Exploiting Vulnerable Drivers: Qilin and Warlock Ransomware’s Takedown of 300+ EDR Tools

Qilin and Warlock Ransomware Operations Utilize BYOVD Technique to Evade Security Tools

Recent reports from Cisco Talos and Trend Micro have uncovered a new tactic employed by threat actors linked to Qilin and Warlock ransomware operations. These actors are using the bring your own vulnerable driver (BYOVD) technique to evade security tools on compromised systems.

Analysis of Qilin attacks by Talos has revealed the deployment of a malicious DLL called “msimg32.dll” to disable endpoint detection and response (EDR) solutions. This DLL, loaded through DLL side-loading, can effectively disable over 300 EDR drivers from various security vendors.

The initial stage involves a PE loader that prepares the environment for the EDR killer component, which is encrypted within the loader. The DLL loader employs multiple techniques to avoid detection, allowing the EDR killer payload to execute in memory undetected.

Upon execution, the malware uses two drivers – rwdrv.sys and hlpdrv.sys – to gain access to the system’s physical memory and terminate the processes belonging to numerous EDR products.

Statistics from CYFIRMA and Cynet indicate that Qilin has emerged as a prominent ransomware group, responsible for a significant number of attacks. The group’s use of stolen credentials for initial access underscores the importance of early threat detection and prevention.

According to Talos, ransomware execution typically occurs around six days after the initial compromise, highlighting the need for organizations to detect malicious activity early on.

The Warlock ransomware group continues to target unpatched Microsoft SharePoint servers, enhancing its toolset for persistence and defense evasion. The group’s use of vulnerable drivers in BYOVD attacks underscores the need for robust kernel-level security measures.


During a recent Warlock attack, tools such as PsExec, RDP Patcher, Velociraptor, and Rclone were observed, highlighting the group’s sophisticated tactics.

To combat BYOVD threats, organizations are advised to only allow signed drivers from trusted publishers, monitor driver installations, and maintain up-to-date security software.
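The monitoring advice above can be turned into a simple driver-load check. The following script is an added example, not code from either vendor report or from the article: it parses constructed Sysmon Event ID 6 (DriverLoad) records, flags the two driver names the article reports (rwdrv.sys and hlpdrv.sys), and applies a signed-drivers-from-trusted-publishers policy. The publisher allowlist, the field layout of the sample records, and the path check are assumptions made for the example; a real deployment would feed in its own telemetry and a vetted allowlist.

```python
"""Flag kernel driver loads that violate a BYOVD-oriented policy.

Added example. The log records below are constructed in a 'Field: value | ...'
text form loosely modelled on Sysmon Event ID 6 (DriverLoad); the publisher
allowlist is a placeholder, not a vendor-supplied list.
"""
import os
import re
from dataclasses import dataclass

# Driver file names the article reports being abused by the Qilin EDR killer.
ABUSED_DRIVER_NAMES = {"rwdrv.sys", "hlpdrv.sys"}

# Assumed allowlist of signing publishers for this example only.
TRUSTED_PUBLISHERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Drivers are normally loaded from this directory; anything else is worth a look.
DRIVER_DIR_PREFIX = "c:\\windows\\system32\\drivers\\"

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    "EventID: 6 | ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys | Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid",
    "EventID: 6 | ImageLoaded: C:\\Users\\Public\\rwdrv.sys | Signed: true | Signature: Example Hardware Vendor Inc. | SignatureStatus: Valid",
    "EventID: 6 | ImageLoaded: C:\\Windows\\Temp\\hlpdrv.sys | Signed: false | Signature: - | SignatureStatus: Unavailable",
    "EventID: 6 | ImageLoaded: C:\\Windows\\System32\\drivers\\acme.sys | Signed: true | Signature: Acme Tools LLC | SignatureStatus: Expired",
    "EventID: 7 | ImageLoaded: C:\\Windows\\System32\\kernel32.dll | Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid",
]

# One 'Name: value' pair; values run up to the next pipe separator.
FIELD_RE = re.compile(r"(\w+): ([^|]*)")


@dataclass
class Finding:
    driver: str
    reasons: list


def parse_event(line):
    """Turn one 'Field: value | Field: value' record into a dict."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def assess_driver_load(event):
    """Return a Finding for a DriverLoad event that violates policy, else None."""
    if event.get("EventID") != "6":
        return None  # only driver-load events are in scope

    path = event.get("ImageLoaded", "")
    name = os.path.basename(path.replace("\\", "/")).lower()
    reasons = []

    if name in ABUSED_DRIVER_NAMES:
        reasons.append("known abused driver name")

    # Policy: signed, with a currently valid signature, by an allowlisted publisher.
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver")
    elif event.get("SignatureStatus") != "Valid":
        reasons.append(f"signature status {event.get('SignatureStatus')}")
    elif event.get("Signature") not in TRUSTED_PUBLISHERS:
        reasons.append(f"publisher not allowlisted: {event.get('Signature')}")

    if not path.lower().startswith(DRIVER_DIR_PREFIX):
        reasons.append("loaded from outside the drivers directory")

    return Finding(name, reasons) if reasons else None


def scan(lines):
    """Run the policy over a sequence of records and collect the findings."""
    findings = []
    for line in lines:
        finding = assess_driver_load(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.driver}: {'; '.join(finding.reasons)}")
```

Note that a valid signature alone is not a pass: the rwdrv.sys record is signed and valid, which is exactly the situation BYOVD relies on, so the name match and the unusual load path are what surface it. The allowlist check is the part to tune per environment; a Windows Defender Application Control or HVCI policy is the durable way to enforce it rather than a log-side script.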

Both Qilin and Warlock ransomware groups pose significant threats, emphasizing the importance of proactive cybersecurity measures to mitigate risks and protect sensitive data.
