BlackByte Ransomware Detection: Threat Actors Exploit CVE-2019-16098 Vulnerability in RTCore64.sys Driver to Bypass EDR Protection

BlackByte ransomware disabling EDR protection

BlackByte ransomware reemerges in the cyber threat arena exploiting a security flaw in legitimate drivers to disable EDR products on compromised devices. Cybersecurity researchers have revealed that ransomware operators apply an advanced adversary technique dubbed “Bring Your Own Driver” enabling them to bypass security products and spread infection on vulnerable machines.

Detect BlackByte Ransomware Used in the Latest Adversary Campaigns

Cyber defenders admit that ongoing attacks by BlackByte ransomware operators abusing legitimate drivers to bypass security solutions are likely to continue. To help the industry peers with proactive BlackByte Ransomware detection, SOC Prime’s platform curates a set of dedicated Sigma rules developed by our prolific Threat Bounty developer, Nattatorn Chuensangarun.

The detections are compatible with 17 SIEM, EDR, and XDR solutions and are aligned with the MITRE ATT&CK® framework addressing the Execution tactic and the corresponding User Execution technique (T1204). 

Click the Explore Detections button below to instantly access Sigma rules for BlackByte Ransomware detection and dive into comprehensive threat intelligence.

Explore Detections

BlackByte Ransomware Attacks Analysis: New Campaigns Targeting RTCore64.sys Drivers

BlackByte ransomware has been targeting organizations worldwide applying the Ransomware-as-a-Service (RaaS) model since July 2021. The ransomware operators are constantly evolving the malware variant and expanding their adversary toolkit. Originally, the BlackByte ransomware group developed malware strains in the C# programming language and later on applied the upgraded Go-based variants with enhanced file encryption leveraged in cyber attacks against the Swiss-based logistics company in May 2022. In that adversary campaign, the group already applied techniques aimed at disabling security solutions and evading detection. 

Recent research by Sophos unveils a new adversary technique called “Bring Your Own Driver” that enables threat actors to disable EDR solutions through the exploitation of a known vulnerability in RTCore64.sys drivers. The security flaw tracked as CVE-2019-16098 can be exploited for privilege escalation, code execution, and information disclosure. A similar technique was earlier applied by threat actors to spread AvosLocker ransomware variant by abusing the compromised Avast driver, scanning a set of endpoints for Log4Shell, and disabling anti-virus protection. Also, in August 2022, adversaries leveraged this technique to target mhyprot2.sys, a compromised anti-cheat driver for the Genshin Impact game, attempting to disable antivirus processes and spread ransomware samples.

The evasion technique used to drop the novel variant of Blackbyte ransomware allows threat actors to read and overwrite legitimate drivers that EDR products depend on. According to the report by Sophos, the adversary technique is capable of disabling up to 1,000 RTCore64.sys drivers, posing a serious threat to global organizations that leverage this software.

BlackByte ransomware exploits the compromised legitimate devices to remove callback entries leveraged by EDR solutions from kernel memory. As a result, this enables attackers to overwrite the callback function of the vulnerable driver with zeros. The I/O control codes in the abused drivers can be directly accessed by user-mode processes, which allows attackers to abuse the vulnerability and perform read or write operations in kernel memory even without a shellcode or an exploit.

To proactively defend against BlackByte ransomware attacks, immediately reach the entire collection of relevant Sigma rules and their SIEM & XDR translations along with in-depth cyber threat context. Progressive threat researchers eager to enrich the collective industry expertise with their detection content can join Threat Bounty Program and monetize their contributions. Don’t miss out on a brilliant opportunity to build your live professional profile, hone your Sigma and ATT&CK skills, and gain recognition from the global cyber defender community.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts