If you're using cheat programs when playing games on PC, you could be putting your computer at risk, as vulnerabilities in signed drivers are most commonly used by game cheat developers to circumvent anti-cheat mechanisms.
However, they have also been observed being used by several advanced persistent threat (APT) groups, according to a new report from ESET. The internet security company recently took a deep dive into the types of vulnerabilities that commonly occur in kernel drivers, and in the process it found several vulnerable drivers in popular gaming software.
Unsigned drivers, or signed ones with vulnerabilities, can often become an unguarded gateway to the Windows core for malicious actors. While directly loading a malicious, unsigned driver is no longer possible in Windows 11 and Windows 10, and rootkits are considered to be a thing of the past, there are still ways to load malicious code into the Windows kernel, especially by abusing legitimate, signed drivers.
In fact, there are many drivers from hardware and software vendors that offer functionality to fully access the kernel with minimal effort. During its research, ESET found vulnerabilities in AMD's μProf profiling software, the popular benchmarking tool Passmark and the system utility PC Analyser. Thankfully, the developers of all of the affected programs have since released patches to fix these vulnerabilities after ESET contacted them.
Bring Your Own Vulnerable Driver
A common technique cybercriminals and threat actors use to run malicious code in the Windows kernel is known as Bring Your Own Vulnerable Driver (BYOVD). Peter Kálnai, senior malware researcher at ESET, provided further details on this technique in a press release, saying:
“When malware actors need to run malicious code in the Windows kernel on x64 systems with driver signature enforcement in place, carrying a vulnerable signed kernel driver seems to be a viable option for doing so. This technique is known as Bring Your Own Vulnerable Driver, abbreviated as BYOVD, and has been observed being used in the wild by both high-profile APT actors and in commodity malware.”
Examples of malicious actors using BYOVD include the Slingshot APT group, which implemented its main module Cahnadr as a kernel-mode driver that can be loaded by vulnerable signed kernel drivers, and the InvisiMole APT group, which ESET researchers discovered back in 2018. The RobinHood ransomware is yet another example; it leverages a vulnerable GIGABYTE motherboard driver to disable driver signature enforcement and install its own malicious driver.
In a lengthy blog post accompanying its press release, ESET explained that virtualization-based security, certificate revocation and driver blocklisting are all useful mitigation techniques for those worried about the dangers posed by signed kernel drivers that have been hijacked by malicious actors.
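A defender-side posture check for the mitigations named above, added here as an example that is not part of the article or of ESET's report. It assumes an elevated PowerShell 5.1 or later session on Windows 10/11; the function names are my own, while the Win32_DeviceGuard class and the VulnerableDriverBlocklistEnable registry value are Microsoft's.

```powershell
# Added example: audit a host against BYOVD. Checks whether hypervisor-enforced
# code integrity (HVCI) is running and whether Microsoft's vulnerable driver
# blocklist is switched on, then lists running kernel drivers not signed by Microsoft.

function Get-ByovdMitigationStatus {
    # HVCI is the "Memory integrity" part of virtualization-based security.
    # SecurityServicesRunning contains 2 when HVCI is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)

    # Vulnerable driver blocklist toggle (Windows 11 22H2 and later); a missing
    # value means the policy has not been set explicitly.
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $value = (Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' `
        -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    [pscustomobject]@{
        HvciRunning               = $hvciRunning
        VulnerableDriverBlocklist = if ($null -eq $value) { 'not set' }
                                    elseif ($value -eq 1) { 'enabled' } else { 'disabled' }
    }
}

function Get-ThirdPartyKernelDrivers {
    # Running kernel drivers whose image is not signed by Microsoft: these are the
    # candidates to compare against a blocklist or vendor advisories. Drivers
    # signed only through a catalog may show Status 'NotSigned' here; treat those
    # as review items rather than as proof of tampering.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the kernel-style paths WMI returns (\??\C:\..., \SystemRoot\...).
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if ($path -notmatch '^[A-Za-z]:') { $path = Join-Path $env:SystemRoot $path }
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned/unknown>' }
            if ($signer -notmatch 'Microsoft') {
                [pscustomobject]@{ Name = $_.Name; Path = $path; Signer = $signer; Status = $sig.Status }
            }
        }
}

Get-ByovdMitigationStatus | Format-List
Get-ThirdPartyKernelDrivers | Format-Table -AutoSize
```

The listed drivers should be cross-checked against Microsoft's recommended driver block rules and the vendor advisories for the products named above before deciding whether any of them need updating or removal.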