When we think about cyber attacks our minds go to ransomware, capable of holding data hostage or malware used to exfiltrate data and this makes sense in many scenarios. But what if an entirely legitimate kernel driver with a valid digital signature, embedded deep into the system is abused to launch an attack? This is exactly what happened with RobbinHood a living-off-the-land attack, which lowers considerably the detection profile of an attacker. RobbinHood was discussed by ReaQta CEO Alberto Pelliccione in his recent LinkedIn post – he pointed out that, in the hands of a sophisticated threat actor this is a very useful weapon: legit and ready to be used.

He explains: “Normally ransomware such as Ryuk or Sodinokibi are plain applications doing some dirty work, RobbinHood instead does its deed from a driver, deep into the system. To use such a driver one needs a specific Digital Certificate with a high level of verification, which normally criminals don’t try to obtain, because they can reuse an existing driver. Bugs are everywhere and drivers are no exception, a bugged driver can allow a malicious party to run code at the highest possible level on an endpoint. This is what RobbinHood does: it uses a bug, in a legitimate driver, to load a malicious (unsigned) driver and wreak havoc. To make matters worse: there are a LOT of legitimate bugged drivers that can be used for this purpose! RobbinHood uses one to avoid anti-ransomware solutions, and it works quite well, normally ransomware analysis is not done on kernel operations (mostly for performance reasons). A good practice is, when possible, to block all known bugged drivers, as many are widely reported and still valid. As usual below how RobbinHood behaviour looks like, hopefully the only place where you’ll see it active.”

[ReaQta-Hive platform detects and blocks new and unknown threats, from ransomware to sophisticated file-less and in-memory attacks.  Download the brochure to understand how ]

RobbinHood Analysis

Team ReaQta ran an analysis to find out how common such vulnerable drivers are within the enterprise. Below ReaQta-Hive shows a support utility from HP that comes by default with certain laptops. The application installs a driver called “activehealth.sys”, ReaQta cloud analysis reports it as safe (because it is) but this driver, signed with a high level certificate, is actually vulnerable and it can be abused to run code with high privileges on a machine. From the point of view of an attacker this is an advantage: there is no need to carry the driver – unlike what RobbinHood does – as it’s already there, and companies cannot just revoke their certificates as the impact on the user base can be severe. Thus an attacker finds itself with a convenient way to run dangerous code, just by reusing what already exists on a computer, this living-off-the-land technique works extremely well for the attacker as it lowers their detection profile- a powerful tool in the hands of a sophisticated threat actor. We can expect to find interesting cases in the near future with more than “just” a ransomware.

[Find out if ReQta-Hive platform can help your  organisation detect and block sophisticated threats – from fileless to in-memory. Get a free demo today.]