Ransomware uses vulnerable, signed driver to disable endpoint security

Ransomware-wielding attackers have devised a novel tactic for disabling security protections that might get in their way: they are using a deprecated, vulnerable but signed driver to deliver a malicious, unsigned one that allows them to kill processes and files belonging to Windows endpoint security products.

Disabling security solutions

The tactic, as described by Sophos researchers, is used by attackers to deliver the RobbinHood ransomware – infamous for hitting the City of Baltimore and many other local government and municipal targets.

The vulnerable driver they are misusing was created by Taiwan-based motherboard manufacturer Gigabyte. It was found to be vulnerable in 2018 and later deprecated, but the signing certificate was never revoked, because other software had also been signed with it.

Sophos does not say how the attackers gained access to the targeted Windows machines, but once on them, they dropped an executable (STEEL.EXE) that bundles several additional files, which are extracted into Windows’s TEMP folder.

The STEEL.EXE application first deploys a driver installer (ROBNR.EXE), which deploys the benign, signed third-party driver (GDRV.SYS) and the criminals’ unsigned kernel driver (RBNL.SYS).

“The properly signed third party GDRV.SYS driver contains a privilege escalation vulnerability as it allows reading and writing of arbitrary memory. The malware authors abuse this vulnerability in order to (temporarily) disable driver signature enforcement in Windows – on-the-fly, in kernel memory. Once driver signature enforcement is disabled, the attackers are able to load their unsigned malicious driver,” the researchers