EDR’s Blindspot: Qilin Ransomware and the Hidden Dangers of BYOVD
Cybercriminals continue to employ sophisticated tactics intended to evade traditional Endpoint Detection and Response (EDR) while maintaining a low profile and limiting the noise their activity creates. A recent incident involving Qilin ransomware highlighted both the evolving tactics of cybercriminals and the effectiveness of proactive defense. It is important to understand the tooling and methodology now being leveraged, because organizations have historically relied on traditional EDR and arguably developed a false sense of security from that reliance.
In this blog, we will unpack how Qilin ransomware affiliates leveraged a previously unknown driver, TPwSav.sys, to stealthily disable EDR measures, a technique known as bring-your-own-vulnerable-driver (BYOVD). We’ll walk through the entire attack chain, from the initial compromise using stolen credentials to the final attempt at deploying ransomware. Most importantly, we’ll explain how the SOC’s rapid isolation of impacted systems and layered security approach thwarted the attackers’ tactics. By highlighting the capabilities and implications of exploiting newly discovered drivers, this blog aims to deepen your understanding of advanced ransomware threats and the proactive defenses necessary to counter them.
Actor Background
Qilin (aka Agenda) ransomware was first observed in July 2022. It operates through a double extortion method, where victims’ data is stolen and leaked via a data leak site (pictured below) if the ransom demand is not paid. Qilin maintains variants written in both Golang and Rust and targets both Windows and Linux operating systems. Qilin operates as a ransomware-as-a-service (RaaS). Affiliates keep 80% of ransom payments under $3 million and 85% of ransom payments over $3 million.
Qilin affiliates have been observed gaining initial access via social engineering attacks like phishing emails with malicious attachments, and valid credentials that have been leaked and/or purchased.
A purported recruiter for the Qilin operation posted on a Russian-language cybercriminal forum advertising the RaaS, offering positions to qualified affiliates, and stating that affiliates are not allowed to target Commonwealth of Independent States (CIS) countries. This rule is commonly observed in ransomware operations.
Qilin affiliates have multiple options in the Qilin panel, indicating that the ransomware is customizable for each victim. Affiliates can create and edit blog posts containing information about attacked companies that have not paid a ransom, create accounts for members of their team by entering a nickname and credentials, and access support for the ransomware. Operators can customize the directories to skip, the files to skip, the processes to kill, the encryption mode, and the list of VMs that will not be killed or shut down.
The Linux variant is compiled with GCC 11 in the ELF64 format and is 1.32MB in size. This variant, like the Windows variant, provides a number of options for the affiliates to ensure that the right files are encrypted.
Qilin ransomware offers multiple encryption methods, which are configurable by the affiliate through the panel. One option uses AES-256 encryption to encrypt the files on the victim’s system and uses RSA-2048 to encrypt the generated key. Files are appended with a new random extension. The Linux version uses OpenSSL, and the public key is hardcoded at the address 0x004EB3A8. The statically linked OpenSSL library is used to facilitate the loading of the public key.
Recent Attacks
In August 2024, security researchers with Sophos reported that the Qilin ransomware group targeted a victim via compromised credentials. The dwell time in the victim environment was 18 days. The operators edited the domain policy to introduce a logon-based Group Policy Object (GPO) containing two items: a PowerShell script, IPScanner.ps1, and a batch script, logon.bat.
The combination of the two scripts resulted in harvesting of credentials saved in Chrome browsers on machines connected to the network. This activity indicates that Qilin is likely changing tactics to include credential harvesting rather than exfiltrating large amounts of victim-specific data.
In October 2024, Halcyon security researchers reported a new and updated version of the Qilin ransomware variant, dubbed “Qilin.B”. Qilin.B is written in the Rust programming language. According to the research by Halcyon, Qilin.B supports AES-256-CTR encryption for systems with Advanced Encryption Standard New Instructions (AES-NI) capabilities. Qilin.B uses RSA-4096 with Optimal Asymmetric Encryption Padding (OAEP) to safeguard encryption keys.
Qilin.B was updated with new defense evasion techniques as well. Qilin.B still terminates services associated with security tools and clears Windows Event Logs, but it also deletes itself to reduce evidence that the malware was ever present.
Blackpoint’s Security Operations Center (SOC) has encountered at least two incidents that included the use of Qilin ransomware. In both cases, Blackpoint’s SOC successfully prevented encryption by isolating impacted devices and working with partners to mitigate the threat.
Historical Targeting
Qilin has listed 164 victims on their data leak site, with most of those victims in the Industrials (Construction & Engineering) vertical. Qilin’s ransomware has targeted victims worldwide, with most of their reported victims in North America.
The following graphs show the victims that were named on Qilin’s data leak site by industry and location. The true number of victims is likely higher, since some victims either paid the ransom and/or did not disclose the ransomware attack.
Attack Chain
The victim’s SSL VPN logs showed a session from IP address 31.192.107[.]144 that began on December 12, 2024, and lasted for over 6 hours. Another session began later in the day and lasted an additional hour and a half. The IP belongs to the cloud service provider HOSTKEY, based in Russia.
On one machine, an executable named main.exe opened a reverse proxy to the IP 216.120.203[.]26 via secure shell (SSH). The IP belongs to the cloud hosting provider Shock Hosting. Written in Golang, the main.exe executable leveraged several open-source networking libraries with the simple purpose of exposing a remote tunnel into the network. The attacker proceeded to connect to internal machines using remote desktop protocol (RDP) and remote management tools.
The attacker deployed a legitimate signed executable named upd.exe which sideloads a malicious dynamic link library (DLL) named avupdate.dll. The DLL was responsible for decoding and loading a customized version of the EDR killing tool named EDRSandblast.
Blackpoint’s Analysis of Qilin
When the ransomware is executed from the command line with the correct password, it outputs debug statements detailing each step of its operation. The sample also contains an embedded target account email address and password, which were used for initial access and lateral movement. Notably, the embedded account credentials belong to the managed service provider (MSP) associated with the targeted customer.
Figure 1: Ransomware execution
Figure 2: Embedded username and password
The image below is a sample ransom note of the Qilin.B variant.
Figure 3: Qilin ransom note
EDR Bypass Analysis
The following depicts how the ransomware successfully executed and bypassed the installed EDR before Blackpoint’s SOC prevented any further harm.
There were several files involved in the attack, including files named upd.exe, avupdate.dll, web.dat and TPwSav.sys.
The upd.exe portable executable (PE) is the Carbon Black Cloud Sensor AV update tool. In a normal setting, it loads a dynamic link library (DLL) named avupdate.dll to perform various update functions. In this case, the avupdate.dll sample contained malicious code.
Figure 4: Imported library and functions for upd.exe
An exported function from avupdate.dll named avupdate_get_version is tasked with loading and executing a file called web.dat using dynamically resolved Windows APIs. Additionally, it performs various anti-analysis techniques, such as detecting the presence of a virtual machine and checking if it is being debugged, to evade analysis and hinder reverse engineering efforts.
Figure 5: Malicious exported function
The web.dat file is a Windows PE which is XOR encoded with the single byte value 0x6a.
Figure 6: Decoding web.dat
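The decoding step above, as an added analyst helper that is not part of the original post: it XOR-decodes a blob with the page's 0x6a key, validates that the result carries a DOS/PE header, and, going a step beyond the page, brute-forces all 256 single-byte keys so the same check works on a sample whose key is unknown. The PE stub it operates on is constructed inline, not the real web.dat.

```python
import struct

XOR_KEY = 0x6A  # key observed for web.dat in this incident


def xor_decode(blob: bytes, key: int) -> bytes:
    """Single-byte XOR; XOR is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in blob)


def looks_like_pe(data: bytes) -> bool:
    """True if data has the DOS 'MZ' stub and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_xor_key(blob: bytes) -> list:
    """Try every single-byte key and return those that yield a plausible PE."""
    return [k for k in range(256) if looks_like_pe(xor_decode(blob, k))]


def decode_web_dat(blob: bytes) -> bytes:
    """Decode with the page's key and fail loudly if no PE header appears."""
    decoded = xor_decode(blob, XOR_KEY)
    if not looks_like_pe(decoded):
        raise ValueError("decoded data does not carry a PE header")
    return decoded


def build_sample_pe_stub() -> bytes:
    """Constructed stand-in for the decoded payload: DOS header, e_lfanew=0x80, then 'PE\\0\\0'."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    return bytes(header) + b"PE\0\0" + b"\x00" * 20


if __name__ == "__main__":
    encoded = xor_decode(build_sample_pe_stub(), XOR_KEY)  # simulate web.dat on disk
    print("candidate keys:", [hex(k) for k in find_xor_key(encoded)])
    print("decoded PE ok:", looks_like_pe(decode_web_dat(encoded)))
```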
The decoded PE is a customized variant of the tool EDRSandblast, designed to disable EDR products at the kernel level by exploiting a vulnerable signed driver. The tool includes a pre-populated list of kernel module address offsets, enabling it to locate critical functions and data structures within kernel memory.
Rather than relying on one of the standard vulnerable drivers supported by the tool, the threat actor (TA) opted to use a driver named TPwSav.sys. This driver, originally developed for power-saving features on Toshiba laptops, is a signed Windows kernel driver, making it an attractive choice for bypassing EDR protections through a bring-your-own-vulnerable-driver (BYOVD) attack.
Figure 7: EDRSandblast loading TPwSav.sys
TPwSav.sys exposes two I/O control codes (IOCTLs) mapped to functions that allow arbitrary reading and writing of memory, one byte at a time.
Figure 8: IOCTL handler in TPwSav.sys
Each function maps a physical memory address to its corresponding virtual address using the MmMapIoSpace function. It then either reads a single byte back into the input buffer or modifies it before unmapping the address with MmUnmapIoSpace.
Figure 9: Vulnerable functions in TPwSav.sys
Read-only memory protections can be bypassed by mapping the physical pages that back a virtual address and modifying their contents through that mapping. A common technique employed by rootkit authors is to overwrite a legitimate driver’s major function handler with shellcode. Once modified, the handler is invoked, enabling the attacker to hijack its execution flow.
In this case, the TA used these capabilities to overwrite the BeepDeviceControl function in the native Windows driver Beep.sys. The shellcode replacing this function implements a custom handler that processes an IOCTL of 0x222000, providing the ability to perform arbitrary read and write operations on kernel memory.
The HijackBeep function plays a critical role in enumerating essential addresses, including Beep’s base address, the offset of BeepDeviceControl, and the address of IofCompleteRequest. Additionally, it retrieves virtual-to-physical address mappings by querying SystemSuperfetchInformation, specifically through the SuperFetchMemoryRangesQuery. Using the table of virtual-to-physical mappings, the function overwrites the BeepDeviceControl handler with the attacker’s shellcode. Before doing so, it patches the shellcode to include the relative offset to IofCompleteRequest found in the imports table, ensuring seamless execution of the hijacked code path.
Figure 10: BeepDeviceControl hijacking code
Figure 11: Custom shellcode handler
Two functions are repeatedly invoked to execute the shellcode, enabling either an arbitrary read or write operation to any specified memory address. The input buffer, 24 bytes in size, includes the following parameters: the target memory address to read from or write to, an operation flag indicating the desired action (read or write), the size of the data to be read or written, and a data buffer that either stores the result of a read operation or contains the data to be written. These functions provide precise control over memory manipulation, facilitating the exploit’s objectives.
Figure 12: EDRSandblast arbitrary read code
Figure 13: EDRSandblast arbitrary write code
The TA proceeds with removing kernel callback routines and kernel event tracing, rendering most EDR solutions ineffective.
Figure 14: Removing callbacks and event tracing provider
As of this writing, there is no public evidence of in-the-wild exploitation involving TPwSav.sys beyond the activity observed by Blackpoint’s SOC. Compiled in 2015 and holding a valid signature, this driver is an appealing candidate for BYOVD attacks aimed at disabling EDR. While interacting with the driver requires only low privileges, loading it and enumerating physical memory require administrative privileges.
By default, the EDRSandblast tool is configured to utilize three known vulnerable drivers that are already flagged as suspicious and likely blocked by most EDR vendors. To circumvent detection, malware authors customizing this tool often replace these drivers with a different vulnerable driver that remains undetected.
Customizing EDRSandblast is not a novel concept, and examples of techniques used to overwrite code sections of Beep.sys with shellcode are publicly available. However, the expertise required to seamlessly integrate these components and execute the attack effectively remains a significant challenge. This was demonstrated by a sophisticated threat actor who successfully implemented the technique, showcasing a high level of skill and deep understanding of the Windows kernel to achieve their objectives.
Considering that the Qilin sample represents a secondary variant distributed to affiliates through a Ransomware-as-a-Service (RaaS) model, it is highly probable that the customized EDR bypass tool was also acquired via dark web marketplaces.
Conclusion
The Qilin incident underscores how ransomware continuously evolves to exploit vulnerabilities. The attackers used a stealthy driver-loaded payload, emphasizing the need for vigilant threat hunting and real-time monitoring. Yet, Blackpoint’s SOC quickly isolated affected systems, investigated malicious activity, and applied a defense-in-depth strategy to neutralize the threat before significant damage occurred. This case highlights the importance of ongoing vigilance, robust partnerships, and continuous security investments to counter rapidly evolving cyber threats.
Hashes
| File | SHA256 |
| --- | --- |
| TPwSav.sys | 011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6 |
| avupdate.dll | d3af11d6bb6382717bf7b6a3aceada24f42f49a9489811a66505e03dd76fd1af |
| main.exe | aeddd8240c09777a84bb24b5be98e9f5465dc7638bec41fb67bbc209c3960ae1 |
| web.dat | 08224e4c619c7bbae1852d3a2d8dc1b7eb90d65bba9b73500ef7118af98e7e05 |
| upd.exe | 3dfae7b23f6d1fe6e37a19de0e3b1f39249d146a1d21102dcc37861d337a0633 |
IPs
216.120.203[.]26 (Shock Hosting – U.S.)
31.192.107[.]144 (HostKey – Russia)