BlackByte ransomware uses new EDR evasion technique

Operators behind BlackByte ransomware developed an advanced technique to bypass security products, according to new research.

In a blog post last week, Sophos threat researcher Andreas Klopsch detailed the new evasion tactic that disables endpoint detection and response (EDR) tools by exploiting a known privilege escalation and code execution vulnerability in a driver called RTCore64.sys. The video driver is used by Micro-Star's MSI AfterBurner 4.6.2.15658, an overclocking tool that gives users extended control over graphic cards.

Operators of BlackByte ransomware, which has been active since 2021, are leveraging the RTCore64.sys vulnerability, tracked as CVE-2019-16098, to target a portion of the Windows OS that guards EDR security products. Sophos noted that no shellcode or exploit is required to abuse the vulnerability.

"Furthermore, we have also identified routines to deactivate the ETW (Event Tracing for Windows) Microsoft-Windows-Threat-Intelligence provider, a feature that provides logs about the use of commonly abused API calls such as NtReadVirtualMemory to inject into another process's memory," Klopsch wrote in the blog post. "This renders every security feature that relies on this provider useless."

The attack technique, which Sophos dubbed "Bring Your Own Driver" (BYOD), can be used against a list of 1,000 drivers and leverages known vulnerabilities to bypass threat detection productors. Sophos noted other recent examples of this technique, including an AvosLocker attack that weaponized an Avast anti-rootkit driver.

During the threat team's analysis, Sophos researchers found multiple similarities between the open-source tool "EDRSandblast" and the BlackByte EDR bypass method. Klopsch described EDRSandblast as "a tool written in C to weaponize vulnerable signed drivers to bypass EDR detections via various methods." Based on these findings, Sophos concluded that BlackByte threat actors "copied code snippets from the open-source tool and reimplemented into the ransomware."

Commonalities included nearly identical functions and a list of known drivers related to security software.

"If we decrypt the kernel offset list from BlackByte, it is almost if not completely identical to the list in the GitHub repository, except that the CSV file header is missing," Klopsch wrote.

Christopher Budd, senior manager of threat research at Sophos, told TechTarget Editorial that the infosec industry should be aware of the attack vector because BlackByte operators are not targeting one specific security vendor. Instead, he described it as a situation where their approach is high level enough, from an architectural standpoint, that it can be applied against any number of security products.

Additionally, obtaining the drivers is not difficult. Budd said threat actors can simply download them from a manufacturer's website.

"Drivers are ubiquitous," Budd said. "Once vulnerable drivers are known to be vulnerable and are patched, the majority of vendors will remove the vulnerable one, so that closes that avenue to you. But these things circulate."

While Sophos has observed the tactic being exploited in the wild, Budd said it is not widespread. However, his primary concern is on its broad applicability. Another concern, Budd said, is the level of sophistication demonstrated since the technique represents someone who understands how operating system kernels work.

"More importantly, [they understand] how security software, how EDR are relying collectively on the same single critical API capability within the operating system," Budd said.