Gigabyte Driver Used to Disable Antivirus Software in RobbinHood Ransomware Scheme


According to research by Sophos, a leading software security firm, a ransomware called "RobbinHood" has been making use of legitimate, but vulnerable, Gigabyte drivers to infect computer systems and take them over. 

The attack works on Windows 7 and newer operating systems (OSes). Gigabyte had previously dismissed the claims that its driver was vulnerable to the flaw that the ransomware group is now exploiting, according to Sophos.

Gigabyte shares part of the blame for initially dismissing the vulnerability in 2018, when security researchers first reported it to the company. The public eventually put enough pressure on Gigabyte that it acknowledged the flaw. 

However, instead of releasing a patch to fix the vulnerability for its older motherboards, the company discontinued support for that driver. This poor judgement on Gigabyte's part has now allowed attackers to weaponize its unpatched driver.

Another party responsible, Sophos said, is Verisign. Two years after Gigabyte discontinued its driver, it is still "trusted" by the Windows OS and many antivirus programs by default because Verisign never revoked its signing certificate. This has allowed attackers to take advantage of the trusted driver to install another, unsigned driver on the victims' machines.

The attackers then use this new, unsigned driver to first patch the Windows kernel in memory and then kill antivirus programs and other endpoint security solutions that would otherwise prevent the ransomware from taking over the machine.
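The chain described above leaves a recognisable trace in driver-load telemetry: a validly signed driver that is on a known-vulnerable list is loaded, and an unsigned driver is loaded a few seconds later. The following is an added detection example written for this article; it is not code from Sophos, Gigabyte or the ransomware. It parses a handful of constructed Sysmon Event ID 6 (Driver Loaded) records using the field names Sysmon really emits (`ImageLoaded`, `Hashes`, `Signed`, `Signature`, `SignatureStatus`), but every path, hash and signer name in the sample data is a placeholder, and the blocklist hash is invented rather than a real indicator.

```python
from datetime import datetime, timedelta

# Placeholder blocklist of SHA-256 hashes of known-vulnerable signed drivers.
# A real deployment would fill this from a vetted source; this value is made up.
VULNERABLE_DRIVER_SHA256 = {
    "PLACEHOLDER_SHA256_OF_VULNERABLE_VENDOR_DRIVER",
}

# Directory where Windows normally keeps installed drivers (compared case-insensitively).
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed Sysmon Event ID 6 records. Field names match Sysmon's schema;
# paths, hashes and signer names are invented for this example.
CONSTRUCTED_EVENTS = [
    {"UtcTime": "2020-02-07 10:00:01.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\legit.sys",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_LEGIT,MD5=PLACEHOLDER_MD5",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"UtcTime": "2020-02-07 10:05:10.000",
     "ImageLoaded": r"C:\Windows\Temp\vendor_driver.sys",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_VULNERABLE_VENDOR_DRIVER,MD5=PLACEHOLDER_MD5",
     "Signed": "true", "Signature": "Example Hardware Vendor", "SignatureStatus": "Valid"},
    {"UtcTime": "2020-02-07 10:05:12.000",
     "ImageLoaded": r"C:\Windows\Temp\payload.sys",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_PAYLOAD,MD5=PLACEHOLDER_MD5",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]


def sha256_of(event):
    """Pull the SHA256 value out of Sysmon's comma-separated Hashes field."""
    for part in event["Hashes"].split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip()
    return None


def parse_time(text):
    """Sysmon UtcTime has the form 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def classify(event):
    """Per-event findings: what about this single driver load deserves attention."""
    findings = []
    if sha256_of(event) in VULNERABLE_DRIVER_SHA256:
        findings.append("known-vulnerable-driver")
    if event["Signed"].lower() != "true" or event["SignatureStatus"] != "Valid":
        findings.append("unsigned-or-invalid-signature")
    if not event["ImageLoaded"].lower().startswith(SYSTEM_DRIVER_DIR):
        findings.append("loaded-outside-system-driver-dir")
    return findings


def detect_chain(events, window=timedelta(seconds=60)):
    """Correlate a known-vulnerable signed driver load with an unsigned driver
    load that follows it within `window`. Either event alone is noisy on a
    fleet; the pairing is the behaviour the article describes."""
    alerts = []
    ordered = sorted(events, key=lambda e: parse_time(e["UtcTime"]))
    vulnerable_loads = []  # (time, event) for vulnerable-driver loads seen so far
    for ev in ordered:
        t = parse_time(ev["UtcTime"])
        tags = classify(ev)
        if "known-vulnerable-driver" in tags:
            vulnerable_loads.append((t, ev))
        if "unsigned-or-invalid-signature" in tags:
            for vt, vev in vulnerable_loads:
                if timedelta(0) <= t - vt <= window:
                    alerts.append({
                        "vulnerable_driver": vev["ImageLoaded"],
                        "unsigned_driver": ev["ImageLoaded"],
                        "seconds_apart": (t - vt).total_seconds(),
                    })
    return alerts


if __name__ == "__main__":
    for ev in CONSTRUCTED_EVENTS:
        print(ev["ImageLoaded"], classify(ev))
    for alert in detect_chain(CONSTRUCTED_EVENTS):
        print("ALERT:", alert)
```

Run against the constructed records, `classify` flags the vendor driver as known-vulnerable and loaded from a temp directory, flags the payload as unsigned, and `detect_chain` raises one alert pairing the two loads two seconds apart. Matching on the file hash rather than the file name matters here: the article's point is that the driver is legitimately signed and unmodified, so name-based or signature-based checks alone will not distinguish it from a benign vendor install.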

One-of-a-Kind Ransomware

Sophos researchers said that even though they’ve seen other ransomware try to kill antivirus programs before, they’ve never seen one where the ransomware uses a trusted third-party driver to achieve that. 

Most security solutions have some kind of "trusted programs" list enabled by default on all installations. This is a compromise security companies have made to reduce the large number of false positives and to avoid users blocking legitimate programs because they didn't understand what the antivirus was asking them to do.

However, chances are that as other avenues to exploit the Windows OS close, malware makers will start to explore additional ways to use that trusted programs list in their favor. If they can trick antivirus programs into believing that their malware is one of the trusted programs in that list, they can then get almost free rein on a user's machine.

Mitigation

As the RobbinHood ransomware has shown, even if your OS is fully patched, an attacker can still leverage other techniques to introduce vulnerabilities onto your computer.

Sophos recommends not relying on a single program to keep you safe, while also adopting other security best practices, such as using OS accounts with limited access rights by default, making regular backups, and using multi-factor authentication.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Coolmeadow Kid
    Which Gigabyte/Aorus boards or drivers are vulnerable? That's something I would have liked to see in the original story. Maybe a link to a list. I'm not very tech savvy, so would like to know what needs to be updated to secure my systems.
  • Chung Leong
    Coolmeadow Kid said:
    Which Gigabyte/Aorus boards or drivers are vulnerable? That's something I would have liked to see in the original story. Maybe a link to a list. I'm not very tech savvy, so would like to know what needs to be updated to secure my systems.

    All Windows PCs are vulnerable to this. There's nothing you can do to secure your system, other than not running the executable.
  • Coolmeadow Kid
    Chung Leong said:
    All Windows PCs are vulnerable to this. There's nothing you can do to secure your system, other than not running the executable.

    Thank you for the reply. But one thing doesn't make sense, that is if all the information in the article is correct. It states that Gigabyte stopped supporting that driver instead of patching it. So did they keep using it without blocking a hacker? The way it's written, my first thought is they came out with a new driver. If Gigabyte is still using the flawed driver, quit supporting it, and didn't issue a patch, then in my eyes, they are complicit with the hackers.
  • ko888
    Coolmeadow Kid said:
    Which Gigabyte/Aorus boards or drivers are vulnerable? That's something I would have liked to see in the original story. Maybe a link to a list. I'm not very tech savvy, so would like to know what needs to be updated to secure my systems.
    BleepingComputer lists these four apps as having the vulnerability:

    GIGABYTE App Center (v1.05.21 and below)
    AORUS Graphics Engine (v1.33 and below)
    XTREME Engine utility (v1.25 and earlier)
    OC Guru II (v2.08)
  • razor512
    Was just about to post that, just found it crazy how the article lacked that info. The source article linked to the CVE that detailed the issue, but subsequent articles skipped it.
    This gives the false impression that there is nothing you can do when in reality, it is a few applications that no one uses.
  • Chung Leong
    Coolmeadow Kid said:
    If Gigabyte is still using the flawed driver, quit supporting it, and didn't issue a patch, then in my eyes, they are complicit with the hackers.

    The vulnerability can't be eliminated by a patch. The crooks will just continue to bundle the vulnerable version of the driver. To stop the OS from trusting the driver, the key used to sign it has to be revoked. But that would render other drivers signed with the same key unusable as well.
  • Chung Leong
    razor512 said:
    This gives the false impression that there is nothing you can do when in reality, it is a few applications that no one uses.

    You're missing the point. In a ransomware scenario, the victim is tricked into downloading and running the malware. The vulnerable driver doesn't need to be present prior to the attack. The malware itself can install it. Windows will ask for permission, but the mildly worded warning won't deter people.
  • Coolmeadow Kid
    ko888 said:
    BleepingComputer lists these four apps as having the vulnerability:

    GIGABYTE App Center (v1.05.21 and below)
    AORUS Graphics Engine (v1.33 and below)
    XTREME Engine utility (v1.25 and earlier)
    OC Guru II (v2.08)
    Thanks! That's what I was looking for. I think.
  • littleleo
    Chung Leong said:
    All Windows PCs are vulnerable to this. There's nothing you can do to secure your system, other than not running the executable.

    We can stop buying Gigabyte motherboards until they change their thinking. Loss of sales usually will get their attention.