BlackByte Ransomware Bypasses EDR Products via RTCore64.sys Abuse


BlackByte Ransomware Group strikes back with a new variant. The authors of the latest variant found a new and sophisticated way to bypass Endpoint Detection and Response (EDR) products by abusing a well-known driver vulnerability, CVE-2019-16098. The new version of BlackByte ransomware allows adversaries to read and overwrite the kernel memory that the drivers EDR products rely on use to provide protection.

Picus Threat Library already had attack simulations for earlier variants of BlackByte ransomware. Picus Labs added attack simulations for the latest variants of BlackByte ransomware to Picus Threat Library.


What Is New in BlackByte Ransomware?

BlackByte Ransomware Group added a sophisticated defense evasion technique that researchers call "Bring Your Own Driver" to their new ransomware variant. This security control bypass technique disables a list of over 1000 drivers that many security solutions depend on to provide protection. The most notable change in the new variant is the exploitation of a vulnerable driver called RTCore64.sys.

RTCore64.sys is a kernel mode driver used by Micro-Star MSI AfterBurner, a graphics card utility that gives you extended control over the graphics cards on the system. In September 2019, a local privilege escalation vulnerability with a CVSS score of 7.8 (High) was found in the driver. CVE-2019-16098 allows an authenticated user to read and write arbitrary memory on the target system, a primitive commonly leveraged in privilege escalation and code execution scenarios.

Deep Dive into CVE-2019-16098

Analysis shows that the I/O control codes within Micro-Star MSI AfterBurner's vulnerable driver, RTCore64.sys, are directly accessible from user-mode processes. Thus, exploiting the vulnerability is not technically difficult, because adversaries can send the control codes directly [1]. The attack flow consists of two main phases. In this section, we dive into each phase and its sub-steps.

The First Phase

In this phase, BlackByte malware identifies the version of ntoskrnl.exe to select the matching kernel ID. To extract the version information from the file, the ransomware uses the built-in Windows function GetFileVersionInfoW(). The version information is then concatenated with the prefix ntoskrnl_ to form a string. For instance, if the version of ntoskrnl.exe is 19041-685, the formed string is ntoskrnl_19041-685.exe.

The malware then compares this string against a list of supported kernel IDs, which is stored Base64-encoded in the binary.

Figure 1: Attack flow of the first phase

The list of supported kernel version IDs is embedded in the binary and is recovered by Base64-decoding it and then decrypting the result with an 8-byte XOR key. Once the ntoskrnl.exe version is determined, the malware selects the offsets that match the kernel ID. This step matters to the adversary because the offsets locate the relevant structures in kernel memory.

In the picture above, we see the offsets that are provided for a kernel ID. 

  • PspCreateProcessNotifyRoutineOffset
  • ntoskrnlVersion
  • PspCreateThreadNotifyRoutineOffset
  • PspLoadImageNotifyRoutineOffset
  • _PS_PROTECTIONOffset
  • EtwThreatIntProvRegHandleOffset
  • EtwRegEntry_GuidEntryOffset
  • EtwGuidEntry_ProviderEnableInfoOffset
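To make the first phase concrete, here is an added Python sketch (not code from the post, and not the malware's own) that forms the kernel ID string from a file version, decodes a Base64-plus-8-byte-XOR list the way the text describes, and looks up an offset set. The XOR key, the list layout (one ID per line), the offset values and the reading of "19041-685" as build and revision are constructed assumptions.

```python
import base64


def kernel_id_from_version(file_version: str) -> str:
    """Form the kernel ID string from an ntoskrnl.exe file version.

    Assumption (not stated on the page): "19041-685" is the build and
    revision fields of a dotted file version such as 10.0.19041.685.
    """
    parts = file_version.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected file version: {file_version!r}")
    return f"ntoskrnl_{parts[2]}-{parts[3]}.exe"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (symmetric, so it also builds samples)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_kernel_id_list(blob_b64: str, key: bytes) -> list[str]:
    """Base64-decode the embedded blob, then XOR it with the 8-byte key.

    The plaintext layout (one kernel ID per line) is a constructed assumption.
    """
    if len(key) != 8:
        raise ValueError("expected an 8-byte XOR key")
    plain = xor_repeating(base64.b64decode(blob_b64), key)
    return [line for line in plain.decode("ascii").splitlines() if line]


def select_offsets(file_version: str, blob_b64: str, key: bytes, offsets_by_id: dict):
    """Return the offset set for this kernel, or None if it is unsupported."""
    kernel_id = kernel_id_from_version(file_version)
    if kernel_id not in decode_kernel_id_list(blob_b64, key):
        return None
    return offsets_by_id.get(kernel_id)


# Constructed sample: key, list and offsets are placeholders, not the malware's.
SAMPLE_KEY = b"ConstrKy"
SAMPLE_BLOB = base64.b64encode(
    xor_repeating(b"ntoskrnl_19041-685.exe\nntoskrnl_22000-493.exe\n", SAMPLE_KEY)
).decode("ascii")
SAMPLE_OFFSETS = {
    "ntoskrnl_19041-685.exe": {
        "PspCreateProcessNotifyRoutineOffset": 0x0,  # placeholder value
        "PspCreateThreadNotifyRoutineOffset": 0x0,  # placeholder value
    },
}
```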

Once the kernel ID and the correct offsets are selected, the BlackByte ransomware drops RTCore64.sys into the "AppData\Roaming" folder. The file's name, RTCore64.sys, is hardcoded into the binary, and its extension is omitted.

Then, a service is created. While the service name is always the same, the display name is selected randomly from a fixed list. Although the names in the list look bizarre, security teams can use them in threat hunting. Some display name examples are given below.

  • I'm so lonely, help me.
  • Stop doing this, go away, they are waiting for you at home.
  • You laugh a lot, because you simply don't have the strength to cry.
  • If I had feelings, then I would probably be happy and scared at the same time.
  • Who are you? However, it doesn't matter. Nobody ever cares about you.
  • AAAAAAAAAAAAAA!!!!!!!!!!!!!!!
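The dropped driver path and the odd display names give defenders two hunting pivots. The following added Python example (not from the post) applies them to constructed Win32_Service-style records and also flags any kernel driver started from a user profile directory; the MSI Afterburner install path and the service names in the sample are assumptions.

```python
import re
from typing import Iterable

# Display names the post lists for the service BlackByte creates.
BLACKBYTE_DISPLAY_NAMES = {
    "I'm so lonely, help me.",
    "Stop doing this, go away, they are waiting for you at home.",
    "You laugh a lot, because you simply don't have the strength to cry.",
    "If I had feelings, then I would probably be happy and scared at the same time.",
    "Who are you? However, it doesn't matter. Nobody ever cares about you.",
    "AAAAAAAAAAAAAA!!!!!!!!!!!!!!!",
}

# A kernel driver has no business being started from a user profile directory.
USER_PROFILE_PATH = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_services(services: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (Name, reason) for records matching the BlackByte pattern.

    Records use Win32_Service-style fields: Name, DisplayName, PathName,
    ServiceType. The first matching rule wins, so each service is reported once.
    """
    hits = []
    for svc in services:
        path = svc.get("PathName") or ""
        is_driver = "driver" in (svc.get("ServiceType") or "").lower()
        if svc.get("DisplayName") in BLACKBYTE_DISPLAY_NAMES:
            hits.append((svc["Name"], "display name from BlackByte list"))
        # The post says the extension is omitted, so match on the stem only.
        elif _basename(path).startswith("rtcore64") and USER_PROFILE_PATH.search(path):
            hits.append((svc["Name"], "RTCore64 driver staged under AppData"))
        elif is_driver and USER_PROFILE_PATH.search(path):
            hits.append((svc["Name"], "kernel driver started from a user profile"))
    return hits


# Constructed sample inventory (not real telemetry); the MSI Afterburner
# install path and the BlackByte service name are assumptions.
SAMPLE_SERVICES = [
    {"Name": "RTCore64", "DisplayName": "RTCore64", "ServiceType": "Kernel Driver",
     "PathName": r"C:\Program Files (x86)\MSI Afterburner\RTCore64.sys"},
    {"Name": "ConstructedSvc", "DisplayName": "I'm so lonely, help me.",
     "ServiceType": "Kernel Driver", "PathName": r"C:\Users\alice\AppData\Roaming\RTCore64.sys"},
    {"Name": "UpdHelper", "DisplayName": "Update Helper", "ServiceType": "Kernel Driver",
     "PathName": r"C:\Users\bob\AppData\Roaming\RTCore64"},
    {"Name": "Spooler", "DisplayName": "Print Spooler", "ServiceType": "Own Process",
     "PathName": r"C:\Windows\System32\spoolsv.exe"},
]
```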

The Second Phase

Now that the correct offsets are selected and the service is installed on the victim, the malware starts to remove callbacks from kernel memory. This is the phase where adversaries exploit the read and write vulnerability within the RTCore64.sys driver to remove the kernel notify routines.

Figure 2: Kernel Notify Routine on a High Level

Recall from Figure 1 that there were at least three arrays containing the addresses of callback functions.

Figure 3: Arrays that contain addresses to callback functions

To remove these callbacks, the BlackByte malware needs to complete a three-step attack flow. 

Phase 2 - Step 1: In this step, the malware has to identify the address of the PspCreateProcessNotifyRoutine array. Recall how the malware identified the kernel version and selected the correct offsets from the hardcoded list in the first phase of the attack.

For each array being iterated, a different offset is used, leading to that particular array. With the offset for the array in hand, the BlackByte malware uses the native Windows function EnumDeviceDrivers() to retrieve the base address of the kernel, ntoskrnl.exe. It then adds the offset to the kernel base address to obtain the pointer to the corresponding notify routine array, PspCreateProcessNotifyRoutine, which holds all callbacks registered via PsSetCreateProcessNotifyRoutine [1].

Figure 4: The process of retrieving the address of the PspCreateProcessNotifyRoutine array [1]

Phase 2 - Step 2: In this step, the BlackByte malware has to identify whether the callback function belongs to a driver that EDR products rely on.

In Step 1, we explained how the BlackByte malware uses the native Windows function EnumDeviceDrivers() to fetch the base address of the kernel, ntoskrnl.exe; the same call returns the base addresses of all loaded drivers. Each fetched base address is compared against the callback function address, and the one with the smallest delta to the callback address is passed to another built-in Windows function, GetDeviceDriverBaseNameW(). As its name suggests, it returns the name of the corresponding driver.

Having the driver's name, BlackByte malware compares it to a long list of over 1000 driver names. If the malware finds a match, it will continue with the last step to remove the callback.

Phase 2 - Step 3: In the final step, the BlackByte malware removes the callback entry from the PspCreateProcessNotifyRoutine array by overwriting it. The overwrite is performed by calling another built-in Windows function, DeviceIoControl(), to interact with the vulnerable driver, RTCore64.sys. In the end, the element holding the address of the driver's callback function is overwritten with zeros.

How Does Picus Help Simulate BlackByte Ransomware Attacks?

We also strongly suggest simulating BlackByte ransomware attacks with the Picus Complete Security Validation Platform to test the effectiveness of your security controls against ransomware. You can test your defenses against BlackByte ransomware and hundreds of other ransomware families, such as Clop, Snatch, and Black Basta, within minutes with our 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for BlackByte ransomware: 

| Threat ID | Action Name | Attack Module |
|---|---|---|
| 87523 | BlackByte Ransomware Campaign 2021 | Endpoint |
| 10040 | BlackByte Ransomware Email Threat Test | Email Infiltration (Phishing) |
| 51353 | BlackByte Ransomware Email Threat | Email Infiltration (Phishing) |
| 65501 | BlackByte Ransomware Download Threat | Network Infiltration |

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address BlackByte ransomware and other ransomware attacks in preventive security controls. Picus Labs has currently validated the following signatures for BlackByte ransomware:

| Security Control | Signature ID | Signature Name |
|---|---|---|
| Check Point NGFW | 092480E55 | Trojan-Ransom.Win32.Blackbyte.TC.s |
| Check Point NGFW | 080B68386 | Ransomware.Win32.BlackByte.TC.b |
| Check Point NGFW | 09734D5D3 | Trojan.Win32.Agent.xaoojx.TC.46ecaIeD |
| Check Point NGFW | 0921B56E0 | Trojan-Ransom.Win64.Blackbyte.k.TC.1e24wWtZ |
| Check Point NGFW | 0D14C6A2C | Trojan.Win32.moslrc.TC.f619SFyi |
| Check Point NGFW | 0BBEEE19B | TS_Trojan.Win32.AMSIBypass.TC.d2b0zeNY |
| Check Point NGFW | 0BB1BD767 | Ransomware.Win32.BlackByte.TC.p |
| Cisco Firepower | | W32.6F36A4A136-100.SBX.VIOC |
| Cisco Firepower | | W32.Auto:1df11bc19a.in03.Talos |
| Cisco Firepower | | GenericKD:Artemis-tpd |
| Cisco Firepower | | W32.Auto:ffc4d94a26.in03.Talos |
| Cisco Firepower | | Artemis:Win64-tpd |
| Cisco Firepower | | W32.BlackByte.TII.Talos |
| Forcepoint NGFW | | File_Malware-Blocked |
| Fortigate AV | 5602828 | W64/Agent.CH!tr |
| Fortigate AV | 10079560 | W64/BlackByte.DC56!tr.ransom |
| Fortigate AV | 58991 | W32/PossibleThreat |
| Fortigate AV | 10994 | W32/Agent.CH!tr |
| Fortigate AV | 10062683 | W32/Agent.CH!dam |
| Fortigate AV | 10079568 | RTF/BlackByte.DC56!tr.ransom |
| McAfee vNSP | 0x4840c900 | MALWARE: Malicious File Detected by GTI |
| Palo Alto Networks | 452446226 | trojan/Win32 EXE.mbt.th |
| Palo Alto Networks | 452446229 | trojan/Win32 EXE.mbt.sb |
| Palo Alto Networks | 488263358 | Trojan/Win32.tnega.lg |
| Palo Alto Networks | 488262866 | trojan/Win32 EXE.possiblethreat.hke |
| Palo Alto Networks | 488284721 | trojan/Win32.blackbyte.a |
| Palo Alto Networks | 452446295 | trojan/Win32 EXE.mbt.tg |
| Palo Alto Networks | 473775059 | trojan/Win32.blackbyte.b |

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Control Validation Platform.

Indicators of Compromise


References

[1] A. Klopsch, "Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse," Sophos News, Oct. 04, 2022. [Online]. Available: https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/. [Accessed: Oct. 06, 2022]