Keypoints
- UNC2970 used BYOVD to evade EDR by dropping and loading legitimate vulnerable drivers to gain kernel read/write access.
- Mandiant recovered an XORed blob (Share.DAT, MD5 def6f916…) decoded with key 0x59 that revealed the LIGHTSHIFT in-memory dropper (MD5 9176f177…).
- LIGHTSHIFT loads LIGHTSHOW (MD5 ad452d16…), invoking exported functions Create then Close and writing the Close response as a hex address to C:\Windows\windows.ini.
- LIGHTSHOW is VMProtect-packed and host-targeted (requires a specific SHA256 tied to the computer name), and drops a vulnerable ENE driver (SHA256 175eed7a…) into C:\Windows\System32\Drivers under randomized names appended with “mgr”.
- LIGHTSHOW creates a service registry key (HKLM\SYSTEM\CurrentControlSet\Services), sets ImagePath, loads the driver via NtLoadDriver, and registers a dummy DLL (%temp%\_SB_SMBUS_SDK.dll) as a legitimate caller.
- Using the vulnerable driver, LIGHTSHOW performs arbitrary kernel memory read/write to patch kernel routines used by EDRs, then unloads and deletes the dummy DLL; Mandiant observed use of multiple vulnerable drivers (including Dell DBUtil and ENE) and noted CVE-2022-42455 discovery.
MITRE Techniques
- [T1218] Bring Your Own Vulnerable Driver (BYOVD) – Abuse of legitimate but vulnerable drivers to bypass kernel-level protections and obtain kernel read/write primitives; quote: “BYOVD is a technique that utilizes the abuse of legitimate and trusted, but vulnerable drivers, to bypass kernel level protections.”
Indicators of Compromise
- [MD5] payload and samples – def6f91614cb47888f03658b28a1bda6 (XOR’d LIGHTSHIFT), 9176f177bd88686c6beb29d8bb05f20c (LIGHTSHIFT), and ad452d161782290ad5004b2c9497074f (LIGHTSHOW)
- [SHA256] vulnerable driver – 175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347 (ENE vulnerable driver deployed by LIGHTSHOW)
- [File name] temporary DLL and dropped files – SB_SMBUS_SDK.dll (%temp%\_SB_SMBUS_SDK.dll) used as dummy DLL, Share.DAT (C:\ProgramData\USOShared\Share.DAT) as XORed blob
- [File path] artifact written by dropper – C:\Windows\windows.ini (LIGHTSHIFT writes a hex-formatted address here)
- [Driver hash] additional observed driver – 7e6e2ed880c7ab115fca68136051f9ce (ENE Driver) and other driver hashes noted in table
During forensic analysis Mandiant recovered an XOR-encoded blob (Share.DAT, MD5 def6f9…) that decoded with key 0x59 to an in-memory dropper dubbed LIGHTSHIFT (MD5 9176f177…). LIGHTSHIFT loads a second-stage payload, LIGHTSHOW (MD5 ad452d16…), by invoking exported functions Create then Close and writing the Close response as a hex address to C:\Windows\windows.ini as part of its in-memory activation sequence.
LIGHTSHOW is VMProtect-packed and host-locked (requires a specific SHA256 tied to the machine name). It drops a legitimate but vulnerable kernel driver (ENE driver SHA256 175eed7a…) into C:\Windows\System32\Drivers under randomized names suffixed with “mgr”, creates a service key under HKLM\SYSTEM\CurrentControlSet\Services, sets ImagePath, and loads the driver via NtLoadDriver. A temporary dummy DLL (%temp%\_SB_SMBUS_SDK.dll) is registered with the driver to appear as a legitimate caller.
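The recovery step above (single-byte XOR with key 0x59 turning Share.DAT back into a PE file) is the kind of triage an analyst repeats on any opaque blob found next to a dropper. The following is an added example, not code from the Mandiant write-up: it decodes a blob with a given key, checks for the DOS/PE signatures, records MD5s of both forms for IoC matching, and falls back to trying all 256 single-byte keys when the key is unknown. The sample input is a constructed fake PE header, not the real Share.DAT.

```python
import hashlib
from typing import Optional

XOR_KEY = 0x59  # single-byte key the write-up reports for Share.DAT


def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key; XOR is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in blob)


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: 'MZ' DOS stub and 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_blob(blob: bytes, key: int = XOR_KEY) -> dict:
    """Decode with the known key and report hashes of the on-disk and decoded forms."""
    decoded = xor_decode(blob, key)
    return {
        "encoded_md5": hashlib.md5(blob).hexdigest(),   # compare with the XOR'd-blob IoC
        "decoded_md5": hashlib.md5(decoded).hexdigest(),  # compare with the dropper IoC
        "decoded_is_pe": looks_like_pe(decoded),
        "decoded": decoded,
    }


def brute_force_key(blob: bytes) -> Optional[int]:
    """When the key is unknown, return the single-byte key that yields a PE image, if any."""
    for k in range(256):
        if looks_like_pe(xor_decode(blob, k)):
            return k
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in: a minimal MZ/PE header with no code, not a real executable."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew points just past the DOS header
    header += b"PE\0\0" + b"\x00" * 20
    return bytes(header)


# Constructed sample: the fake PE header encoded the same way Share.DAT was.
SAMPLE_ENCODED = xor_decode(build_fake_pe(), XOR_KEY)

if __name__ == "__main__":
    result = triage_blob(SAMPLE_ENCODED)
    print("decoded is PE:", result["decoded_is_pe"])
    print("decoded MD5:", result["decoded_md5"])
    print("recovered key:", hex(brute_force_key(SAMPLE_ENCODED) or 0))
```

The decoded bytes should be carved to disk and hashed before any further analysis; the `decoded_md5` field is what you compare against the LIGHTSHIFT hash in the IoC list.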
With the vulnerable driver loaded, LIGHTSHOW obtains arbitrary kernel read/write primitives and patches kernel routines associated with EDR functionality to evade detection; after performing modifications it unloads and deletes the temporary DLL. Mandiant observed UNC2970 using a small set of vulnerable drivers (including Dell DBUtil and ENE), noted overlap with other BYOVD activity, and reported a discovered vulnerable driver as CVE-2022-42455.
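The loader behaviour described above (a service key with an ImagePath pointing at a randomly named driver ending in “mgr” under System32\Drivers, the driver later unloaded and its helper DLL deleted) leaves artifacts that can be hunted from an exported Services hive plus the files on disk. The following is an added example, not Mandiant's tooling: it normalizes the common ImagePath spellings, flags the naming pattern, hashes the target file against the driver hashes listed in the IoC section, and treats a missing target with the suspicious name as its own signal. The regex for “randomized name appended with mgr” is an assumption (six or more alphanumerics then `mgr.sys`), and the service entries and file contents are constructed sample data.

```python
import hashlib
import ntpath
import re
from typing import Dict, Iterable, List

# The two hashes below are the ENE driver hashes from the page's IoC list; all other values are constructed.
KNOWN_BAD_SHA256 = {"175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347"}
KNOWN_BAD_MD5 = {"7e6e2ed880c7ab115fca68136051f9ce"}

DRIVER_DIR = r"C:\Windows\System32\Drivers"
# Assumption: "randomized name appended with mgr" modelled as 6+ alphanumerics followed by mgr.sys.
RANDOM_MGR_NAME = re.compile(r"^[a-z0-9]{6,}mgr\.sys$", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize_image_path(image_path: str) -> str:
    """Expand the usual ImagePath spellings (\\SystemRoot\\..., \\??\\C:\\..., System32\\...) to C:\\... form."""
    p = image_path.strip().strip('"')
    low = p.lower()
    if low.startswith("\\systemroot\\"):
        p = r"C:\Windows" + p[len("\\systemroot"):]
    elif low.startswith("\\??\\"):
        p = p[4:]
    elif low.startswith("system32\\"):
        p = r"C:\Windows" + "\\" + p
    return p


def score_service(name: str, image_path: str, files: Dict[str, bytes],
                  bad_sha256: Iterable[str] = KNOWN_BAD_SHA256,
                  bad_md5: Iterable[str] = KNOWN_BAD_MD5) -> dict:
    """Return the reasons one Services\\<name> entry looks like a dropped BYOVD driver."""
    path = normalize_image_path(image_path)
    reasons: List[str] = []
    in_driver_dir = ntpath.dirname(path).lower() == DRIVER_DIR.lower()
    name_hit = bool(RANDOM_MGR_NAME.match(ntpath.basename(path)))
    if in_driver_dir and name_hit:
        reasons.append("randomized driver name with 'mgr' suffix")
    data = files.get(path.lower())  # files is keyed by lower-cased absolute path
    if data is None:
        if name_hit:  # driver was loaded and then removed, as the write-up describes
            reasons.append("ImagePath target missing (driver may have been unloaded and deleted)")
    elif sha256_hex(data) in set(bad_sha256) or hashlib.md5(data).hexdigest() in set(bad_md5):
        reasons.append("file hash matches a known vulnerable driver")
    return {"service": name, "image_path": path, "reasons": reasons, "suspicious": bool(reasons)}


def hunt(services: Dict[str, str], files: Dict[str, bytes], **kw) -> List[dict]:
    """Score every service and keep only the suspicious ones."""
    return [r for r in (score_service(n, p, files, **kw) for n, p in services.items()) if r["suspicious"]]


# Constructed sample data standing in for an exported Services hive and the driver directory.
SAMPLE_SERVICES = {
    "Disk": r"\SystemRoot\System32\drivers\disk.sys",
    "xk4q9zmgr": r"\??\C:\Windows\System32\Drivers\xk4q9zmgr.sys",
    "Beep": r"System32\drivers\beep.sys",
}
SAMPLE_FILES = {
    r"c:\windows\system32\drivers\disk.sys": b"constructed benign driver bytes",
    r"c:\windows\system32\drivers\xk4q9zmgr.sys": b"constructed dropped driver bytes",
}

if __name__ == "__main__":
    for hit in hunt(SAMPLE_SERVICES, SAMPLE_FILES):
        print(hit["service"], hit["image_path"], hit["reasons"])
```

On a live host the same logic should be paired with driver-load telemetry (for example Sysmon event ID 6) rather than relying on files still being present, since the write-up notes the driver and dummy DLL are cleaned up after the kernel patches are applied.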
Read more: https://www.mandiant.com/resources/blog/lightshift-and-lightshow