The exact initial access vector used to deploy the malware remains unclear, and no specific information is available regarding the campaign’s scope or intended targets. However, the sophisticated use of BYOVD highlights an alarming trend in the cybersecurity landscape, where threat actors exploit signed but vulnerable drivers to evade detection. This method not only neutralizes protective software but also provides attackers with a stealthy pathway to system control, paving the way for more severe exploits, including ransomware.

This campaign is reminiscent of earlier threats, such as the GHOSTENGINE malware disclosed by Researcher in May, which similarly exploited the Avast driver to disable security measures. These recurring instances underline the critical risk posed by BYOVD techniques emphasizing the need for enhanced monitoring and stricter scrutiny of trusted drivers to safeguard against such exploitation.

Impact

• Security Bypass
• Unauthorized Gain Access

Indicators of Compromise

MD5

• 40439f39f0195c9c7a3b519554afd17a
• a179c4093d05a3e1ee73f6ff07f994aa

SHA-256

• e882af8b945c92e5a7dd337378e6a8bffc2b93f1e2719e853d756123cc8ab947
• 4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1

SHA1

• 7fbf4b4dab1cc9ee818b0812f3e4e2bd4a55b1c2
• 5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure all operating systems and software are up to date with the latest security patches.
• Employ reliable antivirus and antimalware software to detect and block known threats.
• Regularly update these tools to maintain the latest threat intelligence.
• Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
• Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
• Segment your network to limit lateral movement for attackers.
• Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
• Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
• Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.