BYO-Bug Tactic Attacks Windows Kernel with Outdated Driver

The RobbinHood ransomware is using a deprecated Gigabyte driver as the tip of the spear for taking out antivirus products.

The operators behind the RobbinHood ransomware are using a vulnerable, legacy driver from Taiwan-based motherboard manufacturer Gigabyte in order to get around antivirus protections. The “bring-your-own-bug” tactic is likely to crop up in other attacks going forward, according to security analysts.

According to research from Sophos, the driver has a known vulnerability (CVE-2018-19320), and was discontinued in 2018 by the company. However, the Verisign certificate used to digitally sign the driver has not been revoked, so the signature remains valid.
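The point above, that a valid signature on a known-vulnerable driver does not make it safe, is the core problem for defenders. The following is an added example, not from Sophos or the article, that triages constructed Sysmon-style Event ID 6 (DriverLoad) records: signature status is recorded, but the alert is driven by a blocklist of known-vulnerable driver hashes. The hash, file name and signer string are constructed placeholders.

```python
"""Triage of Sysmon Event ID 6 (DriverLoad) records for the BYOVD tactic.
The driver described above carries a valid, unrevoked signature, so
"Signed: true / SignatureStatus: Valid" is not a clean verdict; the
decisive check is a blocklist of known-vulnerable driver hashes."""
import re

# Constructed placeholder hash standing in for a real blocklist entry (e.g. the
# Microsoft vulnerable driver blocklist or the LOLDrivers project).
VULNERABLE_DRIVER_SHA256 = {"11" * 32: "CVE-2018-19320"}

FIELD = re.compile(r"^(\w+):\s*(.*)$")

def parse_event(text):
    """Turn one Sysmon-style 'Key: value' block into a dict with a SHA256 key."""
    fields = {}
    for line in text.strip().splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    fields["SHA256"] = hashes.get("SHA256", "").lower()
    return fields

def classify(event):
    """Reasons this driver load deserves an alert; an empty list means no finding."""
    reasons = []
    cve = VULNERABLE_DRIVER_SHA256.get(event["SHA256"])
    if cve:
        reasons.append(f"known-vulnerable driver ({cve}); valid signature does not clear it")
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned kernel driver")
    elif event.get("SignatureStatus") != "Valid":
        reasons.append(f"signature status {event.get('SignatureStatus')!r}")
    return reasons

def triage(raw_events):
    """Map each flagged driver path to its alert reasons."""
    return {e["ImageLoaded"]: r for e in map(parse_event, raw_events) if (r := classify(e))}

# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    "ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys\n"
    "Hashes: SHA256=" + "22" * 32 + "\nSigned: true\n"
    "Signature: Microsoft Windows\nSignatureStatus: Valid",
    "ImageLoaded: C:\\Windows\\Temp\\legacy_board.sys\n"  # placeholder file name
    "Hashes: SHA256=" + "11" * 32 + "\nSigned: true\n"
    "Signature: Gigabyte (constructed signer string)\nSignatureStatus: Valid",
]
```

Running `triage(SAMPLE_EVENTS)` flags only the second driver, even though both records report a valid signature.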