Lucifer Brings Cryptojacking and DDoS Attacks to Unpatched Systems

What Is It?

Researchers from Palo Alto Network’s Unit42 have described details about Lucifer, a new cryptojacking malware they discovered at the end of May 2020. Though the author named the malware Satan, this name had already been used for a widely-distributed ransomware variant. To avoid confusion, Unit42 renamed it Lucifer. Differentiating itself from the average cryptojacking malware, Lucifer includes the ability to participate in DDoS attacks and exploits at both infection and propagation vectors. It also possesses command and control (C2) functionality.

Though there are more severe potential consequences for compromised organizations than having infected systems participate in mining Monero crypto currency or DDoS attacks, Lucifer is a timely reminder that patching remains a critical component of a secure cyber security posture. Unit42 researchers actually discovered Lucifer when investigating the exploitation of the CVE-2019-9081 vulnerability in the Laravel Framework. This vulnerability was disclosed in February 2019 and is the most recent of those exploited by Lucifer. Other vulnerabilities exploited are found in web servers, frameworks and Windows including CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, CVE-2018-20062, CVE-2018-7600, CVE-2017-9791, CVE-2017-0144, CVE-2017-0145 and CVE-2017-8464.

Lucifer has multiple self-propagation functions. It contains a hardcoded list of common passwords and attempts to use these to brute force access to systems it scans with Remote Procedure Call (RPC) or MSSQL ports open. If a system has the default SMB port (445) open, Lucifer will attempt to use the DoublePulsar, EternalBlue and EternalRomance backdoors (as leaked by the Shadow Brokers in 2017) to spread. It will also scan for systems vulnerable to the exploits listed earlier.

On June 11, 2020, a new Lucifer variant added functionality to attempt to detect if it is running in a sandbox, along with the addition anti-debugging code and changes to the exploits it contains.

As with the original variant, Lucifer includes three components containing an XMRig miner for x86 systems, a x64 version of XMRig and SMB exploitation functionality.

How Does It Propagate?

Lucifer has several methods of self-propagation. It attempts to exploit a series of previously known vulnerabilities that have been patched within the past one to six years. It will also attempt to brute force logins using a hardcoded password list. Additionally, it attempts to utilize the DoublePulsar, EternalBlue and EternalRomance SMB backdoor exploits.

When/How Did BluVector Detect It?

Samples listed in the report from the first variant are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown these samples would have been detected an average of 34 months prior to their release.


Multiple new StrongPity APT Attacks Exposed

What Is It?

Within days of each other, researchers at both BitDefender and Cisco Talos have released details of separate campaigns attributed to the StrongPity APT (Advanced Persistent Threat) group. This group, also known as Promethium, has been active since 2012 and has continued to operate undaunted, despite numerous previously published research findings, potentially indicating a nation state-sponsored group. The first of these was in October 2016 by Kaspersky and related to attacks against targets in Italy and Belgium during the middle of 2016. This was followed by a report from Microsoft in December 2016 with Microsoft referring to the group as Promethium. Since then, StrongPity have been the subject of reports from ESET in December 2017, Citizen Lab in March 2018, Cylance in October 2018 and Alien Labs in July 2019.

BitDefender’s report concerns attacks against targets in Turkey and Syria beginning in October 2019. However, the location of the infected systems and the timing suggest StrongPity was acting in support of Turkish military activity, though it is unknown whether there is any direct affiliation. A watering hole attack was used to deliver trojanized versions of legitimate applications to users with IP addresses of interest. If a user was not in the target IP range, the legitimate application was provided. Applications include common, popular software such as 7-Zip, WinRAR, Recuva, TeamViewer, CCleaner and even McAfee Security Scan Plus. The purpose of the malware is to scan for files (generally documents) with specified extensions and exfiltrate them. Researchers also noticed the compilation times of the malware suggests that the APT’s actors work during normal business hours, Monday to Friday.

The campaign described by Cisco Talos, which they named StrongPity3, began in July 2019. While the campaign mainly targeted users in Canada, Columbia, India and Vietnam, it has also infected users in Turkey, South Africa, Russia, Poland, Germany, France, Italy and the Netherlands. The focus of the malware remains the same, to locate and exfiltrate all documents from infected systems. They found StrongPity3 utilized trojanized versions of Firefox, VPNPro, 5kPlayer and DriverPack. The trojanized Firefox installer will abort if it determines either BitDefender or ESET anti-virus software is installed on the system.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. StrongPity have frequently used trojanized versions of legitimate applications and watering hole attacks to compromise the target’s systems.

When/How Did BluVector Detect It?

BitDefender’s report contained 133 publicly available samples and Cisco Talos’ report listed 100 publicly available malicious samples. When regression tested, BluVector’s patented Machine Learning Engine (MLE) detected all samples from both campaigns. Average detection was 21 months prior to release in the case of the BitDefender samples and 28 months for the Cisco Talos samples.

Thanos/Hakbit Ransomware Uses RIPlace Evasion Method

What Is It?

A new ransomware, Thanos (named by its creator) was recently described by researchers from Recorded Future as the first ransomware variant that makes use of the RIPlace anti-ransomware evasion method.

Details of the RIPlace evasion method were released by Nyotron researchers in November 2019. Nyotron followed responsible disclosure practices and had advised numerous endpoint security vendors of the issue six months prior to publicly releasing the details. RIPlace allows ransomware to bypass anti-ransomware protections used by endpoint security products and by Windows 10 itself.

RIPlace uses a slight variation on a method that ransomware uses to replace the original file with an encrypted version. This method involves copying the encrypted file data from memory to a new file and then renaming that file to replace the original file. The RIPlace method creates a DOS device name that points to the original file and is passed to the rename command. It requires very little in the way of code changes. RIPlace also bypasses the Controlled Folder Access feature built into Windows 10.

Thanos was first discovered in January 2020 and sold on Russian hacker forums, using the RaaS (Ransomware as a Service) model. Researchers believe that Thanos was originally distributed privately in October 2019. Over time the ransomware has continued to be developed, with newer Thanos variants renamed to Hakbit.

As expected of RaaS malware, subscribers are given access to a tool in order to create their own specific variants of the ransomware. This allows them to choose various options relating to the configuration of the ransomware, including anti-analysis techniques, the filename extensions to encrypt, the filename extension to be added to encrypted files and a specific date and time when the encryption process will begin. This option gives attackers time to wait until the maximum number of endpoints in a network is infected and then have each endpoint encrypt files at the same time for maximum impact. Also optional is the exfiltration of files of certain file types via FTP prior to their encryption, as the threat of releasing these files publicly is then used in order to coerce the victim organization to pay the ransom in a timely manner. The ransomware can also be instructed via configuration to attempt to spread to other systems on the network, using the legitimate PSExec tool and wake-on-LAN magic packets.

One interesting option that attackers should use judiciously is setting a static password for file encryption, rather than the more secure choice of a randomly generated password which is then encrypted with the attacker’s RSA public key. If a static password is used and a sample of the ransomware used to encrypt a given set of files is identified and analyzed, it is highly likely the files could be decrypted. The inclusion of this option may be more appealing to less skilled attackers, for whom the concept of public/private key cryptography might be too advanced.

How Does It Propagate?

If enabled, the malware can make use of the legitimate PsExec command-line tool to copy and execute the ransomware on other network-connected devices. The most common attack vector for most initial ransomware infections remains social engineering, either as malicious attachments or downloads performed by malicious documents.

When/How Did BluVector Detect It?

A total of 42 publicly available samples of Thanos and Hakbit ransomware were listed in the Recorded Future research. BluVector’s patented Machine Learning Engine (MLE) detected them all, with regression testing showing the samples would have been detected an average of 67 months prior to their release.


Naikon APT Targets Asia Pacific Governments

Researchers from Check Point have detailed cyber espionage activities conducted during the past five years by the Naikon APT (Advanced Persistent Threat) group against the governments of Australia, Brunei, Myanmar, Indonesia, Philippines, Thailand and Vietnam.

What Is It?

Naikon have been observed utilizing several methods to infect targets, with the goal of installing their backdoor trojan, which has been named Aria-body. Through an email campaign, attackers use social engineering techniques to try and convince the recipient to open included attachments. The first of these is a RTF (Rich Text Format) document that has been weaponized with a tool called RoyalRoad.

When opened by the user, the attack begins. First, the document drops a downloader onto the user’s device, which then downloads the Aria-body backdoor. Then, a zip file containing a legitimate executable and a malicious downloader DLL file downloads Aria-body. Finally, a RAR archive file containing a legitimate executable and the Aria-body DLL is then downloaded. This last option was potentially used as Naikon were aware that email recipients would not be able to download these files over the internet.

Aria-body is a RAT (Remote Access Trojan), so named due to strings found in the code. It has functionality expected of a RAT, such as creation and deletion of files and directories, taking screenshots, searching for files, executing files and gathering system information. It has also been expanded over time, with variants adding the ability to gather information regarding USB devices, keylogging and a proxy. Gathered data is placed in a zip file which is encrypted with a random eight-character password. The password is then simply obfuscated by XORing it with a single byte and sent as part of the communication with the C2 (command and control) server.

The Naikon APT group was first discovered by researchers at Kaspersky in 2015 and were linked to China’s People’s Liberation Army’s Unit 78020. Their primary focus is gathering intelligence from governments and militaries in the South China Sea and Asia Pacific regions. After a report in September 2015 identified an individual member of Naikon, visible activity from the group appeared to have ceased. However, Checkpoint found that the group has continued to operate and develop new malware. During 2019 and into 2020, Naikon increased the frequency of its attacks.

How Does It Propagate?

The Aria-body malware does not self-propagate. The attack vector is emails containing malicious attachments that utilize social engineering techniques to convince recipients to open them.

When/How Did BluVector Detect It?

The components of these Naikon attacks have been regression tested against BluVector’s patented Machine Learning Engine (MLE). The malicious DLL files would have been detected an average of 55 months prior to their discovery in February and March of 2020 respectively. Though none of the malicious RTF documents used in these attacks are publicly available, recent samples of RoyalRoad RTF documents, similar to those used by Naikon, would have also been detected an average of 55 months prior to their discovery. Publicly available samples of the Aria-body malware used in these attacks would have been detected an average of 48 months prior to their discovery.


Cerberus Attacks Via Mobile Device Manager Server

What Is It?

A variant of the Cerberus banking trojan has been used in a targeted attack on a multinational organization’s mobile phones. Yet, the approach is completely new. Researchers at Proofpoint described an incident where the organization’s Mobile Device Manager (MDM) server was compromised and then used by attackers to infect their Android powered mobile devices with the Cerberus banking trojan. Researchers stated they had not previously seen an MDM server used as the attack vector for mobile malware.

When first executed, Cerberus displays a window purporting to be an update to the Accessibility service. This window will be redisplayed until the user accepts the update. Using the permissions granted to it, the malware is then able to automatically select menu options and bypass user interaction. The malware contacts its command and control server (C2) server to receive commands to upload details regarding the infected device, stolen data and credentials.

Currently, the organization’s MDM server was compromised by unknown means. With control of the MDM server, the attackers quickly began deploying Cerberus and infected 75% of the organization’s Android devices. As Cerberus malware is capable of sending all credentials used on an infected device to the C2, the organization made the decision to factory reset all its mobile devices enrolled with the compromised MDM server. Despite the financial implications of this decision – in terms of the time, resources and lost productivity – this was the only option available to ensure that all traces of the compromise and subsequent infections were removed.

Centralized management of all endpoint devices is commonplace due to the numerous advantages it provides when attempting to manage a large number of devices within a corporate environment. However, there is one significant disadvantage to this approach. If the management server is compromised, all those managed devices are now vulnerable to compromise via software update servers. Most notably, the initial propagation method for the devastating NotPetya malware in 2017 was a software update for a Ukrainian tax accounting product.

First released in June 2019, Cerberus is available to attackers using the highly popular MaaS (Malware as a Service) model. The new variant used in this MDM distribution attack extends the original banking trojan’s capabilities to include RAT (Remote Access Trojan). Cerberus gives attackers access to numerous sensitive information, such as text messages, credentials, call logs, Google Authenticator codes, details on installed applications, the phone unlocking patterns and logs all keystrokes. Full remote access to the infected device is also possible using the TeamViewer app.

How Does It Propagate?

In this case, the Cerberus variant was distributed by the organization’s own compromised MDM server.

When/How Did BluVector Detect It?

Three publicly available Android samples of the Cerberus banking trojan were listed as IOCs and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected 71 months prior to their release.

Asnarök Exploits Compromised Sophos Firewalls

What Is It?

The newly discovered Asnarök malware avoids the most common infection vectors (computer, server or mobile device) for a more uncommon device and informationally valuable device in any organization’s north-south connectivity – a network firewall.

The attackers exploited a previously unknown remote code execution SQL injection vulnerability by inserting a single line command into an existing database table. This command downloaded a shell script from a legitimate-sounding domain name and executed it. This script issued several SQL commands intended to modify the values of certain database elements. The script also created additional scripts, one of which was designed to ensure the malware was executed following each reboot, also known as “persistence.”

One of these additional scripts attempted to download and execute a malicious Linux ELF binary from the same legitimate sounding domain. The binary utilized techniques that are commonly seen in Windows malware, as it would delete itself from the firewall’s disc storage, leaving it only resident in memory and appearing in the process list using a name very close to a legitimate process. At a regular interval, the malware would attempt to connect to a specific IP address or another legitimate sounding domain name. It then attempted to download another Linux ELF binary, used for data exfiltration. A third Linux ELF binary was downloaded which attempted to download a further shell script, though the domain it attempted to contact was not active during the analysis timeframe. However, this domain did lead to Sophos to naming the malware used in this attack as “Asnarök.”

More specifically, this attack exploited a zero-day SQL injection vulnerability in Sophos XG firewalls in order to compromise the device. How was it discovered? After receiving a report from a customer that a suspicious string was visible in the management interface of the firewall, Sophos investigated. As it turned out, the attack caused the injected SQL command to be displayed on the management console on some of the firewall devices, thus alerting vigilant customers to the presence of suspicious activity.

The data exfiltration malware was specifically designed to collect device system information, as well as firewall usernames and encrypted passwords. This data was temporarily stored on the firewall, before being compressed and encrypted using “GUCCI” as a password and uploaded to a specific IP address. Once uploaded, the temporary file was deleted.

With admirable speed, Sophos deployed a hotfix to patch the vulnerability and mitigate any future attacks. They published an article detailing the attack which sought to steal sensitive information from the firewall.

How Does It Propagate?

The Asnarök malware does not self-propagate, the attackers exploited a zero-day SQL injection vulnerability in Sophos XG firewalls in order to compromise the device.

When/How Did BluVector Detect It?

The two publicly available Linux ELF executables samples used in this attack have been regression tested against BluVector’s patented Machine Learning Engine (MLE) and both would have been detected for 72 months prior to their release.

Maze Ransomware Ups the Stakes in Data Exfiltration Release

[Update April 20, 2020] In April 2020, Hammersmith Medicines Research, based in London, was attacked with Maze, just as it was ramping up its conversations with companies about running clinical trials for possible COVID-19 vaccines. As with other ransomware, Maze quickly infected Hammersmith’s systems, encrypting files, demanding a ransom, or, if no ransom happened, the attackers would release the company’s files on the open web.

Maze ransomware made headlines again recently with a successful and highly publicized attack on an extremely large and well-known IT services organization.

What Is It?

First discovered in late May 2019, the ransomware was originally referred to as ChaCha, due to its use of the cryptographic algorithm of the same name. However, the name Maze has been used by its creators and also appears in the ransom note.

Unlike other ransomware, there is no set ransom amount in Maze. Instead, victims need to contact the attackers to be informed of the amount, which is dependent on the number and type of systems encrypted. The text of the ransom note indicates that the attackers have gathered enough information to determine the role of the infected system. It includes the statement, “We know this computer is,” followed by one of six designations, such as “a server in a corporate network” and the generic “valuable for you.”

Maze ransomware uses several techniques to avoid analysis and detection on endpoints. The code contains a hashed list of various process names that it will terminate, including behavioral analysis tools. Other processes, such as database and productivity applications, are terminated to allow their files to be successfully encrypted. The malware will exit if it is running on a system using various Slavic languages. Some variants have also included text strings with messages directed at certain security researchers.

Three main infection vectors have been observed in Maze ransomware attacks. The first is the extremely popular vector of Microsoft Word documents containing malicious macros, resulting in the download and execution of Maze. The popularity of this vector among threat actors is due to its, relatively speaking, high success rate. In addition, the ease of customizing the content in the Word document and the email it is attached to can suit various campaigns or specific organizations. The second vector is compromising internet-facing RDP (Remote Desktop Protocol) connections utilizing poor passwords. The third vector, which has been diminishing in popularity but is still clearly effective, is the use of exploit kits, mainly Spelevo and Fallout.

Maze became more prominent in the latter part of 2019 – notably as the subject of an FBI alert released in late December 2019 - and continues that trajectory into 2020.

Most of the later Maze infections resulted in the attackers exfiltrating data from victims. They use this data to apply additional pressure on victims to pay the ransom by threatening to release the data publicly unless the ransom is paid. This is no idle threat. In November 2019 approximately 700MB of files were stolen from Allied Universal, a large facilities management company. Maze attackers told Bleeping Computer they asked for US$2.3 million in ransom. Allied Universal replied that it would pay no more than $50,000. So, the attackers released those stolen documents publicly.

Data from other Maze victims, including wire and cable manufacturer Southwire and the City of Pensacola, have also been released. In those cases, the attackers released 2GB of files out of the 32GB they claimed to have stolen. This technique has since been adopted by ransomware including Nefilim, CLOP and Sekhmet.

How Does It Propagate?

Though Maze does not contain the necessary code to self-propagate, it is capable of encrypting all attached network shares on an infected system. Maze infections generally utilize one of three main attack vectors, malicious Word documents attached to spam, poorly secured internet-facing RDP connections and exploit kits.

When/How Did BluVector Detect It?

Several recent, publicly available samples of Maze ransomware have been regression tested against BluVector’s patented Machine Learning Engine (MLE) and would have been detected an average of 71 months prior to their release.


MBRLocker Attackers Using COVID-19 Lures

What Is It?

Recently BleepingComputer reported on a number of new variants of MBRLocker malware, which have been sourced to a tool that was made available via YouTube and Discord. At least one of these used the COVID-19 pandemic as a lure. Due to the tool’s ease of use, the creators of these variants are believed to be “script kiddies” who are confined and looking for ways to “entertain” themselves.

The term “script kiddies” was long ago coined to refer to individuals who lacked the technical skills and understanding to develop their own malicious code and instead made use of existing malware. Often these individuals are young, hence the term.

The installer for the COVID-19 variant of MBRLoader uses the filename “COVID-19.exe” and makes coronavirus references including extracting itself to a “COVID-19” directory in the root directory. Once installed, it configures itself to start on boot up and restarts the system. On reboot an image file showing a rendering of the coronavirus itself along with text that states, “coronavirus has infected your PC!” Security researchers found that the malware makes a backup copy of the current Master Boot Record (MBR) and then overwrites the Windows-based device’s MBR with a custom version. The device then reboots again with a new MBR displaying a screen stating, “Your Computer Has Been Trashed.” On the surface, this statement appears to be true. Thankfully, the reality isn’t so bad.

Reverse engineering performed by researchers at Avast found a built-in backdoor that can easily revert the system back to its original MBR. The backdoor is activated by pressing the CTRL, ALT and ESC keys at the same time. The backdoor is a case of simple if you know how, you can easily fix it. For victims unaware of this, particularly with the current global stresses, being unable to boot into their Windows system (personal or work machines) represents a significant potential for disruption.

Numerous variants have been identified, all using different MBR screens and messages, including popular memes. It is believed that, in general, these variants are being distributed privately, however it is entirely possible they will be used maliciously in public distribution. As such, it would be prudent to keep the backdoor key sequence in mind in case you or your users are infected with MBRLocker.

How Does It Propagate?

While the distribution mechanism is not currently known, it would likely utilize social engineering lures including references to the coronavirus pandemic. The malware does not contain the necessary code to self-propagate.

When/How Did BluVector Detect It?

Seven samples of these MBRLocker variants were listed and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average 54 months prior to release.

Malware Referencing Coronavirus

What Is It?

Since the first reports of coronavirus began emerging in early January 2020, it was guaranteed that cyber attackers would attempt to leverage the subject as part of the social engineering aspects of their attacks. This is especially true now that coronavirus has altered the lives of billions of people in unprecedented ways.

Social engineering is the act of exploiting human psychology in order to gain a desired outcome. It is not exclusively limited to cyberattacks, though they are often mistakenly linked. In the case of attacks referencing coronavirus, attackers attempt to exploit potential victims’ understandable fears, concerns and heightened desire for news. Attackers are also aware that given the stresses and upheavals that the impact of coronavirus is having, potential victims may exercise less caution when reading their email and thus be more susceptible to basic social engineering techniques.

In fact, in many of the campaigns referencing coronavirus, only the social engineering component has evolved. The underlying malware used in these attacks were new variants of existing malware families that were already detected by BluVector’s patented Machine Learning Engine (MLE).

Emotet, Nanocore and Parallax in Spam

The Cisco TALOS team found malicious spam email campaigns attempting to spread variants of Emotet trojan, Nanocore RAT (Remote Access Trojan) and Parallax RAT. They also discovered a piece of destructive wiper malware where the filename translated into English was "coronavirus.exe." Their research included a list of 90 publicly available sample files related to these campaigns. All of the samples were detected by BluVector’s MLE with regression testing showing a detection average of 31 months prior to their release.

Another, unrelated Emotet campaign using a coronavirus lure was associated with four publicly available files, which our BluVector MLE regression testing showed would also have been detected 31 months prior to their release.

Folding@Thome Campaign Offers Info-stealing Trojan

Proofpoint researchers discovered a new information and credential stealing trojan named “Redline Stealer,” which was being offered for sale on Russian underground forums. In early March, an email campaign pretended to be sent by the genuine distributed computing project Folding@home, though it was misspelt as Folding@Thome. In the email body, users were asked to put their unused computer processing power to help to fight coronavirus. Clicking the link resulted in the installation of Redline Stealer, which is capable of collecting sensitive data from browsers and other applications along with the downloading and running of files. Of the two publicly available samples, BluVector’s MLE detected both at an average of 29 months prior to their release.

APT36 Targeting India-based Government Entities

Researchers at Malwarebytes found a spear phishing email campaign they have attributed to the APT36 group, which is believed to be Pakistan-based and focused on attacking India-based government entities. The attached malicious documents claim to be a health advisory from the Indian government, but contain macros resulting in the installation of a variant of Crimson RAT. This malware creates a backdoor on infected systems and is used to extract credentials and exfiltrate data files. When regression testing was performed on the four publicly available samples related to this campaign, all were detected by BluVector’s MLE at an average of nine months prior to their release.

Remcos RAT Pretends to be Safety PDF

A submission to their free Yomi Hunter sandbox service, led researchers from Cybaze/Yoroi Zlab to a file with the clearly suspicious name of CoronaVirusSafetyMeasures_pdf.exe. They found this sample to be an obfuscated dropper for the Remcos RAT, one of its main functions being the logging of keystrokes, along with audio and video capture. Regression testing found the sample was detected by BluVector’s MLE at 74 months prior to its release.

Coronavirus Map Site Delivers AZORult

Researchers at Reason Security found a sample where attackers had weaponized an application that displays a map of global coronavirus infections. This application, while displaying the map, installs a variant of the AZORult information stealer in the background. AZORult is capable of extracting stored credentials, credit card number and other information, including cryptocurrency wallets. Regression testing found the six samples listed were detected by BluVector's MLE at an average of 23 months prior to their release.

RobbinHood Ransomware Utilizes Gigabyte Driver Vulnerability

What Is It?

A new RobbinHood ransomware variant makes use of a benign Windows driver file containing a known vulnerability. In this case, the ransomware exploits this vulnerability in order to kill running processes and files of various endpoint security software, allowing the ransomware component to run unhindered.

It’s a good example of the continuous evolution and innovation of malicious attackers in order to ensure their malware is able to evade detection by various security products and infrastructure. Most often, these efforts are directed towards evasion of detection on the endpoint itself. In recent days, numerous reports have referenced research detailed by Sophos into this new Robbinhood ransomware variant, a new example of endpoint detection evasion.

To be effective, Windows security products take steps to ensure their running processes cannot simply be terminated by other processes and users. This can only be achieved by utilizing kernel mode drivers, which execute with the highest privilege levels. To limit the possibility of malicious kernel mode drivers being loaded, 64-bit versions of Windows Microsoft implemented what they call “driver signature enforcement,” which requires that the driver must be digitally signed by both the vendor and Microsoft themselves.

However, a driver created by Gigabyte, the well-known Taiwanese manufacturer of motherboards and graphics cards, contains a known vulnerability (CVE-2018-19320). This vulnerability, along with proof-of-concept code, was made public in late 2018. Despite the time which has passed since this public disclosure, the digital signing certificate had not been revoked, therefore the driver was still considered valid by Windows.

By exploiting the vulnerability, attackers were able to temporarily disable driver signature enforcement and load their own malicious driver. Once the malicious driver is loaded, it uses a hardcoded list of security product processes to terminate and then it deletes the files associated with those process, so they cannot be restarted. At this point, the ransomware payload is free to encrypt files.

The Gigabyte driver used in this attack is not the only driver with a vulnerability of this type, so there is the potential for other attackers to attempt to use a similar technique. Again, this technique attempts to evade endpoint detection and protection mechanisms, BluVector’s real-time, network-based detection efficacy is not impacted.

How Does It Propagate?

The RobbinHood malware does not contain the necessary code to self-propagate. The most common attack vector for ransomware is social engineering, either as malicious attachments or downloads performed by malicious documents.

When/How Did BluVector Detect It?

There are three malicious samples related to this malware, BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown these samples would have been detected an average of 56 months prior to their release. The main malicious sample contains the other two malicious samples within itself and this sample would have been detected 75 months prior to its release.