This devious malware is able to disable your antivirus

Threat actors have found a way to disable antivirus solutions and other endpoint protection tools using an increasingly popular method.  ...

Threat actors have found a way to disable antivirus solutions and other endpoint protection tools using an increasingly popular method. 

Cybersecurity researchers from Sophos recently detailed how the method, known as called Bring Your Own Vulnerable Driver, works, and the dangers it brings to businesses around the world.

According to the company’s research, ransomware operators BlackByte are abusing a vulnerability tracked as CVE-2019-16098. It is found in RTCore64.sys and RTCore32.sys, drivers used by Micro-Star’s MSI AfterBurner 4.6.2.15658. Afterburner is an overclocking utility for GPUs, that gives users more control over the hardware. 

Blocking the drivers

The vulnerability allows authenticated users to read and write to arbitrary memory, consequently leading to privilege escalation, code execution, and data theft - and in this case, helped BlackByte disable more than 1,000 drivers that security products need to run. 

“Chances are good that they will continue abusing legitimate drivers to bypass security products,” Sophos said in a blog post outlining the threat.

To protect against this new attack method, Sophos suggests IT admins add these particular MSI drivers to an active blocklist and make sure they aren’t running on their endpoints. Furthermore, they should keep a close eye on all drivers being installed on their devices, and audit the endpoints regularly to look for rogue injections without a hardware match.

Bring Your Own Vulnerable Driver might be a new method, but its popularity is rising, fast. Earlier this week, a notorious North Korean state-sponsored threat actor Lazarus Group was observed using the same technique against Dell. Cybersecurity researchers from ESET have recently seen the group approach aerospace experts and political journalists in Europe with fake job offers from Amazon. They would share fake job description pdfs, which are essentially old, vulnerable Dell drivers. 

What makes this technique particularly dangerous is the fact that these drivers aren’t malicious per se, and as such, are not flagged by antivirus solutions. 

Via: BleepingComputer



from TechRadar - All the latest technology news https://ift.tt/PKJkEev
via IFTTT

COMMENTS

BLOGGER
Name

Apps,3858,Business,151,Camera,1155,Earn $$$,3,Gadgets,1741,Games,926,GTA,1,Innovations,3,Mobile,1697,Paid Promotions,5,Promotions,5,Sports,1,Technology,8106,Trailers,796,Travel,37,Trending,4,Trendly News,25335,TrendlyNews,110,Video,5,XIAOMI,13,YouTube - 9to5Google,109,
ltr
item
Trendly News | #ListenNow #Everyday #100ShortNews #TopTrendings #PopularNews #Reviews #TrendlyNews: This devious malware is able to disable your antivirus
This devious malware is able to disable your antivirus
Trendly News | #ListenNow #Everyday #100ShortNews #TopTrendings #PopularNews #Reviews #TrendlyNews
http://www.trendlynews.in/2022/10/this-devious-malware-is-able-to-disable.html
http://www.trendlynews.in/
http://www.trendlynews.in/
http://www.trendlynews.in/2022/10/this-devious-malware-is-able-to-disable.html
true
3372890392287038985
UTF-8
Loaded All Posts Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS PREMIUM CONTENT IS LOCKED STEP 1: Share. STEP 2: Click the link you shared to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy