Ransomware uses vulnerable, signed driver to disable endpoint security

Ransomware-wielding attackers have devised a novel tactic for disabling security protections that might get in their way: they are using a deprecated, vulnerable but signed driver to deliver a malicious, unsigned one that allows them to kill processes and files belonging to Windows endpoint security products.

ransomware signed driver

Disabling security solutions

The tactic, as described by Sophos researchers, is used by attackers to deliver the RobbinHood ransomware – infamous for hitting the City of Baltimore and many other local government and municipal targets.

The vulnerable driver they are misusing was created by Taiwan-based motherboard manufacturer Gigabyte, found to be vulnerable in 2018 and later deprecated, but the signing certificate was never revoked (as other software was signed with it).

Sophos does not say how the attackers gained access to the targeted Windows machines, but once on it, they dropped an executable (STEEL.EXE) that consists of several additional files, which are extracted into Windows’s TEMP folder.

The STEEL.EXE application first deploys a driver installer (ROBNR.EXE), which deploys the benign, signed third-party driver (GDRV.SYS) and the criminals’ unsigned kernel driver (RBNL.SYS).

“The properly signed third party GDRV.SYS driver contains a privilege escalation vulnerability as it allows reading and writing of arbitrary memory. The malware authors abuse this vulnerability in order to (temporarily) disable driver signature enforcement in Windows – on-the-fly, in kernel memory. Once driver signature enforcement is disabled, the attackers are able to load their unsigned malicious driver,” the researchers explained.

“Once this driver is installed, STEEL.EXE reads the PLIST.TXT file and instructs the driver to delete any application listed in PLIST.TXT, then killing their associated processes. If the process was running as a service, the service can no longer automatically restart as the associated file has been deleted. Once the STEEL.EXE process exits, the ransomware program can perform its encryption attack without being hindered by the security applications that have been taken out decisively.”

Attack prevention advice

The benign but vulnerable Gigabyte driver was obviously not blacklisted by Microsoft when it was deprecated and the attackers decided to take advantage of this decision.

“There are many other vulnerable drivers (with a similar vulnerability) in addition to the Gigabyte driver that these or other attackers may choose to abuse later, such as ones from VirtualBox (CVE-2008-3431), Novell (CVE-2013-3956), CPU-Z (CVE-2017-15302), or ASUS (CVE-2018-18537),” the researchers worry.

Hopefully, Microsoft will re-consider its current policy for revoking its trust in software that has been deprecated because of security vulnerabilities.

In the meantime, users/organizations should focus on disrupting as many stages in any ransomware attack as possible by deploying a range of technologies, the researchers advised. Use MFA, complex passwords, limit access rights, make regular backups (and keep them offline), lock down your RDP if you don’t need it, and ensure tamper protection for endpoint protection is enabled.

Don't miss