel and compares their names with an embedded list of around 1,000 drivers belonging to AV/EDR products. For every match it locates the kernel notification callbacks that the security driver registered (the routines the kernel calls on events such as process creation) and removes them from the kernel’s callback lists. Deprived of those notifications, the security product no longer sees what is happening on the system, and the infected device is effectively unprotected.
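The defender’s side of this story is spotting a signed-but-vulnerable driver that has been installed as a service from an unusual location. The following check is an added example written for this page, not code from Sophos or from the BlackByte report: it takes service definitions in the shape of the values under HKLM\SYSTEM\CurrentControlSet\Services (Type, Start, ImagePath), normalises the several spellings ImagePath can take, and flags kernel drivers that are on a small name denylist, that live outside the system drivers directory, or that sit inside a user profile. The service entries, the victim path and the ‘TunerSvc’ driver are constructed for the example; only RTCore64.sys is on the denylist because it is the only driver the page discusses.

```python
"""Hunt for BYOVD-style driver services in Windows service definitions.

Input mirrors HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name> values.
All sample data below is constructed for this example; the RTCore64 entry
models the AppData\\Roaming placement described in the article.
"""
import re

SERVICE_KERNEL_DRIVER = 0x1  # Type value for a kernel-mode driver
SERVICE_FS_DRIVER = 0x2      # Type value for a file-system driver

# Drivers known to be abused as "bring your own vulnerable driver" loaders.
# Only the driver discussed on this page is listed; a real deployment should
# take its list (ideally by hash, since files get renamed) from Microsoft's
# vulnerable driver blocklist.
BYOVD_DRIVER_NAMES = {"rtcore64.sys"}

# Constructed service definitions for the example.
SAMPLE_SERVICES = [
    {"name": "disk", "Type": 1, "Start": 0,
     "ImagePath": r"System32\drivers\disk.sys"},
    {"name": "afd", "Type": 1, "Start": 1,
     "ImagePath": r"\SystemRoot\system32\drivers\afd.sys"},
    {"name": "Spooler", "Type": 0x10, "Start": 2,
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    {"name": "RTCore64", "Type": 1, "Start": 3,
     "ImagePath": r"\??\C:\Users\victim\AppData\Roaming\RTCore64.sys"},
    # Hypothetical driver dropped into a world-writable temp directory.
    {"name": "TunerSvc", "Type": 1, "Start": 1,
     "ImagePath": r"\??\C:\Windows\Temp\tuner64.sys"},
]


def normalize_image_path(image_path: str, system_root: str = r"C:\Windows") -> str:
    """Turn the many ImagePath spellings into one absolute, lower-case path."""
    p = image_path.strip().strip('"')
    # NT object-manager prefixes used by the service control manager.
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    # %SystemRoot% (environment form) and \SystemRoot (NT symlink form).
    p = re.sub(r"^%systemroot%", lambda _m: system_root, p, flags=re.IGNORECASE)
    p = re.sub(r"^\\systemroot", lambda _m: system_root, p, flags=re.IGNORECASE)
    if not re.match(r"^[a-zA-Z]:\\", p):
        # Relative paths such as "System32\drivers\disk.sys" are resolved
        # against the Windows directory.
        p = system_root + "\\" + p.lstrip("\\")
    return p.lower()


def audit_driver_services(services, system_root: str = r"C:\Windows"):
    """Return findings for driver services that look like BYOVD abuse."""
    drivers_dir = (system_root + "\\system32\\drivers\\").lower()
    findings = []
    for svc in services:
        if svc.get("Type") not in (SERVICE_KERNEL_DRIVER, SERVICE_FS_DRIVER):
            continue  # user-mode services are out of scope here
        path = normalize_image_path(svc["ImagePath"], system_root)
        file_name = path.rsplit("\\", 1)[-1]
        reasons = []
        if file_name in BYOVD_DRIVER_NAMES:
            reasons.append("known-abused driver: " + file_name)
        if not path.startswith(drivers_dir):
            reasons.append("driver outside the system drivers directory")
        if "\\users\\" in path:
            reasons.append("driver inside a user profile (user-writable)")
        if reasons:
            findings.append({"service": svc["name"], "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_driver_services(SAMPLE_SERVICES):
        print(finding["service"], finding["path"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

On a live host the same function can be fed from a registry export or from the output of Get-CimInstance Win32_SystemDriver; the name denylist is the weakest of the three checks, since the attacker controls the file name, so matching on the file hash against a maintained blocklist is the rule to rely on, with the location checks catching renamed copies.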


Source:

BlackByte ransomware abuses legit driver to disable security products
Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse

Published by: CERT EXATEL
