Cybersecurity researchers at Sophos X-Ops have reported that hackers affiliated with the BlackCat ransomware group exploited a legitimate antivirus driver to install malware. The attackers leveraged a technique known as Bring Your Own Vulnerable Driver (BYOVD) to gain high-level system privileges, disable other security products, and deploy their malicious payloads.
The threat actors used a new version of a malware loader named POORTRY to carry out the attack. This loader was specifically designed to exploit a known vulnerability in a legitimate, signed driver file associated with antivirus software.
The ‘Bring Your Own Vulnerable Driver’ Method
The attack centered on the exploitation of CVE-2022-24834, a vulnerability found in the ep_oal.sys driver from security firm Emsisoft. While Emsisoft had patched this vulnerability in 2022, the attackers used an older, signed version of the driver that remained vulnerable. This is a hallmark of a BYOVD attack, where threat actors bring a legitimate but flawed driver to a target system to exploit its weaknesses.
By exploiting the flaw in the Emsisoft driver, the POORTRY malware loader was able to gain kernel-level access to the compromised system. This level of access is among the highest privileges available, giving the attackers deep control over the machine’s operating system.
Disabling Security and Deploying Payloads
Once kernel-level privileges were obtained, the attackers used their access to systematically terminate the processes of various security agent products running on the victim’s device. This action effectively blinded the system’s defenses, clearing the way for the deployment of subsequent malware.
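The driver-load-then-kill-agents sequence described above is what a detection should key on. The following is an added example (not code from Sophos, Emsisoft or the article) that correlates Sysmon-style driver-load events with subsequent security-process terminations; the blocklist hash, agent process names and sample events are constructed placeholders.

```python
# Added detection example for the chain described above (not Sophos or Emsisoft code):
# a driver load (Sysmon Event ID 6) followed within a short window by several
# security-agent terminations (Event ID 5). Sample events, names and hashes are constructed.
from datetime import datetime, timedelta

# Constructed blocklist: driver file name -> SHA256 values of known-vulnerable builds.
VULNERABLE_DRIVERS = {"ep_oal.sys": {"PLACEHOLDER_SHA256_OF_VULNERABLE_BUILD"}}
SECURITY_PROCESSES = {"edr_agent.exe", "av_service.exe"}  # constructed agent names
WINDOW = timedelta(seconds=120)  # terminations must follow the load within this window
MIN_KILLS = 2  # agent terminations needed before a load is flagged

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def driver_is_suspect(ev):
    """Blocklisted hash, or a signed driver loaded from a user-writable path."""
    path = ev["ImageLoaded"]
    name = path.rsplit("\\", 1)[-1].lower()
    sha = ev["Hashes"].split("SHA256=")[-1].split(",")[0]
    by_hash = sha in VULNERABLE_DRIVERS.get(name, set())
    user_path = path.lower().startswith(("c:\\users\\", "c:\\windows\\temp\\"))
    return by_hash or (ev["Signed"] == "true" and user_path)

def detect_byovd_chain(events):
    """Return (driver_path, [terminated agent names]) for each suspect load."""
    events = sorted(events, key=lambda e: parse_ts(e["UtcTime"]))
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] != 6 or not driver_is_suspect(ev):
            continue
        t0 = parse_ts(ev["UtcTime"])
        killed = [e["Image"].rsplit("\\", 1)[-1] for e in events[i + 1:]
                  if e["EventID"] == 5 and parse_ts(e["UtcTime"]) - t0 <= WINDOW
                  and e["Image"].rsplit("\\", 1)[-1].lower() in SECURITY_PROCESSES]
        if len(killed) >= MIN_KILLS:
            findings.append((ev["ImageLoaded"], killed))
    return findings

# Constructed sample events shaped like Sysmon IDs 6 (DriverLoad) and 5 (ProcessTerminate).
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2024-01-10 09:00:00", "Signed": "true",
     "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\ep_oal.sys",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_VULNERABLE_BUILD,IMPHASH=PLACEHOLDER"},
    {"EventID": 5, "UtcTime": "2024-01-10 09:00:12", "Image": "C:\\Program Files\\EDR\\edr_agent.exe"},
    {"EventID": 5, "UtcTime": "2024-01-10 09:00:15", "Image": "C:\\Program Files\\AV\\av_service.exe"},
    {"EventID": 5, "UtcTime": "2024-01-10 09:00:20", "Image": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": 6, "UtcTime": "2024-01-10 10:00:00", "Signed": "true",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\disk.sys", "Hashes": "SHA256=PLACEHOLDER_BENIGN"},
]
```

Calling detect_byovd_chain(SAMPLE_EVENTS) flags only the Temp-path ep_oal.sys load, since two agent terminations follow it inside the window, while the System32 disk.sys load is ignored.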
With security tools disabled, the threat actors deployed two primary payloads. The first was the BlackCat/ALPHV ransomware, a well-known strain used to encrypt victim data for extortion. The second was a spyware tool identified as SPYSCRAPER, used for information stealing and surveillance.