The BlackByte ransomware group has begun using a Bring Your Own Vulnerable Driver (BYOVD) attack that abuses a flaw in MSI Afterburner's RTCore64.sys driver, tracked as CVE-2019-16098, BleepingComputer reports.
Exploiting the MSI graphics driver gives easy access to its I/O control codes, which a threat actor can use to read, write and execute code in kernel memory without needing a separate exploit or shellcode, a Sophos report revealed. After identifying the running kernel version and selecting the matching hardcoded offsets for it, BlackByte drops RTCore64.sys into the user's AppData\Roaming directory and creates a new service for it with a hardcoded display name. The report also showed that the flaw is then used to remove Kernel Notify Routines: the malware reads the registered callback addresses from kernel memory, resolves which driver each callback belongs to, and compares those drivers against a hardcoded list of 1,000 targeted drivers, largely those of EDR and antivirus products. BlackByte also checks for hooking DLLs used by Avast, the Windows DbgHelp Library, Comodo Internet Security and Sandboxie in order to evade detection, the researchers added. The findings come after Lazarus used a similar BYOVD method in recent attacks exploiting a Dell driver.
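The loader behaviour described above leaves two log artefacts a defender can hunt for: a kernel-driver service created for a .sys file sitting in a user profile, and a signed driver being loaded from that profile. The Python below is an added illustration, not code from the Sophos report or from BlackByte's tooling. The event records are constructed samples in the shape of Sysmon Event ID 6 (DriverLoad) and System log Event ID 7045 (service installed); the user name and service name are placeholders, and the vulnerable-driver list holds only the file name from the article. A valid signature is deliberately not treated as exonerating, because a legitimately signed driver is the whole point of BYOVD.

```python
"""Hunt Windows event data for BYOVD indicators: kernel drivers loaded from,
or registered as services out of, user-writable directories."""

# Driver file names known to expose kernel read/write primitives. Seeded only
# with the RTCore64.sys driver named in the article; in production, extend it
# from a maintained source (e.g. Microsoft's vulnerable driver blocklist)
# rather than by hand. Attackers can rename files, so the path rule below
# matters as much as the name rule.
KNOWN_VULNERABLE_DRIVERS = {"rtcore64.sys"}

# Directories from which a legitimate kernel driver is never installed.
# A driver dropped into the roaming profile, as the article describes, hits
# the first marker. Paths are normalised to lower-case forward slashes first.
USER_WRITABLE_MARKERS = (
    "/appdata/roaming/",
    "/appdata/local/",
    "/temp/",
    "/users/public/",
    "/downloads/",
)


def _normalize_path(raw):
    """Lower-case, strip quotes and the NT \\??\\ prefix, expand the two
    environment variables service ImagePaths commonly use."""
    p = raw.strip().strip('"').lower().replace("\\", "/")
    if p.startswith("/??/"):          # object-manager form: \??\C:\...
        p = p[4:]
    p = p.replace("%appdata%", "c:/users/_/appdata/roaming")
    p = p.replace("%temp%", "c:/users/_/appdata/local/temp")
    return p


def classify_event(ev):
    """Return the list of rules this event triggered ([] if none)."""
    reasons = []
    eid = ev.get("EventID")
    if eid == 6:                      # Sysmon DriverLoad
        path = _normalize_path(ev.get("ImageLoaded", ""))
    elif eid == 7045:                 # SCM: new service installed
        path = _normalize_path(ev.get("ImagePath", ""))
        is_kernel = "kernel" in ev.get("ServiceType", "").lower()
        if not is_kernel and not path.endswith(".sys"):
            return reasons            # user-mode service: out of scope here
    else:
        return reasons

    name = path.rsplit("/", 1)[-1]
    if name in KNOWN_VULNERABLE_DRIVERS:
        reasons.append(f"known vulnerable driver: {name}")
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        reasons.append(f"driver image in user-writable location: {path}")
    return reasons


def hunt(events):
    """Return (event, reasons) pairs for every event that triggered a rule."""
    hits = []
    for ev in events:
        reasons = classify_event(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample events (not real telemetry); user and service names are placeholders.
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 6,
     "ImageLoaded": r"C:\Users\jdoe\AppData\Roaming\RTCore64.sys", "Signed": "true"},
    {"Channel": "System", "EventID": 7045, "ServiceName": "ExampleDrvSvc",
     "ImagePath": r"\??\C:\Users\jdoe\AppData\Roaming\RTCore64.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    # Renamed copy: the name rule misses it, the path rule still fires.
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 6,
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\hw64.sys", "Signed": "true"},
    # Benign: OS driver from the drivers directory.
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
    # Benign: user-mode service, not a driver.
    {"Channel": "System", "EventID": 7045, "ServiceName": "UpdaterSvc",
     "ImagePath": r"C:\Program Files\Vendor\updater.exe",
     "ServiceType": "user mode service", "StartType": "auto start"},
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(ev["Channel"], ev["EventID"], "->", "; ".join(reasons))
```

File-name and path rules are a starting point, not the finish: the robust control is blocking the driver by its Authenticode hash (HVCI with the vulnerable driver blocklist, or a WDAC policy), which this script does not attempt because no hash appears in the article.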