Full Report
Threat actors associated with Qilin and Warlock ransomware operations have been observed using the bring your own vulnerable driver (BYOVD) technique to silence security tools running on compromised hosts, according to findings from Cisco Talos and Trend Micro. Qilin attacks analyzed by Talos have been found to deploy a malicious DLL named "msimg32.dll,"
Analysis Summary
# Tool/Technique: Bring Your Own Vulnerable Driver (BYOVD) / EDR Killer
## Overview
Threat actors associated with the **Qilin** and **Warlock** ransomware operations are utilizing the "Bring Your Own Vulnerable Driver" (BYOVD) technique to disable and silence security software. By side-loading malicious DLLs and installing legitimate but vulnerable kernel-mode drivers, attackers gain the high-level system privileges necessary to terminate over 300 different Endpoint Detection and Response (EDR) and antivirus processes, rendering the host defenseless before ransomware encryption.
## Technical Details
- **Type**: Technique (BYOVD) and Malware (EDR Killer/Loader)
- **Platform**: Windows
- **Capabilities**: Kernel-mode execution, security tool termination (300+ vendors), persistence, defense evasion (ETW/Hooking neutralization).
- **First Seen**: Reported April 2026 (variants seen in use since 2025/early 2026).
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
  - **T1055** - Process Injection
  - **T1574.002** - Hijack Execution Flow: DLL Side-Loading
  - **T1027** - Obfuscated Files or Information
  - **T1562.001** - Impair Defenses: Disable or Modify Tools
- **TA0003 - Persistence**
  - **T1543.003** - Create or Modify System Process: Windows Service
- **TA0004 - Privilege Escalation**
  - **T1068** - Exploitation for Privilege Escalation
## Functionality
### Core Capabilities
- **DLL Side-Loading**: Uses a malicious wrapper (`msimg32.dll`) to load a multi-stage PE loader.
- **EDR Driver Termination**: Specifically targets and stops drivers associated with over 300 security products.
- **Kernel Access**: Loads legitimately signed but vulnerable drivers, which get past Windows Kernel Mode Code Signing (KMCS) enforcement, and abuses them to manipulate physical memory.
### Advanced Features
- **Anti-EDR Hooking**: Neutralizes user-mode hooks and suppresses Event Tracing for Windows (ETW) to hide malicious activity.
- **Callback Unregistration**: Prior to terminating security processes, the malware unregisters monitoring callbacks established by security software to prevent interference.
- **In-Memory Execution**: Decrypts and executes the main payload entirely in memory to evade file-based scanners.
## Indicators of Compromise
- **File Names**:
  - `msimg32.dll` (Malicious loader)
  - `rwdrv.sys` (Renamed `ThrottleStop.sys`)
  - `hlpdrv.sys` (Used for process termination)
  - `NSecKrnl.sys` (Vulnerable NSec driver used by Warlock)
  - `googleApiUtil64.sys` (Legacy driver associated with previous campaigns)
- **Behavioral Indicators**:
  - Unexplained termination of security software services.
  - Creation of new, suspicious kernel services/drivers.
  - Unexpected loading of known vulnerable drivers (e.g., ThrottleStop).
## Associated Threat Actors
- **Qilin** (also known as Agenda)
- **Warlock** (also known as Water Manaul)
- **Akira** (associated via shared driver TTPs)
- **Makop** (associated via shared driver TTPs)
## Detection Methods
- **Signature-based detection**: Monitor for known hashes of vulnerable drivers (e.g., ThrottleStop, NSec).
- **Behavioral detection**: Monitor for unauthorized calls to unregister kernel callbacks or attempts to write to physical memory (`\Device\PhysicalMemory`).
- **YARA rules**: Target the encrypted payload structures within the `msimg32.dll` loader or the PE loader's decryption routine.
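The behavioral indicators above (new kernel service, vulnerable driver load, security services stopping) can be correlated into one detection. The following is an added example, not code from the report or from either vendor: it runs over constructed sample events shaped like Sysmon Event ID 6 (DriverLoad), Security 4697 (service installed) and System 7036 (service state change), and flags loads of the driver names listed in this report. The `SECURITY_SERVICES` set and the 10-minute window are assumptions to tune per environment.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Driver file names taken from the report's IoC list (rwdrv.sys is a renamed ThrottleStop.sys).
VULN_DRIVERS = {"rwdrv.sys", "throttlestop.sys", "hlpdrv.sys", "nseckrnl.sys", "googleapiutil64.sys"}
# Assumption: service names of the security products deployed in the estate.
SECURITY_SERVICES = {"windefend", "sense", "csfalconservice"}
WINDOW = timedelta(minutes=10)  # assumed correlation window around the driver load

# Constructed sample telemetry (not real logs); field names mirror the Windows event schemas.
SAMPLE_EVENTS = [
    {"id": 4697, "time": "2026-04-01T10:00:00", "ServiceName": "rwdrv",
     "ServiceFileName": r"C:\Users\Public\rwdrv.sys", "ServiceType": "0x1"},  # 0x1 = kernel driver
    {"id": 6, "time": "2026-04-01T10:00:05", "ImageLoaded": r"C:\Users\Public\rwdrv.sys",
     "Signed": "true", "Signature": "constructed-vendor"},  # a valid signature does not clear it
    {"id": 7036, "time": "2026-04-01T10:00:20", "ServiceName": "WinDefend", "State": "stopped"},
    {"id": 7036, "time": "2026-04-01T10:00:21", "ServiceName": "Sense", "State": "stopped"},
    {"id": 7036, "time": "2026-04-01T10:05:00", "ServiceName": "Spooler", "State": "stopped"},
    {"id": 6, "time": "2026-04-01T11:30:00", "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},  # benign load, must not alert
]

def _t(evt):
    return datetime.fromisoformat(evt["time"])

def detect(events):
    """Return one alert per known-vulnerable driver load, enriched with chain context."""
    events = sorted(events, key=_t)
    alerts = []
    for e in events:
        if e["id"] != 6 or PureWindowsPath(e["ImageLoaded"]).name.lower() not in VULN_DRIVERS:
            continue
        t = _t(e)
        # Kernel service registered shortly before the load (Security 4697, ServiceType 0x1).
        new_svc = [x["ServiceName"] for x in events
                   if x["id"] == 4697 and x.get("ServiceType") == "0x1" and t - WINDOW <= _t(x) <= t]
        # Security services entering the stopped state shortly after the load (System 7036).
        stopped = [x["ServiceName"] for x in events
                   if x["id"] == 7036 and x["State"] == "stopped"
                   and x["ServiceName"].lower() in SECURITY_SERVICES and t <= _t(x) <= t + WINDOW]
        # Driver load alone is medium; each corroborating stage raises the severity.
        severity = ("medium", "high", "critical")[bool(new_svc) + bool(stopped)]
        alerts.append({"driver": PureWindowsPath(e["ImageLoaded"]).name.lower(), "time": e["time"],
                       "new_service": new_svc, "security_stopped": stopped, "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The sample produces a single critical alert for `rwdrv.sys`, tying the new `rwdrv` kernel service to the WinDefend and Sense stops; the benign `ntfs.sys` load and the Spooler stop are ignored.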
## Mitigation Strategies
- **Driver Blocklist**: Enable and regularly update the Microsoft Vulnerable Driver Blocklist or implement an EDR-based blocklist for known vulnerable drivers.
- **Credential Hygiene**: Implement Multi-Factor Authentication (MFA) to prevent initial access via stolen credentials, an entry method favored by Qilin.
- **Memory Integrity**: Enable Hypervisor-Protected Code Integrity (HVCI) and Core Isolation to prevent drivers from executing unauthorized code in the kernel.
- **Patch Management**: Frequently patch applications like Microsoft SharePoint to prevent initial exploit-based entry by groups like Warlock.
## Related Tools/Techniques
- **PsExec**: Used for lateral movement following EDR disabling.
- **TightVNC**: Used by Warlock for persistent remote control.
- **RDP Patcher**: Used to enable multiple concurrent unauthorized remote sessions.