SonicWall Capture Labs Research team has observed RunpeX is abusing vulnerable version of kernel driver belonging to Zemana AntiMalware. RunpeX is a protector and malware injector based on KoiVM .NET protector. RunpeX is widely used to deliver different malware families like Remcos, Formbook, AgentTesla, Redline, Vidar, etc. The legitimate driver dropped by RunpeX is used to kill/disable AV/EDR processes which are generally protected. This technique is also known as Bring Your Own Vulnerable Driver (BYOVD). Previously, this technique has been employed by APT groups, AV/EDR killer tools, and ransomware actors.
First-stage loader is .net application, which contains encrypted second stage payload hardcoded in byte array. This byte array is decrypted and executed using Assembly.Load() method.
Figure 1: Byte array contains encrypted second-stage loader and InvokeMethod() function
Figure 2: Function to bypass AMSI
Second-stage loader is .net RunpeX, which is protected with customized KoiVM virtualizer. This payload is responsible for installing Zemana AntiMalware driver.
Figure 3: Decompiled code of second-stage payload
In order to disable security solutions, this second stage payload drops and install Zemana driver. The driver is dropped at the root of “c” drive with name “Zemana.sys” and is signed by “Zemana Ltd.”
Figure 4: Driver is signed by “Zemana Ltd”
To install driver on system, RunpeX elevate privileges using CMSTP UAC bypass technique. Below command is executed to achieve privilege escalation:
- “c:\windows\system32\cmstp.exe /au C:\windows\temp\1brdhu0p.inf”
Figure 5: Privilege escalation and UAC bypass using cmstp.exe
The INF file used in this UAC bypass is similar to the file present on GitHub.
Figure 6: Content of inf file
In the next step, driver service is created with name “Zemana” to load driver.
Figure 7: Service named “Zemana” is created to load driver
Then it retrieves handle to the loaded driver using CreateFileA() function:
Figure 8: Code snippet to retrieve driver handle
Figure 9: IOCTL used to add process in trusted list
Finally, RunpeX sends another IOCTL code 0x80002048 to terminate target process by passing process PID as parameter. Using this IOCTL, it terminates all processes which are present in the configuration list.
Figure 10: IOCTL used to terminate security software processes
Driver IOCTL functionality
Below figure shows IOCTL handler functions that are part of installed driver:
Figure 11: Driver function to handle IOCTLs
Indicators Of Compromise (IOCs):
2d3c9078e40a6dd286b36dbaaf1f0a367d22a0f9e30a2fc93d1d8ba5b9b97ce8 – Initial Payload (.Net Application)
SonicWall Capture Labs provides protection against this threat via the following signature:
- Injector.RPX (Trojan)