Operators of BlackByte ransomware, which has been active since 2021, are leveraging the RTCore64.sys vulnerability, tracked as CVE-2019-16098, to target a portion of the Windows OS that guards EDR security products. The attack technique, which Sophos dubbed "Bring Your Own Driver" (BYOD), can be used against a list of 1,000 drivers and leverages known vulnerabilities to bypass threat detection products. Sophos noted that no shellcode or exploit is required to abuse the vulnerability.

"Furthermore, we have also identified routines to deactivate the ETW (Event Tracing for Windows) Microsoft-Windows-Threat-Intelligence provider, a feature that provides logs about the use of commonly abused API calls such as NtReadVirtualMemory to inject into another process's memory," Klopsch wrote in the blog post. "This renders every security feature that relies on this provider useless."

During the threat team's analysis, Sophos researchers found multiple similarities between the open-source tool "EDRSandblast" and the BlackByte EDR bypass method. Klopsch described EDRSandblast as "a tool written in C to weaponize vulnerable signed drivers to bypass EDR detections via various methods."

Commonalities included nearly identical functions and a list of known drivers related to security software. Based on these findings, Sophos concluded that BlackByte threat actors "copied code snippets from the open-source tool and reimplemented into the ransomware."

Sophos noted other recent examples of this technique, including an AvosLocker attack that weaponized an Avast anti-rootkit driver.
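As an added illustration of the defender's side (not code from the article, Sophos, or the EDRSandblast project), the following Python triages driver-load telemetry in the shape of Sysmon Event ID 6 records: it flags a load of the RTCore64.sys driver named above even though it is validly signed, plus drivers lacking a valid signature or loaded from outside the standard drivers directory. The flattened key=value log format, the sample records and the vendor string are constructed for this example.

```python
import re

# Constructed sample of Sysmon Event ID 6 (Driver Loaded) records, flattened to
# key=value lines the way a log forwarder might emit them. Not real telemetry;
# the signer string on the RTCore64.sys line is a constructed placeholder.
SAMPLE_EVENTS = """\
EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=6 ImageLoaded=C:\\Users\\Public\\RTCore64.sys Signed=true Signature=Example Hardware Vendor SignatureStatus=Valid
EventID=6 ImageLoaded=C:\\Temp\\helper.sys Signed=false Signature=- SignatureStatus=Unavailable
EventID=7 ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true Signature=Microsoft Windows SignatureStatus=Valid
"""

# Driver file names known to be abusable; RTCore64.sys is the one the article names.
# In practice this set is populated from a maintained catalogue of vulnerable drivers.
VULNERABLE_DRIVERS = {"rtcore64.sys"}
TRUSTED_DIR = r"c:\windows\system32\drivers"

# Values may contain spaces, so stop each value just before the next " key=" token.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one flattened key=value record into a dict."""
    return dict(KV_RE.findall(line))


def assess(event: dict) -> list:
    """Return the findings for one event; empty if it is not a driver load or looks benign."""
    if event.get("EventID") != "6":
        return []
    path = event.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    findings = []
    # A valid signature is exactly what BYOD abuse relies on, so check the name first.
    if name in VULNERABLE_DRIVERS:
        findings.append(f"known-vulnerable driver loaded: {name} (signed={event.get('Signed')})")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        findings.append(f"driver without valid signature: {name}")
    if not path.lower().startswith(TRUSTED_DIR + "\\"):
        findings.append(f"driver loaded from non-standard path: {path}")
    return findings


def scan(log_text: str) -> dict:
    """Map each flagged driver path to its list of findings."""
    results = {}
    for line in log_text.splitlines():
        event = parse_event(line)
        findings = assess(event)
        if findings:
            results[event["ImageLoaded"]] = findings
    return results


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(findings))
```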