If you're using cheat programs when playing games on PC, you could be putting your computer at risk, as vulnerabilities in signed drivers are most commonly used by game cheat developers to circumvent anti-cheat mechanisms.
However, they have also been observed being used by several advanced persistent threat (APT) groups, according to a new report from ESET. The internet security company recently took a deep dive into the types of vulnerabilities that commonly occur in kernel drivers, and in the process it also found several vulnerable drivers in popular gaming software.
Unsigned drivers, or signed ones with vulnerabilities, can often become an unguarded gateway to the Windows kernel for malicious actors. While directly loading a malicious, unsigned driver is no longer possible on Windows 11 and Windows 10, and rootkits are considered a thing of the past, there are still ways to load malicious code into the Windows kernel, especially by abusing legitimate, signed drivers.
In fact, many drivers from hardware and software vendors offer functionality that grants full access to the kernel with minimal effort. During its research, ESET found vulnerabilities in AMD's μProf profiling software, the popular benchmarking tool Passmark and the system utility PC Analyser. Thankfully, the developers of all of the affected programs have since released patches for these vulnerabilities after ESET contacted them.
Bring Your Own Vulnerable Driver
A common technique that cybercriminals and threat actors use to run malicious code in the Windows kernel is known as Bring Your Own Vulnerable Driver (BYOVD). Peter Kálnai, senior malware researcher at ESET, provided further details on this technique in a press release, saying:
“When malware actors need to run malicious code in the Windows kernel on x64 systems with driver signature enforcement in place, carrying a vulnerable signed kernel driver seems to be a viable option for doing so. This technique is known as Bring Your Own Vulnerable Driver, abbreviated as BYOVD, and has been observed being used in the wild by both high-profile APT actors and in commodity malware.”
Examples of malicious actors using BYOVD include the Slingshot APT group, which implemented its main module, Cahnadr, as a kernel-mode driver that can be loaded via vulnerable signed kernel drivers, and the InvisiMole APT group, which ESET researchers discovered back in 2018. The RobinHood ransomware is yet another example: it leverages a vulnerable GIGABYTE motherboard driver to disable driver signature enforcement and then install its own malicious driver.
In a lengthy blog post accompanying its press release, ESET explained that virtualization-based security, certificate revocation and driver blocklisting are all useful mitigation techniques for those worried about the dangers posed by signed kernel drivers that have been hijacked by malicious actors.
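To check whether two of the host-side mitigations named above (virtualization-based security with HVCI, and Microsoft's vulnerable driver blocklist) are actually active on a machine, here is an added PowerShell example; it is not code from ESET's post. It reads the documented Win32_DeviceGuard CIM class and the Code Integrity registry key; the function and property names in the output are this example's own.

```powershell
# Added example (not from ESET's report): report whether virtualization-based
# security, HVCI (memory integrity) and the Microsoft vulnerable driver blocklist
# are enabled on this Windows host. Run from an elevated PowerShell session.
function Get-ByovdMitigationStatus {
    # Documented Device Guard status class; SecurityServicesRunning is an array
    # where 1 = Credential Guard and 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    $hvciRunning = $dg.SecurityServicesRunning -contains 2
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # Documented location of the vulnerable driver blocklist switch (DWORD, 1 = on).
    $ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciKey `
                    -Name 'VulnerableDriverBlocklistEnable' `
                    -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    if ($null -eq $blocklist) {
        # Absent value: behaviour falls back to the OS build's default, so report it as such.
        $blocklistState = 'not set (OS default for this build applies)'
    } else {
        $blocklistState = [bool]$blocklist
    }

    [pscustomobject]@{
        VbsRunning                = $vbsRunning
        HvciRunning               = $hvciRunning
        VulnerableDriverBlocklist = $blocklistState
    }
}

$status = Get-ByovdMitigationStatus
$status | Format-List

if (-not $status.HvciRunning) {
    Write-Warning 'HVCI is not running: kernel memory integrity protections against abused signed drivers are absent.'
}
```

A machine showing HvciRunning = False or a disabled blocklist is one where a signed-but-vulnerable driver, if it reaches the host, can be loaded unhindered, so these two values are worth collecting in endpoint inventories.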