ADVERTISEMENT

‘Bring your own vulnerable driver’ attack technique is becoming popular among threat actors

Cybercriminal groups and nation-state actors are devising new attack techniques to compromise systems worldwide and bypass security solutions.

Lazarus hacker group

Image from Shutterstock

Pierluigi Paganini
Pierluigi Paganini Contributor
Jan 18, 2023 Updated: 19 January 2023 5 min read

BlackByte ransomware gang uses the BYOVD technique

Analysis on Kernel Notify Routines
ADVERTISEMENT

Lazarus APT Group uses the BYOVD technique to deploy a rootkit

Bring your own vulnerable driver (BYOVD) attacks

August 2022Threat actors abused a vulnerable anti-cheat driver, named mhyprot2.sys, for the Genshin Impact video game to disable antivirus software. According to Trend Micro, a cybercrime gang abused the driver to deploy ransomware. The driver provides anti-cheat functions, but threat actors have found a way to use it to escalate privileges and kill the processes and services associated with endpoint protection applications.
May 2022AvosLocker Ransomware variant disabled a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys).
June 2022Candiru surveillance spyware DevilsTongue attempts to elevate its privileges by exploiting another zero-day exploit. The malicious software targets a legitimately signed kernel driver in a BYOVD (Bring Your Own Vulnerable Driver) fashion.
June 2020Elusive InvisiMole group used the Speedfan exploit chain to trigger a local privilege escalation vulnerability in the speedfan.sys driver to inject its code to a trusted process from kernel mode.

Preventing bring your own vulnerable driver (BYOVD) attacks

  • Threat actors usually exploit well-known vulnerabilities in the used driver, for this reason, by keeping track of the latest security issues, it is possible blocklist drivers known to be exploitable.
  • Always keep track of the drivers installed on your systems and keep them up to date.
ADVERTISEMENT