Qilin Ransomware Leverages TPwSav.sys Driver to Disable EDR Security Measures


Cybercriminals have once again demonstrated their evolving sophistication by weaponizing an obscure Toshiba laptop driver to bypass endpoint detection and response systems.

The Qilin ransomware operation, active since July 2022, has added a previously unreported vulnerable driver, TPwSav.sys, to its toolkit, enabling it to disable EDR protections through the technique known as bring-your-own-vulnerable-driver (BYOVD).

This development represents a significant escalation in ransomware operators’ ability to evade traditional security measures that organizations have come to rely upon.


The Qilin ransomware group operates under a ransomware-as-a-service model, offering affiliates substantial profit margins of 80% for ransom payments under $3 million and 85% for larger payments.

Qilin affiliates have been observed gaining initial access via social engineering attacks (Source – Blackpoint Cyber)

Written in both Go and Rust, Qilin targets Windows and Linux systems and uses double extortion: it steals victim data and threatens to leak it if the ransom is not paid.

Qilin ransom note (Source – Blackpoint Cyber)

The group maintains strict operational security by prohibiting attacks against Commonwealth of Independent States countries, a common practice among Russian-speaking cybercriminal organizations.

Blackpoint analysts identified this sophisticated attack chain during a recent incident investigation, where the ransomware operators demonstrated advanced kernel-level manipulation capabilities.

The attack sequence begins with the deployment of a legitimate signed executable named upd.exe, which is actually the Carbon Black Cloud Sensor AV update tool.

However, instead of loading the legitimate library it expects, the executable sideloads a malicious dynamic link library named avupdate.dll, which serves as the initial payload delivery mechanism.

The malicious DLL exports a function named avupdate_get_version that performs several anti-analysis checks, including virtual machine detection and debugger detection, before loading and executing an encoded file named web.dat.

This file is a Windows portable executable (PE) that has been XOR-encoded with the single byte value 0x6a, showing the attackers' effort to obfuscate their tools throughout the infection chain.
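The single-byte XOR encoding described above can be undone and verified by checking for a valid PE header in the result. The following is an added analyst helper, not code from the article or from Blackpoint; it decodes with the reported key 0x6a, and additionally brute-forces the key for samples that may use a different byte. The sample "web.dat" it operates on is a constructed minimal PE-like header, not a real payload.

```python
import struct
from typing import Optional

XOR_KEY = 0x6A  # single-byte key reported for web.dat


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Check for the DOS 'MZ' stub and the 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_if_pe(blob: bytes, key: int = XOR_KEY) -> Optional[bytes]:
    """Return the decoded PE, or None if decoding with this key yields no PE."""
    decoded = xor_decode(blob, key)
    return decoded if looks_like_pe(decoded) else None


def find_xor_key(blob: bytes) -> Optional[int]:
    """Try every single-byte key; return the first that exposes a PE header."""
    for key in range(256):
        if looks_like_pe(xor_decode(blob, key)):
            return key
    return None


def build_sample_pe() -> bytes:
    """Constructed stand-in for a decoded PE: only the header fields we check."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew points at offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


# Constructed "web.dat": the sample header XOR-encoded with the reported key.
SAMPLE_ENCODED = xor_decode(build_sample_pe(), XOR_KEY)

if __name__ == "__main__":
    key = find_xor_key(SAMPLE_ENCODED)
    pe = decode_if_pe(SAMPLE_ENCODED, key) if key is not None else None
    print(f"key=0x{key:02x}" if key is not None else "no key found",
          "decoded PE" if pe else "not an encoded PE")
```

On a real sample, read web.dat into `blob` and call `find_xor_key(blob)`; the returned key feeds `decode_if_pe` and the output can be written to disk for further analysis.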

Advanced Kernel-Level EDR Bypass Mechanism

The decoded web.dat file reveals itself as a heavily customized variant of EDRSandblast, an open-source tool designed to disable EDR products at the kernel level.

EDRSandblast loading TPwSav.sys (Source – Blackpoint Cyber)

Rather than using commonly detected vulnerable drivers that most EDR vendors have flagged, the threat actors strategically selected TPwSav.sys, a legitimate signed Windows kernel driver originally developed for power-saving features on Toshiba laptops and compiled in 2015.

Vulnerable functions in TPwSav.sys (Source – Blackpoint Cyber)

The TPwSav.sys driver exposes two IOCTL codes that allow arbitrary memory reads and writes, one byte at a time.

These IOCTL handlers map physical memory addresses to virtual addresses using the MmMapIoSpace function, allowing the malware to read or modify memory contents before unmapping the address with MmUnmapIoSpace.

This capability enables the attackers to bypass read-only memory protections by leveraging physical addresses to map and modify virtual address contents.

The attack employs a sophisticated technique where the BeepDeviceControl function in the native Windows driver Beep.sys is overwritten with custom shellcode.

This hijacking process involves enumerating essential addresses, including Beep’s base address and the BeepDeviceControl offset, while retrieving virtual-to-physical address mappings through SystemSuperfetchInformation queries.

Once the shellcode replaces the legitimate handler, it implements a custom IOCTL processor that responds to the command 0x222000, providing unrestricted kernel memory access capabilities that effectively neutralize most EDR solutions by removing kernel callback routines and event tracing mechanisms.
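Because TPwSav.sys is a validly signed driver, a signature check alone will not catch its load; the driver's identity and its load path are the useful signals. The following is an added detection sketch, not code from the article or from Blackpoint: it triages Sysmon Event ID 6 (DriverLoad) records using the real Sysmon field names, a name-based list seeded with TPwSav.sys from this article (a production list would key on file hashes, e.g. from the LOLDrivers project, which the article does not give), and a path check. The events are constructed samples; the signer string for the TPwSav.sys record is a placeholder.

```python
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Driver names this article ties to BYOVD abuse. Production lists should key on
# hashes (e.g. LOLDrivers), since a file name is trivially changed.
KNOWN_VULNERABLE_DRIVERS = {"tpwsav.sys"}
TRUSTED_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")


def assess_driver_load(event: Dict[str, str]) -> List[str]:
    """Return the reasons a Sysmon Event ID 6 (DriverLoad) record is suspicious."""
    reasons: List[str] = []
    path = PureWindowsPath(event.get("ImageLoaded", ""))
    if path.name.lower() in KNOWN_VULNERABLE_DRIVERS:
        reasons.append(f"known vulnerable driver: {path.name}")
    # PureWindowsPath comparison is case-insensitive, matching NTFS semantics.
    if path.parent != TRUSTED_DRIVER_DIR:
        reasons.append(f"loaded from outside {TRUSTED_DRIVER_DIR}: {path.parent}")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("signature missing or not valid")
    return reasons


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Keep only the driver loads that produced at least one reason."""
    flagged: List[Tuple[str, List[str]]] = []
    for ev in events:
        reasons = assess_driver_load(ev)
        if reasons:
            flagged.append((ev["ImageLoaded"], reasons))
    return flagged


# Constructed sample events (Sysmon Event ID 6 field names; values are made up).
SAMPLE_EVENTS = [
    {"UtcTime": "2025-01-01 10:00:00.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\Beep.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"UtcTime": "2025-01-01 10:00:05.000",
     "ImageLoaded": r"C:\Users\Public\TPwSav.sys",
     "Signed": "true", "Signature": "PLACEHOLDER-SIGNER", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The in-memory overwrite of BeepDeviceControl described above leaves no driver-load event of its own, so the load of TPwSav.sys is the earlier and more observable point in this chain.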

The successful integration of TPwSav.sys into the Qilin operation’s toolkit demonstrates the increasing sophistication of ransomware affiliates and their access to advanced tools through dark web marketplaces, highlighting the urgent need for enhanced detection mechanisms beyond traditional EDR solutions.
