Project Hyphae

BYOVD Attacks: Strategies and Insights on Vulnerable Driver Exploits


BYOVD (Bring Your Own Vulnerable Driver) attacks involve threat actors using known vulnerable drivers to gain kernel-level privileges on a compromised machine. This access allows them to hide malware, dump credentials, and attempt to disable Endpoint Detection and Response (EDR) solutions. With 364 vulnerable drivers listed on loldrivers.io, these attacks have increased in popularity among ransomware operators and lower-tier attackers. Various campaigns, including RobbinHood and BlackByte ransomware, have exploited legitimate drivers for these purposes.

The emergence of off-the-shelf BYOVD kits, such as the “Terminator” tool advertised on criminal forums, has further facilitated the spread of these attacks. Terminator exploits vulnerabilities in Zemana Anti-Logger or Anti-Malware drivers, allowing attackers to bypass security measures by adding their process to an allow list through specific IOCTL codes. Successful exploitation requires administrative privileges and potentially a User Account Control (UAC) bypass.

In response, vendors like Sophos have investigated and developed protections against variants of these drivers. Meanwhile, threat actors continue to explore new methods, including the development of malicious drivers from scratch.

Mitigations and protection strategies against BYOVD attacks require a multifaceted approach. Because these drivers are legitimate, signed software, simply blocking them outright can be counter-productive. A proactive stance includes keeping up to date with known vulnerable drivers, implementing tamper protection, maintaining Windows security role hygiene, updating the OS and applications, and treating vulnerable drivers as findings within the vulnerability management program. Sophos emphasizes the importance of behavioral protection rules and Adaptive Attack Protection, and observes that BYOVD attacks do not occur in isolation: the surrounding activity of exploitation, lateral movement, persistence establishment, and privilege escalation gives defenders opportunities to detect and block the attack.
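The two mitigation steps above that a team can automate are matching driver-load telemetry against a known-vulnerable-driver list and auditing drivers already on disk for vulnerability management. The script below is an added example written for this page; it is not code from Sophos, Project Hyphae, or loldrivers.io. It assumes a simplified blocklist shape of `{sha256: description}` (the real loldrivers.io feed has its own schema and must be mapped into that shape), and the driver bytes and Sysmon-style `EventID=6` (DriverLoad) log lines are constructed here so the example runs offline.

```python
"""Check driver-load telemetry and an on-disk driver inventory against a
known-vulnerable-driver hash list (a BYOVD exposure check)."""
import hashlib
import re
from typing import Dict, Iterable, List

# Constructed stand-ins for real .sys file contents. The blocklist hashes
# below are computed from these bytes so everything runs offline; in a real
# deployment the hashes come from a feed such as loldrivers.io.
SAMPLE_DRIVER_BYTES: Dict[str, bytes] = {
    "known_vulnerable_example.sys": b"constructed: vulnerable driver stand-in",
    "benign_example.sys": b"constructed: benign driver stand-in",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_blocklist(entries: Iterable[dict]) -> Dict[str, str]:
    """Normalise feed entries into {lowercase sha256: description}.

    Assumed entry shape: {"sha256": "<hex>", "description": "<text>"}.
    """
    return {e["sha256"].lower(): e.get("description", "unknown") for e in entries}


# Constructed blocklist with a single entry for the vulnerable stand-in.
BLOCKLIST = build_blocklist([
    {
        "sha256": sha256_hex(SAMPLE_DRIVER_BYTES["known_vulnerable_example.sys"]),
        "description": "constructed entry: driver exposing an unrestricted IOCTL",
    },
])

_VULN_HASH = sha256_hex(SAMPLE_DRIVER_BYTES["known_vulnerable_example.sys"])
_BENIGN_HASH = sha256_hex(SAMPLE_DRIVER_BYTES["benign_example.sys"])

# Constructed log lines in a Sysmon Event ID 6 (DriverLoad) style, flattened to
# key=value pairs. Note the vulnerable driver is *validly signed*: signature
# status alone does not reveal a BYOVD driver, the hash list does.
SAMPLE_DRIVER_LOAD_LOG: List[str] = [
    f"EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\benign_example.sys "
    f"Hashes=SHA256={_BENIGN_HASH} Signed=true SignatureStatus=Valid",
    f"EventID=6 ImageLoaded=C:\\Users\\Public\\known_vulnerable_example.sys "
    f"Hashes=SHA256={_VULN_HASH} Signed=true SignatureStatus=Valid",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'Key=Value Key=Value' into a dict (values contain no spaces here)."""
    return dict(KV_RE.findall(line))


def sha256_from_hashes(field: str) -> str:
    """Extract the SHA256 value from a Sysmon 'Hashes' field like
    'MD5=...,SHA256=...'; returns '' when no SHA256 is present."""
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo.upper() == "SHA256":
            return value.lower()
    return ""


def scan_driver_loads(lines: Iterable[str], blocklist: Dict[str, str]) -> List[dict]:
    """Detection side: flag DriverLoad events whose hash is on the blocklist."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "6":
            continue  # only driver-load events are relevant here
        digest = sha256_from_hashes(ev.get("Hashes", ""))
        if digest in blocklist:
            findings.append({
                "path": ev.get("ImageLoaded", ""),
                "sha256": digest,
                "signed": ev.get("Signed", ""),
                "reason": blocklist[digest],
            })
    return findings


def audit_inventory(drivers: Dict[str, bytes], blocklist: Dict[str, str]) -> Dict[str, str]:
    """Vulnerability-management side: hash drivers already present on a host
    and report those on the blocklist as findings to track."""
    report = {}
    for name, content in drivers.items():
        digest = sha256_hex(content)
        if digest in blocklist:
            report[name] = blocklist[digest]
    return report


if __name__ == "__main__":
    for f in scan_driver_loads(SAMPLE_DRIVER_LOAD_LOG, BLOCKLIST):
        print(f"ALERT vulnerable driver loaded: {f['path']} ({f['reason']})")
    for name, why in audit_inventory(SAMPLE_DRIVER_BYTES, BLOCKLIST).items():
        print(f"FINDING on disk: {name} -> {why}")
```

The detection path keys on the hash rather than on signature validity because, as the post notes, these drivers are legitimate and carry valid signatures; a load of a blocklisted driver from a user-writable directory such as the constructed `C:\Users\Public` path is the kind of event worth correlating with the surrounding privilege-escalation and tamper activity.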

Links:
https://news.sophos.com/en-us/2024/03/04/itll-be-back-attackers-still-abusing-terminator-tool-and-variants/
https://www.bleepingcomputer.com/news/security/terminator-antivirus-killer-is-a-vulnerable-windows-driver-in-disguise/
