Delivering vulnerable signed kernel drivers remains popular among attackers (Security News, January 2022)
ESET researchers took an in-depth look into the abuse of vulnerable kernel drivers.
Among the various types of kernel drivers are "Software" drivers that provide specific, non-hardware related features like software debugging and diagnostics, system analysis, etc.
Although directly loading a malicious, unsigned driver is no longer possible in the newer versions of Windows, and kernel rootkits are considered to be a thing of the past, there are still ways to load malicious code into the kernel, especially by abusing legitimate, signed drivers.
Among the vulnerabilities most frequently observed in kernel drivers is the failure to add checks that restrict read and write access to critical model-specific registers (MSRs). A driver IOCTL that passes a caller-supplied MSR index and value straight to the hardware lets anyone who can open the device write registers such as IA32_LSTAR, the x64 SYSCALL entry point, and so redirect kernel execution to attacker-controlled code.
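The following is an added illustration of that vulnerability class, not code from ESET's research or from any real driver: a "write MSR" IOCTL handler in its vulnerable form (the only check is the buffer size) beside a hardened form (caller restriction, single copy of the input, explicit allowlist). It is written as user-mode C with a mocked WRMSR so it compiles and runs anywhere; the request layout, return codes and allowlist contents are assumptions, while the MSR numbers are the architectural ones.

```c
/* Added example: an MSR-write IOCTL handler, vulnerable and hardened, modelled in
 * user-mode C. The WRMSR_REQUEST layout, the return codes and the allowlist are
 * assumptions for illustration; this is not code from any real driver. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSR_IA32_PMC0         0x0C1        /* performance counter 0: plausible diagnostic use */
#define MSR_IA32_PERFEVTSEL0  0x186        /* performance event select 0 */
#define MSR_IA32_EFER         0xC0000080   /* long mode / NX enable */
#define MSR_IA32_STAR         0xC0000081   /* SYSCALL segment selectors */
#define MSR_IA32_LSTAR        0xC0000082   /* x64 SYSCALL entry point */

/* Hypothetical input buffer for the IOCTL. */
typedef struct {
    uint32_t msr;
    uint32_t reserved;
    uint64_t value;
} WRMSR_REQUEST;

/* Stand-in for the kernel's __writemsr(): records the write instead of performing it. */
static uint32_t g_last_msr;
static uint64_t g_last_value;

static void mock_wrmsr(uint32_t msr, uint64_t value)
{
    g_last_msr = msr;
    g_last_value = value;
}

uint32_t last_written_msr(void)   { return g_last_msr; }
uint64_t last_written_value(void) { return g_last_value; }

/* Vulnerable pattern: the only validation is the buffer length. The caller's MSR index
 * and value reach WRMSR unchecked, so anyone who can open the device can point
 * IA32_LSTAR at memory they control. */
int vulnerable_wrmsr_ioctl(const void *in_buf, size_t in_len)
{
    if (in_len < sizeof(WRMSR_REQUEST))
        return -1;                        /* STATUS_BUFFER_TOO_SMALL equivalent */
    const WRMSR_REQUEST *req = in_buf;
    mock_wrmsr(req->msr, req->value);     /* no check on which MSR is written */
    return 0;
}

/* Hardened pattern. In a real driver the caller restriction comes from the device
 * object's security descriptor (admin-only open); here it is modelled by a flag. */
static const uint32_t k_allowed_msrs[] = { MSR_IA32_PMC0, MSR_IA32_PERFEVTSEL0 };

static bool msr_allowed(uint32_t msr)
{
    for (size_t i = 0; i < sizeof k_allowed_msrs / sizeof k_allowed_msrs[0]; i++)
        if (k_allowed_msrs[i] == msr)
            return true;
    return false;
}

int hardened_wrmsr_ioctl(const void *in_buf, size_t in_len, bool caller_is_admin)
{
    if (!caller_is_admin)
        return -2;                        /* STATUS_ACCESS_DENIED equivalent */
    if (in_len != sizeof(WRMSR_REQUEST))
        return -1;
    WRMSR_REQUEST req;
    memcpy(&req, in_buf, sizeof req);     /* copy once, validate the copy: never re-read
                                             the caller's buffer after the check */
    if (!msr_allowed(req.msr))
        return -3;                        /* STATUS_INVALID_PARAMETER equivalent */
    mock_wrmsr(req.msr, req.value);
    return 0;
}

int main(void)
{
    /* Constructed attacker request: redirect the SYSCALL entry to a chosen address. */
    WRMSR_REQUEST hijack = { MSR_IA32_LSTAR, 0, 0x4141414141414141ULL };
    int rc = vulnerable_wrmsr_ioctl(&hijack, sizeof hijack);
    printf("vulnerable: rc=%d, wrote MSR 0x%X = 0x%llX\n",
           rc, last_written_msr(), (unsigned long long)last_written_value());

    rc = hardened_wrmsr_ioctl(&hijack, sizeof hijack, false);
    printf("hardened, non-admin caller: rc=%d\n", rc);
    rc = hardened_wrmsr_ioctl(&hijack, sizeof hijack, true);
    printf("hardened, admin caller, LSTAR: rc=%d (blocked by allowlist)\n", rc);

    WRMSR_REQUEST benign = { MSR_IA32_PMC0, 0, 0 };
    rc = hardened_wrmsr_ioctl(&benign, sizeof benign, true);
    printf("hardened, admin caller, PMC0: rc=%d\n", rc);
    return 0;
}
```

The allowlist approach matters more than the admin check alone: a driver that any administrator can use to write arbitrary MSRs is still a BYOVD primitive, because the attacker in these campaigns already has administrator rights and is using the signed driver purely to cross the user/kernel boundary.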
"When malware actors need to run malicious code in the Windows kernel on x64 systems with driver signature enforcement in place, carrying a vulnerable signed kernel driver seems to be a viable option for doing so. This technique is known as Bring Your Own Vulnerable Driver, abbreviated as BYOVD, and has been observed being used in the wild by both high-profile APT actors and in commodity malware," explains Peter Kálnai, Senior Malware Researcher at ESET, and one of the co-investigators of this research.
Examples of malicious actors using the BYOVD technique include the Slingshot APT group, which implemented their main module, called Cahnadr, as a kernel-mode driver that can be loaded by vulnerable signed kernel drivers.
News URL
https://www.helpnetsecurity.com/2022/01/13/vulnerable-signed-kernel-drivers/