Security News > 2020 > February > Ransomware uses vulnerable, signed driver to disable endpoint security

Ransomware-wielding attackers have devised a novel tactic for disabling security protections that might get in their way: they are using a deprecated, vulnerable but signed driver to deliver a malicious, unsigned one that allows them to kill processes and files belonging to Windows endpoint security products.

The vulnerable driver they are misusing was created by Taiwan-based motherboard manufacturer Gigabyte, found to be vulnerable in 2018 and later deprecated, but the signing certificate was never revoked.

The STEEL.EXE application first deploys a driver installer, which deploys the benign, signed third-party driver and the criminals' unsigned kernel driver.

"The properly signed third party GDRV.SYS driver contains a privilege escalation vulnerability as it allows reading and writing of arbitrary memory. The malware authors abuse this vulnerability in order to disable driver signature enforcement in Windows - on-the-fly, in kernel memory. Once driver signature enforcement is disabled, the attackers are able to load their unsigned malicious driver," the researchers explained.

"Once this driver is installed, STEEL.EXE reads the PLIST.TXT file and instructs the driver to delete any application listed in PLIST.TXT, then killing their associated processes. If the process was running as a service, the service can no longer automatically restart as the associated file has been deleted. Once the STEEL.EXE process exits, the ransomware program can perform its encryption attack without being hindered by the security applications that have been taken out decisively."

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/3jNAmM_5FoE/