Qilin Ransomware Uses TPwSav.sys Driver to Bypass EDR Security Measures
Cybercriminals affiliated with the Qilin ransomware-as-a-service (RaaS) operation have demonstrated advanced evasion techniques by exploiting a previously undocumented vulnerable driver, TPwSav.sys, to disable Endpoint Detection and Response (EDR) systems through a bring-your-own-vulnerable-driver (BYOVD) attack.
First observed in July 2022, Qilin employs double-extortion tactics, exfiltrating data and publishing it on dedicated leak sites if ransoms remain unpaid; affiliates earn 80-85% of payments.
Variants in Golang and Rust target Windows and Linux, offering customizable encryption modes including AES-256 with RSA-2048 or RSA-4096 using OAEP padding.
Recent incidents highlight shifts toward credential harvesting via Group Policy Objects (GPOs) deploying scripts like IPScanner.ps1 and logon.bat, reducing reliance on bulk data exfiltration.
In October 2024, the Qilin.B variant introduced self-deletion and event log clearing for enhanced stealth, underscoring the group’s adaptation to counter traditional security measures.
Detailed Attack Chain
The attack chain began with initial access via stolen credentials over SSL VPN from a Russian-hosted IP (31.192.107.144), establishing persistence through a Golang-based reverse proxy executable, main.exe, tunneling to a U.S.-based Shock Hosting IP (216.120.203.26).
Lateral movement exploited RDP and remote tools, followed by deployment of a legitimate signed updater, upd.exe, which sideloaded a malicious DLL, avupdate.dll.
This DLL decoded an XOR-encrypted payload from web.dat (key 0x6a), revealing a customized EDRSandblast tool that loaded TPwSav.sys, a 2015-signed Toshiba power-saving driver vulnerable to arbitrary memory read/write via IOCTL handlers mapped with MmMapIoSpace.
Exploiting these, attackers hijacked the Beep.sys driver’s BeepDeviceControl function by overwriting it with shellcode, enabling kernel-level arbitrary reads/writes through a custom IOCTL (0x222000).
This facilitated removal of kernel callbacks and event tracing providers, effectively neutralizing EDR hooks.
The ransomware binary, executed with embedded MSP credentials, encrypted files while appending random extensions, but Blackpoint’s SOC intervened by isolating systems, preventing data loss.

Analysis shows EDRSandblast’s pre-populated kernel offsets aided in locating structures like IofCompleteRequest, with physical-to-virtual mappings queried via SystemSuperfetchInformation for precise overwrites, bypassing read-only protections.
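As an added example (not Blackpoint's, Qilin's or EDRSandblast's code), the script below triages constructed endpoint telemetry against the attack chain described above: it matches the IOC hashes and IPs from this article, flags a driver loaded from outside the Windows directory (the BYOVD step), flags an unsigned DLL loaded by a signed executable from the same folder (the upd.exe/avupdate.dll sideload), and undoes the single-byte XOR (key 0x6a) reported for web.dat. Event field names are assumed and loosely modelled on Sysmon DriverLoad/ImageLoad/NetworkConnect records; the sample events are constructed, not real telemetry.

```python
from pathlib import PureWindowsPath

# SHA-256 values and IP addresses come from the article's IOC table.
IOC_SHA256 = {
    "011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6": "TPwSav.sys",
    "d3af11d6bb6382717bf7b6a3aceada24f42f49a9489811a66505e03dd76fd1af": "avupdate.dll",
    "aeddd8240c09777a84bb24b5be98e9f5465dc7638bec41fb67bbc209c3960ae1": "main.exe",
    "08224e4c619c7bbae1852d3a2d8dc1b7eb90d65bba9b73500ef7118af98e7e05": "web.dat",
    "3dfae7b23f6d1fe6e37a19de0e3b1f39249d146a1d21102dcc37861d337a0633": "upd.exe",
}
IOC_IPS = {"216.120.203.26", "31.192.107.144"}

def xor_decode(blob: bytes, key: int = 0x6A) -> bytes:
    """Undo the single-byte XOR the article reports for web.dat (key 0x6a), for analyst triage."""
    return bytes(b ^ key for b in blob)

def triage(event: dict) -> list[str]:
    """Return findings for one telemetry record (field names are assumed, Sysmon-like)."""
    findings = []
    image = event.get("image", "").lower()
    sha = event.get("sha256", "").lower()
    if sha in IOC_SHA256:
        findings.append(f"known IOC hash: {IOC_SHA256[sha]}")
    # Heuristic: drivers normally load from under C:\Windows; anything else deserves a look.
    if event["type"] == "DriverLoad" and not image.startswith("c:\\windows\\"):
        findings.append("driver loaded from outside C:\\Windows (possible BYOVD)")
    if event["type"] == "ImageLoad":
        # Sideload heuristic: unsigned DLL loaded by a signed process from its own folder.
        loader = event.get("process", "").lower()
        same_dir = PureWindowsPath(image).parent == PureWindowsPath(loader).parent
        if same_dir and event.get("process_signed") and not event.get("signed"):
            findings.append("unsigned DLL sideloaded beside signed executable")
    if event["type"] == "NetworkConnect" and event.get("dst_ip") in IOC_IPS:
        findings.append(f"connection to IOC address {event['dst_ip']}")
    return findings

SAMPLE_EVENTS = [  # constructed records modelled on the attack chain, not real telemetry
    {"type": "ImageLoad", "image": r"C:\ProgramData\upd\avupdate.dll", "signed": False,
     "process": r"C:\ProgramData\upd\upd.exe", "process_signed": True,
     "sha256": "d3af11d6bb6382717bf7b6a3aceada24f42f49a9489811a66505e03dd76fd1af"},
    {"type": "DriverLoad", "image": r"C:\ProgramData\upd\TPwSav.sys",
     "sha256": "011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6"},
    {"type": "NetworkConnect", "image": r"C:\Users\Public\main.exe", "dst_ip": "216.120.203.26"},
    {"type": "DriverLoad", "image": r"C:\Windows\System32\drivers\Beep.sys", "sha256": "n/a"},
]

def triage_all(events: list[dict]) -> dict:
    """Map each record's image path to its findings; an empty list means nothing matched."""
    return {e["image"]: triage(e) for e in events}
```

The hash and IP matches are exact IOC hits; the two heuristics are broader and will also surface benign third-party drivers and plugin-style DLLs, so they are meant as hunting leads rather than blocking rules.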
Implications for Proactive Defense
This incident exemplifies the sophistication of RaaS affiliates, likely sourcing customized tools from dark web markets, as TPwSav.sys shows no prior in-the-wild exploitation.
According to the report, the technique requires administrative privileges for driver loading and memory enumeration and demands deep Windows kernel knowledge, integrating public rootkit methods to overwrite driver handlers.
Historical data indicates Qilin targets industrials in North America, with 164 leaked victims, though actual numbers may exceed this due to undisclosed payments.
Blackpoint’s layered response (real-time monitoring, rapid isolation, and threat hunting) thwarted encryption in multiple encounters, emphasizing defense-in-depth over reliance on EDR alone.
As ransomware evolves, organizations must prioritize vigilant monitoring and credential hygiene to counter such stealthy BYOVD exploits.
Indicators of Compromise (IOCs)
| Type | Indicator |
|---|---|
| File (TPwSav.sys) | 011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6 |
| File (avupdate.dll) | d3af11d6bb6382717bf7b6a3aceada24f42f49a9489811a66505e03dd76fd1af |
| File (main.exe) | aeddd8240c09777a84bb24b5be98e9f5465dc7638bec41fb67bbc209c3960ae1 |
| File (web.dat) | 08224e4c619c7bbae1852d3a2d8dc1b7eb90d65bba9b73500ef7118af98e7e05 |
| File (upd.exe) | 3dfae7b23f6d1fe6e37a19de0e3b1f39249d146a1d21102dcc37861d337a0633 |
| IP | 216.120.203.26 (Shock Hosting – U.S.) |
| IP | 31.192.107.144 (HostKey – Russia) |