[MART] - Daily Diary #609 - BlackByte Ransomware Abuses Legitimate Driver

ctas-mat at appgate.com
Thu Oct 6 22:58:47 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

10/06/2022 - Diary entry #609:

Covered in several of our Daily Diaries, most recently in our Daily Diary #576, BlackByte is one of the many ransomware operations active today. Operating under the ransomware-as-a-service model, BlackByte is notorious for targeting manufacturing, healthcare, and other industries in the U.S. and Europe.

In our Daily Diary #576, we covered a new version of BlackByte's wall-of-shame blog, revealing an upgrade in BlackByte's extortion model known as "pay-to-delay", also observed earlier on the LockBit 3.0 blog. After a victim's data is published on the wall of shame, the victim has three options: extend the countdown timer by 24 hours (costing $5,000 USD), have all the stored information destroyed (costing $300,000 USD), or download the data (costing $200,000 USD).

Most recently, BlackByte ransomware was observed bypassing security products with a Bring Your Own Vulnerable Driver (BYOVD) technique: it abuses a known vulnerability in "RTCore64.sys", the legitimate, signed MSI Afterburner driver, which allows any authenticated user to read and write arbitrary kernel memory (tracked as CVE-2019-16098).

To exploit the vulnerability during an attack, the operators drop the vulnerable driver on the victim's machine and load it. BlackByte then uses the driver's arbitrary kernel read/write to remove the callback entries registered by EDR drivers from kernel memory, so the EDR no longer receives the kernel notifications it relies on to observe the ransomware's activity.

A similar technique was covered before in our Daily Diaries #502 and #588, when AvosLocker abused Avast's anti-rootkit driver and a ransomware operator abused a video game anti-cheat driver to deploy ransomware. Abusing vulnerable drivers allows malware to execute dangerous operations in an elevated (kernel) context; for that reason we believe this is becoming a trend among ransomware attacks. We recommend that system administrators monitor for devices installing outdated (vulnerable) drivers, mark such machines as suspect, and isolate them from the network.
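One way to act on that recommendation, as an added example that is not part of this diary or of Appgate's tooling: a small Python triage routine over the two Windows events that record a driver being installed and loaded, System log Event ID 7045 (a new service of type "kernel mode driver") and Sysmon Event ID 6 (driver loaded, with the file's hashes). The host names, event records and the SHA-256 values in the blocklist are constructed placeholders, not real RTCore64.sys hashes; a real deployment would take the hash list from the Microsoft vulnerable driver blocklist or the LOLDrivers project.

```python
"""Triage Windows event records for vulnerable-driver (BYOVD) activity.

Added example (not Appgate's code). Sample records are constructed, and the
SHA-256 values in KNOWN_VULNERABLE are placeholders, not real driver hashes.
"""
import re

# Placeholder blocklist: sha256 -> label. Populate it in practice from the
# Microsoft vulnerable driver blocklist or the LOLDrivers project, not from here.
KNOWN_VULNERABLE = {
    "00" * 32: "RTCore64.sys (MSI Afterburner, CVE-2019-16098)",
}

# File names worth a second look even when the hash is not on the list. A name
# match alone is weak evidence: the file can be renamed or a newer build used.
SUSPECT_NAMES = {"rtcore64.sys", "rtcore32.sys"}

# Directories a legitimate kernel driver is rarely started from.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)


def parse_sysmon_hashes(hashes_field):
    """Sysmon's Hashes field is 'SHA256=...,MD5=...'; return {ALGO: hex} lowercased."""
    out = {}
    for part in hashes_field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def evaluate(event):
    """Return the reasons (possibly none) this single event looks like a BYOVD step."""
    reasons = []
    source, event_id = event.get("source"), event.get("event_id")

    if source == "Microsoft-Windows-Sysmon" and event_id == 6:      # Driver loaded
        path = event.get("ImageLoaded", "")
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        sha256 = parse_sysmon_hashes(event.get("Hashes", "")).get("SHA256")
        if sha256 in KNOWN_VULNERABLE:
            reasons.append(f"known vulnerable driver loaded: {KNOWN_VULNERABLE[sha256]} ({path})")
        elif name in SUSPECT_NAMES:
            reasons.append(f"driver name on watchlist, hash not in blocklist: {path}")

    elif source == "Service Control Manager" and event_id == 7045:  # Service installed
        if event.get("ServiceType", "").lower() == "kernel mode driver":
            path = event.get("ImagePath", "")
            if USER_WRITABLE.search(path):
                reasons.append(f"kernel driver service installed from user-writable path: {path}")

    return reasons


def triage(events):
    """Group findings by host. Any host returned here is a candidate for isolation."""
    flagged = {}
    for event in events:
        reasons = evaluate(event)
        if reasons:
            flagged.setdefault(event["host"], []).extend(reasons)
    return flagged


# Constructed sample records, shaped like a SIEM's flattened view of the events.
SAMPLE_EVENTS = [
    {"host": "WS-0412", "source": "Microsoft-Windows-Sysmon", "event_id": 6,
     "ImageLoaded": "C:\\Windows\\Temp\\RTCore64.sys",
     "Hashes": "SHA256=" + "00" * 32 + ",MD5=" + "00" * 16, "Signed": "true"},
    {"host": "WS-0412", "source": "Service Control Manager", "event_id": 7045,
     "ServiceName": "RTCore64", "ImagePath": "C:\\Windows\\Temp\\RTCore64.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    {"host": "WS-0077", "source": "Microsoft-Windows-Sysmon", "event_id": 6,
     "ImageLoaded": "C:\\ProgramData\\Tools\\rtcore64.sys",
     "Hashes": "SHA256=" + "11" * 32, "Signed": "true"},
    {"host": "WS-0100", "source": "Microsoft-Windows-Sysmon", "event_id": 6,
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Hashes": "SHA256=" + "22" * 32, "Signed": "true"},
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS).items():
        print(f"[isolate] {host}")
        for reason in reasons:
            print(f"    - {reason}")
```

The hash match is the signal to trust: the driver is legitimately signed, so "Signed: true" and a valid signer tell you nothing, and a check that only rejects unsigned drivers will wave it through. The name watchlist and the user-writable-path check are fallbacks for builds whose hash you do not have yet; treat those hits as leads to confirm, and the blocklist hits as grounds to isolate the host.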

Kind Regards,




MART

Malware Analysis and Research Team
Appgate

E: ctas-mat at appgate.com<mailto:ctas-mat at appgate.com>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20221006/8d0a885a/attachment.htm>