RobbinHood ransomware abuses a vulnerable Gigabyte motherboard driver
Attackers exploited a vulnerability in a signed Gigabyte motherboard driver to kill security processes, such as antivirus, from inside the Windows kernel.
Where did RobbinHood come from?
RobbinHood does not belong to a known ransomware family, nor is it attributed to a known criminal group. Cybersecurity analysts know nothing about who created RobbinHood or where they operate. The ransom note, however, offers a clue: its second paragraph ends with the words "Don't waste your time and hurry! Tic-tac-tac-tac-tac!"
Clocks "speak" differently in different languages. In English a clock says "tick tock"; in Japanese, "kachi kachi"; in Chinese, "dida dida"; in Korean, "ttok tak"; and in both Dutch and Russian, "tik tak". Since a large share of the world's ransomware is written by Russian-speaking groups, the note's phrasing points to Russian rather than Dutch authors.
Another indication of Russian authorship is that one of the modules, STEEL.EXE, contains a path pointing to a user directory named Mikhail.
How does RobbinHood ransomware get into PC?
RobbinHood uses several different routes onto a computer. The primary one is an attachment to a phishing email that tempts the user into downloading and running it. Another is through infected websites: a pop-up injected into the site tells the user the browser is out of date, and clicking OK downloads a file that, when run, installs the first stage of the RobbinHood attack instead of the promised browser update. A third is distribution through file-sharing networks, where the installer is disguised as a video file to trick people into downloading and opening it.
The first component the installer drops is legitimate software with a security flaw: a Gigabyte motherboard driver. A driver is kernel-mode code that translates operating system requests into operations on the computer's hardware components. This particular driver contains a vulnerability, and Gigabyte has since deprecated it. Windows, however, does not know the file is no longer wanted: it still carries a valid Authenticode signature, so the operating system loads it like any other trusted driver.
Once the driver is loaded, its known bug gives the attacker a foothold inside the kernel. The attackers use the vulnerable driver's access to kernel memory to get past Windows' driver signature check and load their own, unsigned driver, something Windows would normally refuse. That unsigned driver, running with kernel privileges, can terminate processes and delete files that even an administrator cannot touch from user mode, which is exactly what the next stage relies on to kill security software.
What happens in the RobbinHood ransomware attack?
The process-killing component that the installer runs, STEEL.EXE backed by the malicious kernel driver, terminates many running processes, including antivirus and other security products. With no AV running, the rest of the malware can operate undetected. It also kills any application that might have a file open, such as Word or Excel, because a file held open for editing is locked and cannot be overwritten with its encrypted version.
Somewhat surprisingly, the malware disconnects any mapped network drives before encrypting, which looks like a missed opportunity to spread to other computers. The encryption workflow, however, is built to handle one computer at a time: the ransomware package is copied to other computers across the network separately, and each endpoint is then encrypted on its own.
The ransomware has been very successful at encrypting entire corporate networks. It does not encrypt immediately but waits until many computers have been infected. Analysts do not know how the operators decide that enough endpoints have been reached; they may use an ordinary network scanning tool to enumerate every host on the same network as the initial victim.
RobbinHood appears to move between computers on a network using Remote Desktop Protocol (RDP), a built-in Windows feature. Some organizations expose RDP without requiring a strong password at all, and another common failure is an easy-to-guess password such as password or 123456789.
RobbinHood ransomware and the vulnerable Gigabyte driver
RobbinHood, known for the havoc it caused in 2019, notably in the municipal systems of Baltimore (Maryland) and Greenville (North Carolina) in the United States, is unfortunately back in the spotlight. In a post, security researchers from Sophos detailed a very particular attack technique that exposes many systems to this malware. The technique relies on a vulnerability disclosed in December 2018 (CVE-2018-19320) in a driver shipped with Gigabyte motherboards. The Sophos researchers said the Taiwanese vendor is aware of the problem and has "stopped using the vulnerable driver, but it's still there and appears to still be a threat. Verisign, whose code-signing mechanism was used to digitally authenticate the driver, has not revoked the signing certificate, so the Authenticode signature remains valid."
Gigabyte's is not the only driver exposed to this technique. Signed drivers from other vendors carry similar known vulnerabilities that could be abused the same way: VirtualBox (CVE-2008-3431), Novell (CVE-2013-3956), CPU-Z (CVE-2017-15302) and ASUS (CVE-2018-18537).
A ready-made attack package
The attack scenario: the attackers exploit the driver vulnerability to stop the processes, tasks and device-protection security products on the endpoint so that the RobbinHood ransomware can run unhindered. "This is the first time we have observed ransomware shipping a signed but vulnerable driver capable of loading unsigned malware into the Windows kernel and removing security applications from kernel space," the researchers note. The attackers use several files, extracted to the C:\WINDOWS\TEMP directory, to carry out the attack: STEEL.EXE, the application that kills security-product processes and files with the help of Windows kernel drivers; ROBNR.EXE, which deploys an unsigned driver; GDRV.SYS, the Authenticode-signed driver whose certificate has since expired but which contains the vulnerability; and RBNL.SYS, the malicious unsigned driver that kills processes and deletes files from kernel space.
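The file list above describes a bring-your-own-vulnerable-driver chain: a validly signed GDRV.SYS is written to C:\WINDOWS\TEMP and loaded, then an unsigned RBNL.SYS follows it into the kernel. The Python below is an added example, not Sophos' code or anything from the RobbinHood samples: it parses Sysmon Event ID 6 (DriverLoad) records in Windows Event XML and flags that sequence. The field names are Sysmon's real ones; the host name, timestamps, signer string, hashes and the events themselves are constructed for the example, and matching GDRV.SYS by filename is an assumption a production rule would replace with SHA256 hashes from the vendor advisory.

```python
"""Flag the driver-load chain described above in Sysmon Event ID 6 records.

Added example, not Sophos' or the malware's code. The sample events are
constructed: a signed GDRV.SYS loaded from C:\\WINDOWS\\TEMP, then the unsigned
RBNL.SYS. Field names (UtcTime, ImageLoaded, Hashes, Signed, Signature,
SignatureStatus) are Sysmon's real Event ID 6 fields; host, timestamps, signer
string and hashes are placeholders, not real indicators.
"""
import ntpath
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Filename the article names as signed-but-vulnerable (assumption: match by name
# here; production rules should match SHA256 from the CVE/vendor advisory).
KNOWN_VULNERABLE_DRIVERS = {"gdrv.sys"}

# A legitimate driver install never loads from these locations.
SUSPICIOUS_DIR_PREFIXES = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\")

# An unsigned driver this soon after a vulnerable signed one is the BYOVD chain.
CHAIN_WINDOW = timedelta(minutes=5)


def parse_driver_load(xml_text):
    """Parse one Windows Event XML record; return None unless it is Sysmon event 6."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "host": root.findtext("e:System/e:Computer", namespaces=NS),
        "time": datetime.strptime(data["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
        "image": data["ImageLoaded"],
        "signed": data.get("Signed", "").lower() == "true",
        "sig_status": data.get("SignatureStatus", ""),
    }


def classify(ev):
    """Rules that fire on a single driver-load event."""
    hits = []
    image = ev["image"].lower()
    if image.startswith(SUSPICIOUS_DIR_PREFIXES):
        hits.append("driver_loaded_from_temp_or_user_dir")
    if not ev["signed"] or ev["sig_status"] != "Valid":
        # Windows only loads an unsigned driver once signature enforcement is defeated.
        hits.append("unsigned_or_invalid_driver")
    if ntpath.basename(image) in KNOWN_VULNERABLE_DRIVERS:
        # Signature is Valid here: that is what makes the vulnerable driver useful.
        hits.append("known_vulnerable_signed_driver")
    return hits


def detect_byovd_chain(events):
    """Per-event alerts, plus a correlated alert when a known-vulnerable signed
    driver is followed on the same host, within CHAIN_WINDOW, by an unsigned one."""
    alerts = []
    last_vulnerable = {}  # host -> most recent vulnerable-driver event
    for ev in sorted(events, key=lambda e: e["time"]):
        hits = classify(ev)
        alerts.extend((ev["host"], ev["image"], rule) for rule in hits)
        if "known_vulnerable_signed_driver" in hits:
            last_vulnerable[ev["host"]] = ev
        elif "unsigned_or_invalid_driver" in hits:
            prior = last_vulnerable.get(ev["host"])
            if prior and ev["time"] - prior["time"] <= CHAIN_WINDOW:
                alerts.append((ev["host"], ev["image"],
                               "byovd_chain_after:" + ntpath.basename(prior["image"].lower())))
    return alerts


def make_event(host, utc, image, signed, signature, status):
    """Build a constructed Sysmon Event ID 6 record in Windows Event XML layout."""
    ns = NS["e"]
    signed_str = "true" if signed else "false"
    return (
        f'<Event xmlns="{ns}"><System><EventID>6</EventID><Computer>{host}</Computer></System>'
        f'<EventData><Data Name="UtcTime">{utc}</Data><Data Name="ImageLoaded">{image}</Data>'
        f'<Data Name="Hashes">SHA256=PLACEHOLDER</Data><Data Name="Signed">{signed_str}</Data>'
        f'<Data Name="Signature">{signature}</Data><Data Name="SignatureStatus">{status}</Data>'
        f"</EventData></Event>"
    )


# Constructed sample: one benign load, then the two-stage chain on the same host.
SAMPLE_EVENTS = [
    make_event("WS-FINANCE-07", "2020-02-06 10:00:00.000",
               r"C:\Windows\System32\drivers\tcpip.sys", True, "Microsoft Windows", "Valid"),
    make_event("WS-FINANCE-07", "2020-02-06 10:04:12.000",
               r"C:\WINDOWS\TEMP\GDRV.SYS", True, "GIGA-BYTE TECHNOLOGY CO., LTD.", "Valid"),
    make_event("WS-FINANCE-07", "2020-02-06 10:04:15.000",
               r"C:\WINDOWS\TEMP\RBNL.SYS", False, "", "Unsigned"),
]


def run_sample():
    events = [e for e in map(parse_driver_load, SAMPLE_EVENTS) if e]
    return detect_byovd_chain(events)


if __name__ == "__main__":
    for host, image, rule in run_sample():
        print(f"{host}\t{rule}\t{image}")
```

Run it directly to print the alerts for the constructed events, or feed parse_driver_load() records exported from the Sysmon operational log. The correlation rule is the one that matters: GDRV.SYS carries a Valid signature, so a signer-only check passes it, and the detection instead keys on where the driver was loaded from and on what loads right after it.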
To prevent this type of attack, the Sophos researchers offer several recommendations: do not rely on a single security technology, and include the public cloud in the security strategy; use multi-factor authentication and complex passwords; grant access rights only where they are needed; create and keep offline backups; lock down RDP and do not enable it where it is not required; keep Windows tamper protection switched on; and do not forget the old but still-relevant advice of keeping users security-aware.
The attackers behind the well-known RobbinHood malware chose to exploit a vulnerability in a Gigabyte motherboard driver.
It is worth recalling that in 2019 the US city of Baltimore found its systems held hostage by ransomware. That program was RobbinHood. Its notoriety is not only about the attack on Baltimore, Maryland: the city of Greenville, North Carolina, fell victim to the same malware. Security researchers at Sophos studied the malware and described some of its characteristics. The attackers rely mainly on a vulnerability (CVE-2018-19320) disclosed in 2018.
The vulnerability is in a driver shipped with Gigabyte motherboards. The vendor has since stopped shipping the vulnerable driver. However, "it still exists and apparently remains a threat," the Sophos experts said: "Verisign, whose code-signing mechanism was used to digitally authenticate the driver, has not revoked the signing certificate, so the Authenticode signature remains valid."
Taiwanese vendor Gigabyte is, moreover, not the only manufacturer whose products are exposed to this weakness. The same problem has been found in several other vendors' drivers, which attackers could abuse with the same strategies: VirtualBox (CVE-2008-3431), Novell (CVE-2013-3956), ASUS (CVE-2018-18537) and CPU-Z (CVE-2017-15302).
Setting up RobbinHood consists, for the attackers, of using the vulnerability in the motherboard driver to disrupt the normal functioning of the system by stopping processes and tasks, in particular those of the "protective security products" on endpoints and devices, so that the RobbinHood ransomware can operate. The researchers explain: "This is the first time we have observed ransomware shipping a signed but vulnerable driver capable of loading an unsigned malicious driver into the Windows kernel and removing security applications from kernel space (…) The attackers use several types of files, extracted to the C:\WINDOWS\TEMP directory, to carry out this attack: STEEL.EXE, which kills security-product processes and files using Windows kernel drivers; ROBNR.EXE, which deploys an unsigned driver; GDRV.SYS, an Authenticode-signed driver whose certificate validity has lapsed but which contains a vulnerability; and RBNL.SYS, the malicious driver that kills processes and deletes files from kernel space."