Credential theft alert! Venak Security discovers a BYOVD attack using .SYS drivers to bypass Windows security. Learn how this attack steals user data and gains control.
A recent investigation by Venak Security uncovered an attack scenario that leverages a vulnerability in a kernel-level driver shipped with Check Point's ZoneAlarm antivirus software. The vulnerable driver, vsdatant.sys, version 14.1.32.0, with an MD5 hash of 190fe0ce4d43ad8eed97aaa68827e2c6, was the core component of the exploit.
This driver was originally released in 2016 and became a point of entry for malicious actors employing a technique known as "Bring Your Own Vulnerable Driver" (BYOVD). The technique let the attackers gain kernel-level privileges on the compromised systems, effectively bypassing crucial Windows security features, including Memory Integrity (also known as Hypervisor-protected Code Integrity, HVCI), a Windows security feature that uses virtualization to protect kernel memory and code integrity from malicious code and drivers.
Researchers noted that BYOVD has become a favoured tool among cybercriminal groups seeking to disable Endpoint Detection and Response (EDR) products. The BYOVD approach involves dropping a legitimately signed but vulnerable driver onto the target system and exploiting it to execute malicious code at the kernel level. The abuse of digitally signed drivers is the key to the technique: Windows only loads kernel drivers that carry a valid signature, so a signed driver loads without objection and, because it looks like a legitimate vendor component, is typically trusted by security software as well, effectively bypassing detection.
As per Venak Security's research, the attack starts with a malicious email carrying a dropper, which downloads and executes a script that installs the vulnerable driver (.SYS file) and registers it as a service. Registering and loading a kernel driver requires administrative rights, so the attacker must already hold local admin on the host; what BYOVD buys is the step from administrator to kernel, where the security products' own protections can be switched off.
Through the driver, the attacker disables Core Isolation and removes process protection. The attacker then extracts user credentials, sends them to a command-and-control server, and uses Remote Desktop to gain persistent control of the compromised machine. This image demonstrates how this attack was implemented:
Researchers noted that while Memory Integrity uses the hypervisor to ensure that only signed, verified code can run in the kernel, making it difficult for attackers to inject malicious code, the vulnerable vsdatant.sys driver is validly signed and therefore loads under that policy; once loaded, it gave the attackers the kernel-level access needed to defeat these protections, rendering the feature ineffective.
Because vsdatant.sys runs in kernel mode, the vulnerability let the attackers evade standard security controls and take complete control of the infected machines while remaining undetected. As a result, the attackers could access and extract sensitive information, including user passwords and stored credentials.
Furthermore, the vulnerable driver carried a valid digital signature, which is why typical EDR solutions failed to flag it, classifying it as safe; the malicious activity therefore proceeded without triggering security alerts. Venak Security was able to replicate the attack and demonstrate its execution, which highlights a critical limitation of signature-based trust against BYOVD attacks.
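As an added example (not code from the article or from Venak Security), the PowerShell below turns the indicators in this report into a host check that covers the attack chain above and the EDR blind spot just described: it looks for the driver named on this page by file hash and version among registered kernel-mode driver services, pulls the service-installation events that the "register it as a service" step leaves in the System log, and reports whether Memory Integrity and Microsoft's vulnerable driver blocklist are on. The driver name, version and MD5 come from the article; everything else (the CIM classes, event ID 7045 and the registry value) is a documented Windows interface, not something the report describes. It does nothing with the driver beyond hashing the file.

```powershell
# Added example (not from the Hackread article or from Venak Security): hunt for
# the vulnerable ZoneAlarm driver on a Windows host and report the state of the
# mitigations that matter for BYOVD. Run from an elevated PowerShell prompt.
# Only the driver name, version and MD5 are taken from the article; the Windows
# interfaces used (Win32_SystemDriver, event ID 7045, Win32_DeviceGuard, the
# CI\Config registry value) are documented OS interfaces, not part of the report.

$BadDriver  = 'vsdatant.sys'
$BadVersion = '14.1.32.0'
$BadMd5     = '190fe0ce4d43ad8eed97aaa68827e2c6'

# Win32_SystemDriver reports PathName in several forms; normalise to a file path.
function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                  # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot         # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # system32\drivers\x.sys
    return $p
}

# 1. Registered kernel-mode driver services whose image matches the IOC. A BYOVD
#    loader registers the .SYS as a service, so the driver shows up here whether
#    or not it is currently loaded. Match on hash first: the file may be renamed.
$hits = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    $path = Resolve-DriverPath $drv.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
    $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
    $ver = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
    if ($md5 -ne $BadMd5 -and (Split-Path -Leaf $path) -ne $BadDriver) { continue }
    $verdict = if ($md5 -eq $BadMd5 -or $ver -eq $BadVersion) { 'VULNERABLE' } else { 'same name, other build: review' }
    [pscustomobject]@{
        Service = $drv.Name; State = $drv.State; StartMode = $drv.StartMode
        Path = $path; Version = $ver; MD5 = $md5; Verdict = $verdict
    }
}

# 2. Service-install records (System log, event ID 7045) for kernel-mode drivers
#    in the last 30 days: the "register it as a service" step leaves this event.
#    EventData order for 7045: 0 = service name, 1 = image path, 2 = service type,
#    3 = start type, 4 = account.
$since = (Get-Date).AddDays(-30)
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'kernel mode driver' } |
    ForEach-Object {
        $image = [string]$_.Properties[1].Value
        $flag  = if ($image -match [regex]::Escape($BadDriver)) { 'MATCHES IOC' } else { '' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Service = $_.Properties[0].Value
            Image   = $image
            Start   = $_.Properties[3].Value
            Account = $_.Properties[4].Value
            Flag    = $flag
        }
    }

# 3. Mitigation state. Memory Integrity (HVCI) is code 2 in SecurityServicesRunning.
#    The vulnerable driver blocklist is what stops a signed-but-known-bad driver
#    from loading at all, which a vendor's product update cannot do on its own.
#    The registry value reports only an explicit setting; when it is absent the
#    OS default applies (enabled on HVCI-enabled devices and recent Windows 11).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvciRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)
$bl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
$blocklistState = if ($null -eq $bl) { 'not set (OS default applies)' } elseif ($bl.VulnerableDriverBlocklistEnable -eq 1) { 'explicitly enabled' } else { 'explicitly DISABLED' }

"Memory Integrity (HVCI) running : $hvciRunning"
"Vulnerable driver blocklist     : $blocklistState"
"`nDriver services matching the IOC:"
$hits | Format-Table -AutoSize
"`nKernel-mode driver services installed since $($since.ToShortDateString()):"
$installs | Format-Table -AutoSize
```

A row with Verdict VULNERABLE is the driver discussed above; a 7045 row for a kernel-mode driver whose image sits outside the Windows directory is the service-registration step to investigate; and "HVCI running: False" means the feature the report describes bypassing was not on to begin with. Because the hash check reads every registered driver image, the script takes a few seconds on a typical host.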
Check Point reached out to Hackread.com with a statement emphasising that the driver cited by Venak Security is outdated and not present in current versions of its products, and that users with updated ZoneAlarm or Harmony Endpoint are safe.
“The vulnerable driver referenced by Venak Security (vsdatant.sys, version 14.1.32.0) is outdated and no longer in use in current versions of our products. Users running the latest versions of ZoneAlarm or Harmony Endpoint are not affected, as these include updated drivers that address this issue. After a thorough review, we can confirm that versions released in the past 8 years are not vulnerable to this issue. For full protection, we recommend users ensure they are running the most recent version of Check Point ZoneAlarm or Check Point Harmony Endpoint, which includes enhanced safeguards against BYOVD-style attacks.”
Check Point’s Spokesperson
It is important to note that the most current version of the driver does not contain this vulnerability and Check Point has been informed of the issue. Still, the findings show the importance of driver security and the need for vendors to inspect their drivers thoroughly for vulnerabilities. Because the old driver's signature remains valid, updating the product on a given machine does not by itself stop an attacker from bringing that driver along; keeping it out depends on a driver blocklist (Microsoft's vulnerable driver blocklist or an organisation's own WDAC policy) and on detecting the service registration that loads it.