Windows users are once again susceptible to malware attacks.
The driver vulnerability has now escalated
As we already reported, earlier this month the cybersecurity firm Eclypsium revealed that drivers from most hardware manufacturers contain a flaw that allows user-level malware to gain kernel privileges.
With kernel privileges, the malware gains direct access to firmware and hardware.
Now, the Complete Control attack that threatened BIOS vendors like Intel and NVIDIA affects all newer versions of Windows, including 7, 8, 8.1 and Windows 10.
At the time of the discovery, Microsoft stated that the threat did not pose a real danger to its OS and that Windows Defender could stop any attack based on the flaw.
But the tech giant failed to mention that only the latest Windows patches offer protection, so Windows users who aren’t up to date remain susceptible to attacks.
To combat that, Microsoft wants to blacklist any drivers that carry the vulnerability through HVCI (Hypervisor-enforced Code Integrity), but this won’t solve the problem for everyone.
HVCI is only supported on devices running 7th Gen Intel CPUs or newer. Users whose hardware does not support it have to uninstall the affected drivers manually, or they remain exposed to the flaw.
Hackers use NanoCore RAT to get access to your system
Now, attackers have found ways to exploit the vulnerability, and an updated version of a Remote Access Trojan (RAT) called NanoCore RAT is lurking around.
Fortunately, security researchers at LMNTRIX Labs have already dealt with it and shared how you can detect the RAT:
- T1064 – Scripting: Scripting is commonly used by system administrators to perform routine tasks, so any anomalous execution of legitimate scripting programs, such as PowerShell or Wscript, can signal suspicious behaviour. Checking Office files for macro code can also help identify scripting used by attackers. Office processes such as winword.exe spawning instances of cmd.exe, or script hosts like wscript.exe and powershell.exe, may indicate malicious activity.
- T1060 – Registry Run Keys / Startup Folder: Monitoring the Registry for changes to Run keys that do not correlate with known software or patch cycles, and monitoring the Startup folder for additions or changes, can help detect malware. Suspicious programs executing at start-up may show up as outlier processes that have not been seen before when compared against historical data. Solutions like LMNTRIX Respond, which monitors these important locations and raises alerts for any suspicious change or addition, can help detect these behaviours.
- T1193 – Spearphishing Attachment: Network Intrusion Detection systems, such as LMNTRIX Detect, can be used to detect spearphishing with malicious attachments in transit. In LMNTRIX Detect’s case, built-in detonation chambers can detect malicious attachments based on behaviour rather than signatures. This is critical, as signature-based detection often fails to protect against attackers who frequently change and update their payloads.
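As an added illustration (not code from the article or from LMNTRIX), the following Python script applies the T1064 and T1060 checks described above to constructed Sysmon-style events: it flags Office processes spawning shells or script hosts, and Run-key writes whose value name is not in a known-software baseline. The event field names, the allowlist and the sample events are assumptions.

```python
# Added example: host-side detection for the T1064 and T1060 signals above,
# run over constructed Sysmon-style events (field names are assumptions).

# Office parents that should rarely spawn shells or script hosts (T1064).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Substrings identifying Registry Run / RunOnce keys (T1060).
RUN_KEY_MARKERS = ("\\currentversion\\run",)
# Constructed allowlist of Run-key value names from the software baseline.
KNOWN_RUN_VALUES = {"onedrive", "securityhealth"}


def _basename(path):
    """Return the lower-cased executable name from a full Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (technique, reason) tuples for suspicious events."""
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            parent = _basename(ev["parent_image"])
            child = _basename(ev["image"])
            if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
                alerts.append(("T1064", f"{parent} spawned {child}: {ev['cmdline']}"))
        elif ev["type"] == "registry_set":
            key = ev["target"].lower()
            if any(marker in key for marker in RUN_KEY_MARKERS):
                value_name = key.rsplit("\\", 1)[-1]
                if value_name not in KNOWN_RUN_VALUES:
                    alerts.append(("T1060", f"unknown Run value {value_name!r} -> {ev['details']}"))
    return alerts


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c wscript.exe invoice.vbs"},
    {"type": "process_create", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "registry_set", "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "details": "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
    {"type": "registry_set", "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost",
     "details": "C:\\Users\\u\\AppData\\Roaming\\svchost.exe"},
]

if __name__ == "__main__":
    for technique, reason in detect(SAMPLE_EVENTS):
        print(technique, reason)
```

The explorer.exe-launched cmd.exe and the baselined OneDrive Run value produce no alert; only the Office-spawned shell and the unknown Run value are reported.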
Be sure to stay safe by updating all your drivers and your Windows installation to the latest available versions.
If you don’t know how to do that, we’ve prepared a guide that will help you update any outdated drivers.