September 27, 2020

Ransomware uses Gigabyte drivers vulnerability to directly kill the process of security software

2 min read

Most ransomware may be detected by security software before infection, so how to avoid detection or killing of security software is a headache for hackers.

However, related processes of security software cannot be directly killed. Killing secure software processes also requires kernel-level permissions to operate, but it was never expected that malicious software would actually succeed in gaining kernel-level permissions. This malware is RobbinHood ransomware, which successfully uses kernel-level permissions to kill security software processes.

In order to protect operating system security, Microsoft implements special permission control at the kernel level. Security software requires Microsoft’s common signature to obtain this permission. Security software will not be killed by ordinary processes after obtaining kernel-level permissions.

A Gigabyte driver was co-developed by Microsoft and is therefore signed by Microsoft. Unfortunately, this driver for Gigabyte has a known security vulnerability (CVE-2018-19320).

An attacker can use the vulnerability to disable the forced signature feature of the Microsoft driver, and if disabled, the attacker can customize the installation of malware with kernel permissions.

The developer of RobbinHood ransomware successfully obtained kernel permissions and then killed all security processes on the infected computer.

After killing the security process, RobbinHood ransomware can be operated without interference, including stealing confidential information and encrypting all files and extorting ransom to the victim.

With the rise of the ransomware industry, attackers are now investing more energy in their attacks, and this time using Gigabyte drivers is a superb example of attacks.  It can be said that this attack method bypasses the detection of endpoint protection software.

Via: Sophos