A driver developed by the Taiwanese company GIGABYTE contains a known vulnerability that is being exploited by threat actor groups to infect targeted computers with the ransomware variant known as RobbinHood, according to network security specialists.
In addition, by abusing this legitimate hardware driver the attackers are able to remove security tools (antivirus) from the infected systems and then encrypt the files in a second attack stage.
The attack is completed by loading a second, malicious driver into the compromised system after disabling driver signature enforcement, which requires changing a single byte in the kernel. As network security experts explain, hardware drivers of this kind allow the operating system to communicate with a particular device. The driver targeted in this attack was distributed with GIGABYTE motherboards and graphics cards before it was discontinued in early 2019.
This is a recent and innovative attack method, and it is also a warning for researchers and system administrators, since it is a genuinely effective way to evade even the most sophisticated endpoint security tools: "This attack variant can even eliminate protection measures on fully updated Windows systems without known vulnerabilities," says Mark Loman, network security specialist at Sophos.
The vulnerability exploited in the driver (CVE-2018-19320) is a privilege escalation flaw that allows arbitrary reading and writing of system memory. Exploiting it allows driver signature enforcement to be temporarily disabled on Windows systems. Once enforcement is disabled, RobbinHood loads the second driver into the attacked system.
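As an added illustration of the two-stage pattern described above (example code written for this page, not from the article or from Sophos), the following Python detection sketch scans Sysmon-style DriverLoad records and flags a known-vulnerable signed driver loading shortly before a driver with no valid signature on the same host. The blocklist hash, the record layout and the log lines are constructed placeholders.

```python
from datetime import datetime, timedelta

# Placeholder set: fill with SHA256 values of known-vulnerable drivers taken from
# a trusted blocklist. The article names CVE-2018-19320 but gives no hash.
VULNERABLE_DRIVER_HASHES = {"PLACEHOLDER_SHA256_OF_VULNERABLE_DRIVER"}
WINDOW = timedelta(minutes=10)  # how soon after the vulnerable load to look

def parse_event(line):
    """Parse one 'key=value|key=value' DriverLoad record (constructed layout)."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S")
    return fields

def sha256_of(hashes_field):
    """Pull the SHA256 value out of a Sysmon-style 'MD5=...,SHA256=...' field."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo == "SHA256":
            return value
    return None

def find_byovd_sequences(lines):
    """Return (host, vulnerable_driver, follow_on_driver) for each suspicious pair."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["UtcTime"])
    alerts, last_vulnerable = [], {}  # host -> (time, image) of last vulnerable load
    for ev in events:
        host = ev["Computer"]
        if sha256_of(ev["Hashes"]) in VULNERABLE_DRIVER_HASHES:
            last_vulnerable[host] = (ev["UtcTime"], ev["ImageLoaded"])
            continue
        # A driver without a valid signature loading at all is the tell-tale second
        # stage: it should be impossible while signature enforcement is intact.
        unsigned = ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid"
        if unsigned and host in last_vulnerable:
            seen_at, image = last_vulnerable[host]
            if ev["UtcTime"] - seen_at <= WINDOW:
                alerts.append((host, image, ev["ImageLoaded"]))
    return alerts

# Constructed sample records: WS01 shows the two-stage pattern, WS02 a benign load.
SAMPLE_LOG = [
    "Computer=WS01|UtcTime=2020-02-10 09:00:00|ImageLoaded=C:\\Windows\\Temp\\legit_vendor.sys"
    "|Hashes=SHA256=PLACEHOLDER_SHA256_OF_VULNERABLE_DRIVER|Signed=true|SignatureStatus=Valid",
    "Computer=WS01|UtcTime=2020-02-10 09:00:05|ImageLoaded=C:\\Windows\\Temp\\second.sys"
    "|Hashes=SHA256=0000constructed0000|Signed=false|SignatureStatus=Unavailable",
    "Computer=WS02|UtcTime=2020-02-10 09:01:00|ImageLoaded=C:\\Windows\\System32\\drivers\\vendor_storage.sys"
    "|Hashes=SHA256=1111constructed1111|Signed=true|SignatureStatus=Valid",
]
```

Run `find_byovd_sequences(SAMPLE_LOG)` to get the single WS01 alert; a signed, valid load with no preceding vulnerable-driver load on the same host produces nothing.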
According to Loman, this is the first time a Sophos research team has encountered a ransomware variant that carries its own legitimately signed third-party driver in order to compromise security software: "Completely removing the protections allows the free installation of any malware variant and lets it run smoothly," concludes the expert.
The International Institute of Cyber Security (IICS) notes that ransomware remains the main threat to computer users. Use of this malware increased considerably during 2019, and the early days of 2020 seem to foretell similar behavior.