Researchers have discovered that non-privileged attackers are exploiting as many as 34 distinct Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers with vulnerabilities, enabling them to achieve complete control over the associated devices and execute any desired code on the underlying systems.
[FREE E-BOOK] The Definite Blueprint for Cybersecurity in Manufacturing
Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, stated, “By taking advantage of the drivers, an attacker without privilege can erase or change firmware and/or elevate [operating system] privileges.”
This study builds upon earlier research projects such as ScrewedDrivers and POPKORN, which employed symbolic execution to identify vulnerable drivers automatically. The focus here primarily centers on drivers that grant firmware access via memory-mapped I/O and port I/O.
Some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys.
GootBot is reported to be an obfuscated PowerShell script designed with the purpose of establishing connections with compromised WordPress websites, effectively seizing control of them and awaiting further instructions.
Adding to the complexity, each deployed GootBot sample features a distinct hard-coded Command and Control (C2) server. This variation in C2 servers poses a significant challenge in mitigating malicious traffic, as it hinders the ability to predict and prevent these connections.
“Currently observed campaigns leverage SEO-poisoned searches for themes such as contracts, legal forms, or other business-related documents, directing victims to compromised sites designed to look like legitimate forums where they are tricked into downloading the initial payload as an archive file,” said the researchers.
Within the archive file, a concealed JavaScript file lies in wait. When executed, this file proceeds to retrieve another JavaScript file, which is summoned by a scheduled job, ensuring its persistence.
In the second stage, the JavaScript is meticulously programmed to initiate a PowerShell script, which is responsible for gathering system information and transmitting it to a remote server. In response, the remote server dispatches its own PowerShell script, which operates indefinitely, granting threat actors the ability to send a variety of payloads as needed.
Among the tasks assigned to GootBot, it is programmed to connect with its Command and Control (C2) server at 60-second intervals, receiving PowerShell tasks to execute and subsequently transmitting the results of these operations back to the server via HTTP POST requests.
GootBot exhibits versatile capabilities, including espionage within its operational environment and lateral movement, enabling the attack to scale across a broader scope.
“The discovery of the Gootbot variant highlights the lengths to which attackers will go to evade detection and operate in stealth,” they said.
“This shift in TTPs and tooling heightens the risk of successful post-exploitation stages, such as GootLoader-linked ransomware affiliate activity.”
MANAGED CYBERSECURITY SOLUTIONS
Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.