A ransomware strain dubbed “RobbinHood” is using a vulnerability in a “legitimate” and signed hardware driver to delete security products from targeted computers before encrypting users files, according to security researchers at Sophos.
The ransomware exploits a known vulnerability in the driver from Taiwan’s GIGABYTE to subvert a setting in kernel memory in Windows 10, 8 and 7, meaning it “brings its own vulnerability” and can attack otherwise patched systems.
(The vulnerability, found and published with proof-of-concept code by SecureAuth’s Diego Juarez in 2018, was disclaimed by the company, which told Juarez “its products are not affected by the reported vulnerabilities.” It later recanted.)
RobbinHood then drops a second, unsigned malicious driver into the system to complete its attack and encrypt files, having first disabled driver signature enforcement by changing a single byte that lives in kernel space. (Hardware drivers let an Operating System talk to a given device. The one in question was distributed with motherboards and graphics cards of the same brand, prior to the driver’s deprecation in early 2019).
The move is the latest worrying sign of how sophisticated ransomware authors are getting at finding ways to circumvent endpoint security protections. It comes after Sophos also spotted that the Snatch ransomware family had started to reboot target computers in “safe mode”, where security software doesn’t typically run.
Mark Loman, Sophos’s director of engineering, said: “Even if you have a fully patched Windows computer with no known vulnerabilities, the ransomware provides the attackers with one that lets them destroy your defenses.”
RobbinHood: Ransomware Authors Get Creative
The privilege escalation vulnerability in the GDRV.SYS driver allows reading and writing of arbitrary memory. The malware authors abuse this vulnerability, tracked as CVE-2018-19320, in order to (temporarily) disable driver signature enforcement in Windows; on-the-fly, in kernel memory. Once driver signature enforcement is disabled, the ransomware, which calls itself RobbinHood, then loads the second, unsigned driver into Windows that kills processes and files belonging to endpoint security products.
The initial driver is from a now-deprecated software package published by Taiwan-based motherboard manufacturer Gigabyte. Verisign, which digitally signed the driver, has not revoked the signing certificate, so the Authenticode signature remains valid. (Verisign has been contacted for comment by Computer Business Review).
The driver runs in kernel mode and is therefore “optimally positioned to take out processes and files without being hindered by security controls”, Sophos notes. Once the attackers make their landing they are then able to disable driver signature enforcement by changing a single variable (a single byte) that lives in kernel space.
“On Windows 7 (or older), this variable is called nt!g_CiEnabled (NTOSKRNL.EXE). On Windows 8 and 10, this variable is called ci!g_CiOptions (CI.DLL). In order to resolve the location of this variable, the attackers use a strategy taken from DSEFix.”
Sophos adds: “On Windows 8 or 10, the trick starts by loading the standard Windows component CI.DLL as a data library using DONT_RESOLVE_DLL_REFERENCES in their process. Once CI.DLL is loaded, they query the location of CI.DLL in kernel memory via the GetModuleBaseByName function.
“It uses NtQuerySystemInformation(SystemModuleInformation …) to get the kernel addresses of all loaded kernel modules.”
Loman said: “This is the first time we have seen ransomware bring its own legitimately signed, albeit vulnerable, third-party driver to take control of a device and use that to disable the installed security software, bypassing the features specially designed to prevent such tampering. Killing the protection leaves the malware free to install and execute the ransomware uninterrupted.”
The full technical write-up is here.