New Malware Attack, Security Researcher Calls It Can Pass Antivirus On Computer

New malware attacks can penetrate computer antiviral. (photo: doc. pixabay)

JAKARTA - Antivirus is usually a reliable tool of protection when malware is lurking, but it turns out that cyber threat actors have found a way to disable the software.

Research by cybersecurity firm Sophos shows how the method of disabling an antivirus, also known as the Bring Your Own Vulnerable Driver, works and what it does to businesses around the world.

According to the study, the BlackByte ransomware group was found to be the mastermind behind this attack. They involve MSI Afterburner driver versions RTCore64.sys as well as RTCore32.sys which are vulnerable to privilege escalation and code execution defects which are tracked as CVE-2019-16098.

Afterburner is an overclocking utility for GPUs, which gives users more control over the hardware. Given the loophole, it helps BlackByte disable more than 1,000 drivers that security products such as antivirus need to run.

"It's likely that they will continue to abuse legitimate drivers to bypass security products," Sophos explained in a blog post.

To protect against this new method of attack, Sophos recommends IT admins add those custom MSI Afterburner RTCore64.sys and RTCore32.sys drivers to the active block list and ensure they don't work to the endpoint.

Apart from that, they should also keep an eye on all drivers installed on the device, and audit endpoints frequently for malicious injections without hardware matches.

Citing TechRadar, Monday, October 10, Sophos also highlighted some of the methods BlackByte used in this attack to evade analysis from security researchers, such as looking for signs of a debugger running on the target system and stopping.

BlackByte also checks the list of Dynamic-link library (DLL) hooks used by Avast, Sandboxie, Windows DbgHelp Library, and Comodo Internet Security, even stopping their execution if found.

Bring Your Own Vulnerable Driver may be a new method, but its popularity is rapidly increasing. Earlier this week, a well-known North Korean-sponsored threat actor, Lazarus Group, was also found to have used the same technique against Dell-branded firmware drivers.

The spear-phishing campaign opened in the fall of 2021, and confirmed targets include aerospace employees in the Netherlands and political journalists in Belgium by offering fake jobs from Amazon.

According to cybersecurity researcher ESET, which published the report on the campaign, the main objective is espionage and data theft. They will share fake job description pdfs, which are basically old and vulnerable Dell drivers.

What makes this technique so dangerous is that this driver looks harmless, and thus, will not be detected by antiviruses.