RunpeX Abuses Legitimate AntiMalware Driver

The SonicWall Capture Labs Research team has observed RunpeX abusing a vulnerable version of a kernel driver belonging to Zemana AntiMalware. RunpeX is a protector and malware injector based on the KoiVM .NET protector. It is widely used to deliver different malware families such as Remcos, Formbook, AgentTesla, Redline and Vidar. The legitimate driver dropped by RunpeX is used to kill or disable AV/EDR processes, which are normally protected. This technique is also known as Bring Your Own Vulnerable Driver (BYOVD); it has previously been employed by APT groups, AV/EDR killer tools and ransomware actors.

Layer 1:

The first-stage loader is a .NET application that contains the encrypted second-stage payload hardcoded in a byte array. This byte array is decrypted and executed using the Assembly.Load() method.

Figure 1: Byte array contains encrypted second-stage loader and InvokeMethod() function 

 

Before executing the second-stage payload, a function named “Do()” is called to bypass AMSI detection by patching the AmsiScanBuffer() function.

Figure 2: Function to bypass AMSI  

Layer 2:

The second-stage loader is RunpeX itself, a .NET binary protected with a customized KoiVM virtualizer. This payload is responsible for installing the Zemana AntiMalware driver.

Figure 3: Decompiled code of second-stage payload

 

To disable security solutions, the second-stage payload drops and installs the Zemana driver. The driver is dropped at the root of the C: drive with the name “Zemana.sys” and is signed by “Zemana Ltd.”

Figure 4: Driver is signed by “Zemana Ltd”

 

To install the driver on the system, RunpeX elevates privileges using the CMSTP UAC bypass technique. The command below is executed to achieve privilege escalation:

  • “c:\windows\system32\cmstp.exe /au C:\windows\temp\1brdhu0p.inf”

Figure 5: Privilege escalation and UAC bypass using cmstp.exe

 

The INF file used in this UAC bypass is similar to the file present on GitHub.

Figure 6: Content of inf file

 

In the next step, a driver service named “Zemana” is created to load the driver.

Figure 7: Service named “Zemana” is created to load driver

 

It then retrieves a handle to the loaded driver using the CreateFileA() function:

Figure 8: Code snippet to retrieve driver handle

 

Using the handle obtained in the previous step, RunpeX sends IOCTL code 0x80002010 so that the driver registers it as a trusted process.

Figure 9: IOCTL used to add process in trusted list

 

Finally, RunpeX sends another IOCTL code, 0x80002048, to terminate a target process, passing the process PID as the parameter. Using this IOCTL, it terminates all processes present in its configuration list.

Figure 10: IOCTL used to terminate security software processes
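The chain described above (cmstp.exe /au with a temp INF, a service named “Zemana” loading Zemana.sys from the root of C:, and the loader hash from the IOC list) gives a defender several observable points before any IOCTL is sent. The following detection logic is an added example, not SonicWall's code or signature; the event records are constructed to resemble Sysmon-style process, service and driver telemetry, and the field names are assumptions.

```python
import re

# SHA256 of the initial .NET payload, taken from the IOC list in this post.
RUNPEX_LOADER_SHA256 = "2d3c9078e40a6dd286b36dbaaf1f0a367d22a0f9e30a2fc93d1d8ba5b9b97ce8"

# Constructed sample telemetry (not real captured logs). Field names are assumed;
# the values mirror the behaviour described in the analysis above.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\u\loader.exe",
     "sha256": RUNPEX_LOADER_SHA256, "cmdline": "loader.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmstp.exe",
     "sha256": "aa" * 32,
     "cmdline": r"c:\windows\system32\cmstp.exe /au C:\windows\temp\1brdhu0p.inf"},
    {"type": "service_install", "service": "Zemana", "image": r"C:\Zemana.sys"},
    {"type": "driver_load", "image": r"C:\Zemana.sys", "signer": "Zemana Ltd."},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "sha256": "bb" * 32, "cmdline": "notepad.exe"},
]

# cmstp.exe invoked with /au and an INF argument (the UAC bypass pattern in Figure 5).
CMSTP_AU_INF = re.compile(r"cmstp\.exe.*\s/au\s+.*\.inf", re.IGNORECASE)
# A .sys file sitting directly at a drive root, as Zemana.sys is dropped here.
ROOT_SYS = re.compile(r"^[a-z]:\\[^\\]+\.sys$", re.IGNORECASE)


def classify(event):
    """Return the list of detection names that fire on a single event."""
    hits = []
    if event["type"] == "process_create":
        if event.get("sha256", "").lower() == RUNPEX_LOADER_SHA256:
            hits.append("known RunpeX loader hash")
        if CMSTP_AU_INF.search(event.get("cmdline", "")):
            hits.append("cmstp.exe /au with INF (UAC bypass pattern)")
    elif event["type"] in ("service_install", "driver_load"):
        image = event.get("image", "")
        if event.get("service", "").lower() == "zemana" or image.lower().endswith("zemana.sys"):
            hits.append("Zemana AntiMalware driver service/load (BYOVD candidate)")
        if ROOT_SYS.match(image):
            hits.append("kernel driver loaded from drive root")
    return hits


def scan(events):
    """Run classify() over a sequence of events; returns (event_index, detection) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in classify(ev)]
```

The driver-name rule will also fire on a legitimate Zemana AntiMalware installation, so it is best correlated with the root-path and cmstp.exe rules rather than used alone.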

 

Driver IOCTL functionality

The figure below shows the IOCTL handler functions that are part of the installed driver:

Figure 11: Driver function to handle IOCTLs

Indicators Of Compromise (IOCs):

  • 2d3c9078e40a6dd286b36dbaaf1f0a367d22a0f9e30a2fc93d1d8ba5b9b97ce8 – Initial Payload (.Net Application)

SonicWall Capture Labs provides protection against this threat via the following signature:

  • Injector.RPX (Trojan)