Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse

Sophos researchers analyzed a Go-based BlackByte variant and found that it bypasses security products by abusing a legitimate but vulnerable signed driver, RTCore64.sys, to disable protection. The technique, a Bring Your Own Vulnerable Driver (BYOVD) approach, gives the malware arbitrary kernel memory read and write, which it uses to remove the callbacks security products register in the kernel and to silence threat-intelligence logging before the ransomware runs. #BlackByte #RTCore64 #CVE2019-16098 #EDRBypass #EDRSandblast #GenshinImpact #mhyprot2 #Avast

Keypoints

  • BlackByte’s Go variant uses a BYOVD technique: it drops and loads the vulnerable RTCore64.sys driver and uses it to disable security products from the kernel.
  • RTCore64.sys is affected by CVE-2019-16098, which lets an authenticated user read and write arbitrary kernel memory; that primitive is what makes privilege escalation and code execution at kernel privilege possible.
  • With that primitive the malware patches the kernel notify-routine arrays to remove the callbacks security drivers have registered, so EDR and EDR-like products stop receiving the notifications they depend on.
  • It also disables the Microsoft-Windows-Threat-Intelligence ETW provider, so the kernel-side telemetry on suspicious API calls that EDRs consume is no longer emitted.
  • Phase 1 reads the ntoskrnl.exe version via GetFileVersionInfoW, decrypts the matching hardcoded kernel offsets, and installs a service pointing at the dropped RTCore64.sys to load the driver.
  • Phase 2 removes the process, thread and image-load notification callbacks by locating PspCreateProcessNotifyRoutine and the related arrays at those offsets and overwriting them through DeviceIoControl calls to the driver.
  • The code closely resembles the open-source EDRSandblast tool, suggesting the attackers reused it. Because the driver is validly signed, a fully patched system will still load it; defenders need to track known-exploitable signed drivers and block them (driver blocklisting or allow-listing) rather than rely on updates alone.

MITRE Techniques

  • [T1068] Exploitation for Privilege Escalation – Abuses RTCore64.sys vulnerability CVE-2019-16098 to read and write to arbitrary memory. “CVE-2019-16098 allows an authenticated user to read and write to arbitrary memory, which could be exploited for privilege escalation, code execution under high privileges, or information disclosure.”
  • [T1543.003] Windows Service – The dropped vulnerable driver is registered as a kernel-mode service so that it can be loaded. “A service is created via CreateServiceW and finally started.”
  • [T1562.001] Impair Defenses – Removes kernel callbacks and disables security logging to bypass protections. “remove the callbacks from kernel memory” and “deactivate the Microsoft-Windows-Threat-Intelligence provider”
  • [T1082] System Information Discovery – Determines kernel version to select offsets. “First, it will extract the version information of ntoskrnl.exe via GetFileVersionInfoW.”

Indicators of Compromise

  • [Hash] 9103194d32a15ea9e8ede1c81960a5ba5d21213de55df52a6dac409f2e58bcfe – Sample sha256 hash linked to the BlackByte Go variant
  • [File] RTCore64.sys – Vulnerable driver dropped into the user’s AppData\Roaming directory and loaded via a service. The file is a legitimate signed vendor driver, so its presence in a user-writable location and its loading as a service, not the file hash alone, is the indicator.
  • [CVE] CVE-2019-16098 – Privilege-escalation vulnerability exploited through RTCore64.sys
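The IOCs and the two-phase behaviour above translate directly into a hunt: a kernel-mode service whose image sits under a user profile, a driver load of RTCore64.sys, and a process whose sha256 matches the sample hash. The script below is an added example and not code from the Sophos article; the event records are constructed and loosely modelled on System log event 7045 (service installed), Sysmon event 6 (driver loaded) and Sysmon event 1 (process create). Field names, the host name and the list of user-writable directories are assumptions to adapt to your SIEM’s schema.

```python
"""Hunt for BYOVD-style RTCore64.sys abuse in Windows event records.

Added example, not from the Sophos article. Event dicts below are
constructed and loosely modelled on System 7045 / Sysmon 6 / Sysmon 1;
field names are assumptions, adapt them to your SIEM schema.
"""
import re

# sha256 of the BlackByte Go sample from the IOC list.
BLACKBYTE_SAMPLE_SHA256 = "9103194d32a15ea9e8ede1c81960a5ba5d21213de55df52a6dac409f2e58bcfe"

# Known-vulnerable signed driver named in the article (CVE-2019-16098).
VULNERABLE_DRIVER = "rtcore64.sys"

# Directories a kernel driver is never legitimately installed from.
# This list is an assumption for the example, not from the article.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData\\(?:Roaming|Local)|Windows\\Temp|Users\\Public|ProgramData)\\",
    re.IGNORECASE,
)


def normalize_path(raw):
    """Strip quotes and the NT object prefix that service ImagePath values carry."""
    p = raw.strip().strip('"')
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    return p


def check_service_install(ev):
    """System 7045: new service installed. Returns the reasons to alert, if any."""
    reasons = []
    path = normalize_path(ev.get("ImagePath", ""))
    if path.lower().endswith(VULNERABLE_DRIVER):
        reasons.append("known-vulnerable driver RTCore64.sys installed as a service")
    if "kernel" in ev.get("ServiceType", "").lower() and USER_WRITABLE.search(path):
        reasons.append("kernel driver service points into a user-writable directory")
    return reasons


def check_driver_load(ev):
    """Sysmon 6: driver loaded into the kernel."""
    reasons = []
    path = normalize_path(ev.get("ImageLoaded", ""))
    if path.lower().endswith(VULNERABLE_DRIVER):
        reasons.append("RTCore64.sys loaded into the kernel")
    if USER_WRITABLE.search(path):
        reasons.append("driver image resides in a user-writable directory")
    return reasons


def sha256_from_hashes(field):
    """Sysmon 'Hashes' is 'ALG=value,ALG=value'; return the sha256 lower-cased."""
    for part in field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def check_process_create(ev):
    """Sysmon 1: process creation; match the sample sha256 from the IOC list."""
    if sha256_from_hashes(ev.get("Hashes", "")) == BLACKBYTE_SAMPLE_SHA256:
        return ["process image matches the BlackByte Go variant sha256 IOC"]
    return []


CHECKS = {
    ("System", 7045): check_service_install,
    ("Sysmon", 6): check_driver_load,
    ("Sysmon", 1): check_process_create,
}


def triage(events):
    """Return (host, event_id, reasons) for every event that trips a check."""
    hits = []
    for ev in events:
        check = CHECKS.get((ev["Channel"], ev["EventID"]))
        if check is None:
            continue
        reasons = check(ev)
        if reasons:
            hits.append((ev["Host"], ev["EventID"], reasons))
    return hits


# Constructed sample telemetry (not real logs): one infected host, two benign events.
SAMPLE_EVENTS = [
    {"Host": "ws01", "Channel": "Sysmon", "EventID": 1,
     "Image": r"C:\Users\alice\AppData\Roaming\sample.exe",
     "Hashes": "SHA256=" + BLACKBYTE_SAMPLE_SHA256.upper()},
    {"Host": "ws01", "Channel": "System", "EventID": 7045,
     "ImagePath": r'"\??\C:\Users\alice\AppData\Roaming\RTCore64.sys"',
     "ServiceType": "kernel mode driver"},
    {"Host": "ws01", "Channel": "Sysmon", "EventID": 6,
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\RTCore64.sys"},
    {"Host": "ws02", "Channel": "System", "EventID": 7045,
     "ImagePath": r"C:\Windows\System32\drivers\example.sys",
     "ServiceType": "kernel mode driver"},
    {"Host": "ws02", "Channel": "Sysmon", "EventID": 1,
     "Image": r"C:\Windows\System32\notepad.exe", "Hashes": "SHA256=" + "0" * 64},
]

if __name__ == "__main__":
    for host, event_id, reasons in triage(SAMPLE_EVENTS):
        print(f"{host} event {event_id}: " + "; ".join(reasons))
```

Run against the constructed records this flags the three ws01 events and nothing on ws02. Because RTCore64.sys is a legitimate signed binary, the path and service checks carry the signal, not the driver’s hash; on a live host the same logic can be applied to the output of the service control manager (a kernel-driver service whose binary path is under a user profile) rather than to historical logs.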

Read more: https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/