Qilin Ransomware Exploits TPwSav.sys Driver to Evade EDR Protections

The Qilin ransomware group, active since July 2022, has recently escalated its tactics by exploiting a vulnerable Toshiba laptop driver, TPwSav.sys, to disable endpoint detection and response (EDR) systems. This technique, known as bring-your-own-vulnerable-driver (BYOVD), allows attackers to bypass security measures by introducing legitimate but exploitable drivers into targeted systems.

Qilin Ransomware Overview

Operating under a ransomware-as-a-service (RaaS) model, Qilin offers affiliates substantial profit margins—80% for ransom payments under $3 million and 85% for larger amounts. The ransomware is written in both Golang and Rust, enabling it to target Windows and Linux systems. Employing a double extortion strategy, Qilin not only encrypts victims’ data but also threatens to leak it if ransom demands are not met. Notably, the group avoids attacking organizations within Commonwealth of Independent States (CIS) countries, adhering to common practices among Russian-speaking cybercriminals.

Attack Methodology

In a recent incident analyzed by Blackpoint Cyber, Qilin demonstrated advanced kernel-level manipulation capabilities. The attack sequence began with the deployment of a legitimate signed executable named upd.exe, which is the Carbon Black Cloud Sensor AV update tool. However, instead of loading its legitimate counterpart, the executable sideloaded a malicious dynamic link library (DLL) called avupdate.dll. This DLL contained an exported function named avupdate_get_version, which performed multiple anti-analysis techniques, including virtual machine detection and debugging checks, before loading and executing an encoded file named web.dat. This file, a Windows portable executable, was XOR-encoded with the byte value 0x6a to obfuscate its contents.

Advanced Kernel-Level EDR Bypass Mechanism

Upon decoding, web.dat revealed itself as a heavily customized variant of EDRSandblast, an open-source tool designed to disable EDR products at the kernel level. Rather than using commonly detected vulnerable drivers, the attackers strategically selected TPwSav.sys—a legitimate signed Windows kernel driver originally developed for power-saving features on Toshiba laptops and compiled in 2015. This driver exposes two I/O control codes (IOCTLs) that enable arbitrary memory reads and writes, one byte at a time. Their handlers map a caller-supplied physical address to a virtual address with MmMapIoSpace, let the malware read or modify the contents, and then unmap it with MmUnmapIoSpace. Because the access goes through the physical address rather than the protected virtual mapping, the attackers can modify memory that is otherwise read-only.

Hijacking Beep.sys for Kernel-Level Control

In this attack, the threat actors used these capabilities to overwrite the BeepDeviceControl function in the native Windows driver Beep.sys. The shellcode replacing this function implemented a custom handler that processed an IOCTL of 0x222000, providing the ability to perform arbitrary read and write operations on kernel memory. This manipulation allowed the attackers to disable EDR hooks, remove kernel callback routines, and impair event tracing, effectively rendering the infected system blind to malicious activities.

Implications and Mitigation Strategies

The exploitation of TPwSav.sys by Qilin underscores the evolving sophistication of ransomware operators and their ability to circumvent traditional security measures. Organizations are advised to implement the following mitigation strategies:

– Enforce Strong VPN Security: Require multi-factor authentication (MFA) and geolocation-based restrictions to prevent unauthorized access.

– Monitor VPN and RDP Activity: Detect long-duration VPN sessions, logins from cloud-hosted IPs, and unusual Remote Desktop Protocol (RDP) usage.

– Restrict RDP and Remote Access: Disable RDP where possible; otherwise, restrict by IP allowlists, enforce MFA, and limit administrative privileges.

– Implement Network Segmentation: Prevent lateral movement by isolating critical systems and enforcing least privilege access.

– Use Endpoint Detection and Response (EDR) Policies: Deploy behavior-based anomaly detection to identify suspicious process executions.

– Block Vulnerable Drivers (BYOVD Protection): Enable Windows Defender Application Control (WDAC) and Hypervisor-Protected Code Integrity (HVCI) to block outdated or unsigned drivers.

– Harden Privileged Account Usage: Implement Privileged Access Management (PAM) and just-in-time (JIT) access to limit administrative rights.

– Disable Unnecessary Windows Services and Tools: Block execution of PsExec, WMIC, PowerShell, and other remote administration tools where not needed.

By adopting these measures, organizations can enhance their defenses against sophisticated ransomware attacks like those executed by Qilin.