Credential theft alert! Venak Security discovers a BYOVD attack using .SYS drivers to bypass Windows security. Learn how this attack steals user data and gains control.
A recent investigation by Venak Security uncovered an attack scenario that leverages a vulnerability in a kernel-level driver associated with Check Point's ZoneAlarm antivirus software. The vulnerable driver, vsdatant.sys, version 14.1.32.0, with an MD5 hash of 190fe0ce4d43ad8eed97aaa68827e2c6, was the core component of the exploit.
This driver was originally released in 2016 and became a point of entry for malicious actors employing a technique known as "Bring Your Own Vulnerable Driver" (BYOVD). This method allowed the attackers to gain elevated privileges on the compromised systems, effectively bypassing critical Windows security features, including Memory Integrity, a Windows security feature that uses virtualization to protect the system's memory from malicious code and drivers.
Researchers noted that BYOVD has become a favoured tool among cybercriminal groups seeking to disable Endpoint Detection and Response (EDR) products. For context, the BYOVD technique involves introducing vulnerable drivers onto targeted systems and exploiting them to execute malicious code at the kernel level. A key aspect of this technique is the abuse of digitally signed drivers: because these drivers carry valid signatures, they appear legitimate to security software, effectively bypassing detection.
According to Venak Security's research, the attack begins with a malicious email containing a dropper, which downloads and executes a script that installs the vulnerable driver (.SYS file) and registers it as a service.
The driver interrupts Core Isolation and removes process protection. The attacker then extracts user credentials, sends them to a Command and Control server, and uses Remote Desktop to gain persistent control of the compromised machine. This image demonstrates how this attack was implemented:
Researchers noted that while Memory Integrity isolates protected processes within a virtualized environment, making it difficult for attackers to inject malicious code, the vulnerable vsdatant.sys driver allowed the attackers to bypass these protections, rendering the feature ineffective.
Since vsdatant.sys runs with high-level kernel privileges, the vulnerability allowed the attackers to evade standard security controls and gain full control over the infected machines while remaining undetected. As a result, the attackers could access and extract sensitive information, including user passwords and saved credentials.
Moreover, the vulnerable driver carried a valid digital signature, which is why conventional EDR solutions failed to detect the attack, classifying it as safe. This allowed the malicious activity to proceed without triggering security alerts. Venak Security was able to replicate the attack and demonstrate its execution, which highlights a critical limitation of traditional security measures against BYOVD attacks.
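As an added illustration, not from Venak Security's report or any vendor tool, the check a defender can run against a driver inventory for the BYOVD precondition described above: match each installed driver against the indicators the report quotes (the vsdatant.sys build and its MD5) and flag whether a matching driver's service is actually running. The record layout and the sample inventory are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Indicator values quoted in the report: the vulnerable ZoneAlarm driver build
# and its MD5. The record layout and sample inventory below are constructed.
VULNERABLE_MD5: Dict[str, str] = {
    "190fe0ce4d43ad8eed97aaa68827e2c6": "vsdatant.sys 14.1.32.0 (ZoneAlarm)",
}
VULNERABLE_NAME_VERSION: Dict[Tuple[str, str], str] = {
    ("vsdatant.sys", "14.1.32.0"): "vsdatant.sys 14.1.32.0 (ZoneAlarm)",
}

@dataclass
class DriverRecord:
    name: str                      # image file name, e.g. vsdatant.sys
    version: str                   # file version string
    state: str                     # service state: "Running" or "Stopped"
    md5: Optional[str] = None      # hex digest if the inventory tool supplied one
    image: Optional[bytes] = None  # raw image bytes, hashed here if no digest given

def triage_drivers(records: List[DriverRecord]) -> List[dict]:
    """One finding per driver matching a known-vulnerable indicator: a hash
    match is 'confirmed', a name+version match without a usable hash is
    'suspected'; loaded=True means the service is Running (BYOVD precondition)."""
    findings = []
    for rec in records:
        digest = rec.md5.lower() if rec.md5 else (
            hashlib.md5(rec.image).hexdigest() if rec.image is not None else None)
        key = (rec.name.lower(), rec.version)
        if digest in VULNERABLE_MD5:
            match, basis = VULNERABLE_MD5[digest], "confirmed"
        elif key in VULNERABLE_NAME_VERSION:
            match, basis = VULNERABLE_NAME_VERSION[key], "suspected"
        else:
            continue
        findings.append({"name": rec.name, "match": match, "basis": basis,
                         "loaded": rec.state.lower() == "running"})
    return findings

# Constructed sample: reported build with its hash, same build known only by version, benign driver.
SAMPLE_INVENTORY = [
    DriverRecord("vsdatant.sys", "14.1.32.0", "Running", md5="190FE0CE4D43AD8EED97AAA68827E2C6"),
    DriverRecord("VSDATANT.SYS", "14.1.32.0", "Stopped", image=b"constructed-image-bytes"),
    DriverRecord("tcpip.sys", "10.0.19041.1", "Running", md5="0" * 32),
]

if __name__ == "__main__":
    for finding in triage_drivers(SAMPLE_INVENTORY):
        print(finding)
```

A name+version match is only a lead, since a renamed or repackaged copy still hashes the same; the hash is the indicator to trust, and a "confirmed" plus "loaded" finding is the one to escalate.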
It is important to note that the most current version of the driver does not contain this vulnerability and Check Point has been informed of the issue. Nonetheless, the findings show the importance of driver security and the need for vendors to thoroughly examine their drivers for vulnerabilities.