Hackers take advantage of Windows driver vulnerabilities to shut down antivirus software

Security firm Sophos has warned that the new ransomware attack used vulnerable Technouse drivers to try to break into Windows systems and then disable running security software. The attack is based on a security vulnerability found in the Techa driver in 2018, which is detailed in CVE-2018-19320.

The driver, which was discarded after Gtech confirmed the error, allowed a malicious attacker to exploit the vulnerability to try to access the device and deploy a second driver in order to kill antivirus products in the system. Sophos says the second driver will spare no effort to kill processes and files belonging to endpoint security products, bypassing tamper protection and enabling ransomware to attack without interference. This is the first time security researchers have observed ransomware shipping a Microsoft co-signed third-party driver to patch the Windows kernel in memory to load its own unsigned malicious driver and remove the security application from kernel space

The ransomware used by the hacker, called RobbinHood, requires victims to pay to unlock their files. If they don’t pay, the price will increase by $10,000 a day, the ransom note scored. The executable file using the Gdrv.sys driver is called Steel.exe, which extracts Windows The file in the temp folder, named ROBNR.exe, extracts two different drivers in turn, one developed by Gigabyte (vulnerable) and the other used to disable antivirus software on compromised devices. Once the vulnerability is exploited, windows driver signature signed is forced to be disabled, allowing a malicious driver to be started.

Sophos says there is nothing to help users prevent the vulnerability from being exploited by hackers, other than the usual practice of keeping it safe in ransomware attacks.

Hackers take advantage of Windows driver vulnerabilities to shut down antivirus software