Threat actors associated with Qilin and Warlock ransomware operations have been observed using the bring your own vulnerable driver (BYOVD) technique to disable over 300 endpoint detection and response (EDR) tools running on compromised hosts.
According to findings from Cisco Talos and Trend Micro, this technique allows the attackers to silence security tools, making it easier to carry out their malicious activities without being detected.
Qilin attacks analyzed by Talos have been found to deploy a malicious DLL named msimg32.dll, which is used to exploit vulnerable drivers and disable EDR tools.
The use of the BYOVD technique by Qilin and Warlock ransomware operators highlights the increasing sophistication of threat actors and their ability to evade security measures.
The exploitation of vulnerable drivers to disable security tools is a significant concern, as it can allow attackers to move laterally within a network and carry out their objectives without being detected.
Organizations must ensure that their systems and software are kept up to date, and that they have implemented robust security measures to prevent such attacks.
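As an added illustration of the defensive side (not code from the article, Talos or Trend Micro), the script below scans Sysmon-style driver-load (Event ID 6) and image-load (Event ID 7) records for two BYOVD-related signals: a kernel driver loaded from outside the normal drivers directory or matching a vulnerable-driver blocklist, and the msimg32.dll name loaded from a non-system path, which is the sideloading pattern the article describes. The field names follow Sysmon's schema; the sample events and the blocklist hash are constructed placeholders, not real indicators.

```python
"""Flag Sysmon driver-load (ID 6) and image-load (ID 7) records that look like
BYOVD activity. Sample events and blocklist entries are constructed."""
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
DRIVER_DIR = r"c:\windows\system32\drivers"
# Placeholder standing in for a real vulnerable-driver blocklist (for example
# Microsoft's recommended driver block rules); this is not a real hash.
VULNERABLE_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}


def _sha256(hashes_field):
    # Sysmon packs hashes as "MD5=...,SHA256=...,IMPHASH=..."
    for part in hashes_field.split(","):
        if part.startswith("SHA256="):
            return part[len("SHA256="):].upper()
    return ""


def find_byovd_indicators(events):
    """Return (event_index, reason) tuples for events worth triaging."""
    findings = []
    for i, ev in enumerate(events):
        path = PureWindowsPath(ev.get("ImageLoaded", ""))
        parent = str(path.parent).lower()
        name = path.name.lower()
        if ev.get("EventID") == 6:  # kernel driver load
            if _sha256(ev.get("Hashes", "")) in VULNERABLE_DRIVER_SHA256:
                findings.append((i, "driver hash on vulnerable-driver blocklist"))
            elif parent != DRIVER_DIR:
                findings.append((i, f"driver loaded from unusual path: {path}"))
        elif ev.get("EventID") == 7 and name == "msimg32.dll":
            if parent not in SYSTEM_DIRS:
                findings.append((i, f"msimg32.dll loaded from non-system path: {path}"))
    return findings


SAMPLE_EVENTS = [  # constructed for illustration
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\vuln.sys",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"},
    {"EventID": 7, "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},
    {"EventID": 7, "ImageLoaded": r"C:\ProgramData\tool\msimg32.dll"},
]

if __name__ == "__main__":
    for idx, reason in find_byovd_indicators(SAMPLE_EVENTS):
        print(idx, reason)
```

A legitimate msimg32.dll load from System32 and a driver load from the drivers directory produce no finding; only the blocklisted driver and the sideloaded DLL are reported.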
