
New Qilin Ransomware Variant: How a Linux Threat Cripples Windows Systems
The cybersecurity landscape is in a constant state of flux, with threat actors continuously devising new methods to bypass even the most robust defenses. In a significant and alarming development, the Qilin ransomware group has unleashed a sophisticated Linux variant designed specifically to target and encrypt Windows systems operating within VMware ESXi environments. This cross-platform attack strategy marks a dangerous evolution in ransomware tactics, combining stealth, legitimate tools, and advanced evasion techniques.
The Cross-Platform Attack Vector: Targeting ESXi
At the heart of this campaign is a clever exploitation of virtualized infrastructure. The attackers deploy a Linux-based encryptor to compromise VMware ESXi hosts. By gaining control of the hypervisor—the foundational software that runs virtual machines (VMs)—they gain access to all the guest systems running on it. This allows them to effectively target and encrypt Windows servers and workstations from the outside in, bypassing many security measures that are focused on the individual Windows operating system.
This approach is highly efficient for attackers, as compromising a single ESXi host can lead to the encryption of dozens or even hundreds of critical systems, causing widespread operational paralysis.
Hijacking Legitimate Tools for Malicious Control
To navigate compromised networks and execute their payload, the Qilin operators are leveraging legitimate remote management software. Two tools, in particular, have been identified in recent attacks:
- AnyDesk: A popular remote desktop application.
- ITarian Remote Access: A tool often used by IT administrators for system management.
By using these trusted applications, the threat actors can blend in with normal network traffic, making their activities much harder to detect. They use this remote access to move laterally within the network, escalate their privileges, and ultimately position their ransomware for deployment on the ESXi host.
The Ace Up Their Sleeve: Bring Your Own Vulnerable Driver (BYOVD)
Perhaps the most sophisticated element of this attack is the use of a Bring Your Own Vulnerable Driver (BYOVD) technique. This method allows attackers with administrative access to load a legitimate, but vulnerable, third-party driver into the Windows kernel—the core of the operating system.
In this campaign, Qilin affiliates are using a specific vulnerable driver known as zam64.sys. This driver is associated with the Zemana AntiMalware security product. While the driver itself is legitimate, it contains known vulnerabilities that can be exploited to gain kernel-level privileges.
Once this driver is loaded, attackers gain near-total control over the system. Their primary goal is to use these elevated permissions to forcibly terminate security processes and services. This includes deactivating antivirus (AV) software, Endpoint Detection and Response (EDR) agents, and other security tools that would otherwise detect and block the ransomware’s encryption routine. By disabling these defenses, the ransomware can operate completely unopposed.
How to Defend Against This Evolving Threat
The multi-faceted nature of the Qilin ransomware attack requires a layered and proactive security posture. Organizations, especially those relying on virtualized environments, should prioritize the following defensive measures:
- Harden ESXi Hosts: Your hypervisors are a high-value target. Ensure they are fully patched, protected by strong and unique credentials, and that management access is restricted to a secure, limited number of administrators. Use network segmentation to isolate ESXi management interfaces from the general corporate network.
- Monitor and Control Remote Access Software: The use of tools like AnyDesk and ITarian should be strictly monitored and controlled. Implement application control policies to allow only approved remote access solutions and audit their usage regularly for any suspicious activity.
- Implement Driver Control Policies: The BYOVD technique relies on the ability to load new drivers. Use application control solutions, such as Windows Defender Application Control (WDAC) or AppLocker, to create policies that prevent the loading of unauthorized or known-vulnerable drivers. Maintaining a driver blocklist is a critical defense against this tactic.
- Enhance Endpoint and Server Monitoring: Ensure your EDR solution is configured to detect and alert on suspicious behavior, such as the termination of security agent processes or the loading of unusual drivers. Kernel-level monitoring can provide crucial visibility into BYOVD attempts.
- Maintain Immutable and Offline Backups: In the event of a successful ransomware attack, your backups are your last line of defense. Follow the 3-2-1 rule (three copies of your data, on two different media, with one copy off-site) and ensure at least one copy is immutable or stored offline, where it cannot be targeted by the ransomware.
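As an added illustration of the driver-control and monitoring advice above (example code written for this article, not from the source or from any vendor), the following Python correlates constructed Sysmon-style driver-load (Event ID 6) and process-terminate (Event ID 5) records: a load of a blocklisted driver such as zam64.sys followed shortly by the termination of a security-agent process on the same host is the BYOVD "EDR kill" pattern the article describes. The field names, the correlation window and the security-process names are assumptions to adapt to your own telemetry.

```python
"""Detect the BYOVD 'EDR kill' sequence in Sysmon-style telemetry (added example)."""
from datetime import datetime, timedelta

# Known-vulnerable driver file names. zam64.sys (Zemana AntiMalware) is the driver
# named in the article; extend this from your vendor or Microsoft driver blocklist.
VULNERABLE_DRIVERS = {"zam64.sys"}

# Security-agent processes whose termination is suspicious (illustrative names,
# an assumption; replace with the AV/EDR processes actually deployed).
SECURITY_PROCESSES = {"msmpeng.exe", "csfalconservice.exe", "sentinelagent.exe"}

WINDOW = timedelta(minutes=10)  # how long after the driver load we still correlate


def basename(path):
    """Case-insensitive file name from a Windows path (matches renamed dirs too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def driver_load_alerts(events):
    """Stage 1: any load of a blocklisted driver is an alert on its own."""
    return [e for e in events
            if e["EventId"] == 6 and basename(e["ImageLoaded"]) in VULNERABLE_DRIVERS]


def edr_kill_alerts(events):
    """Stage 2: blocklisted driver load, then a security process terminated on the
    same host within WINDOW -> high-confidence BYOVD EDR-kill alert."""
    alerts = []
    for load in driver_load_alerts(events):
        t0 = datetime.fromisoformat(load["UtcTime"])
        for e in events:
            if e["EventId"] != 5 or e["Computer"] != load["Computer"]:
                continue
            if basename(e["Image"]) not in SECURITY_PROCESSES:
                continue
            delta = datetime.fromisoformat(e["UtcTime"]) - t0
            if timedelta(0) <= delta <= WINDOW:
                alerts.append({"host": load["Computer"],
                               "driver": basename(load["ImageLoaded"]),
                               "killed": basename(e["Image"]),
                               "seconds_after_load": delta.total_seconds()})
    return alerts


# Constructed sample telemetry (not real logs): zam64.sys loaded from a temp
# directory, then Defender's MsMpEng.exe terminated 42 s later on the same host;
# a benign driver load and an unrelated process exit on another host as noise.
SAMPLE_EVENTS = [
    {"EventId": 6, "UtcTime": "2025-01-01 10:00:00", "Computer": "FS01",
     "ImageLoaded": "C:\\Windows\\Temp\\zam64.sys"},
    {"EventId": 5, "UtcTime": "2025-01-01 10:00:42", "Computer": "FS01",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"},
    {"EventId": 6, "UtcTime": "2025-01-01 10:05:00", "Computer": "WS07",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"EventId": 5, "UtcTime": "2025-01-01 10:06:00", "Computer": "WS07",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for alert in edr_kill_alerts(SAMPLE_EVENTS):
        print("BYOVD EDR-kill suspected:", alert)
```

Stage 1 alone is what a driver blocklist (WDAC/AppLocker) should have prevented, so a stage 1 hit on a host is already worth a ticket; stage 2 is the confirmation that the loaded driver was put to the use the article describes.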
The Qilin ransomware’s latest variant is a stark reminder that threat actors are relentlessly innovating. By understanding their tactics—from cross-platform attacks to sophisticated BYOVD techniques—organizations can better prepare and fortify their defenses against these devastating cyber threats.
Source: https://securityaffairs.com/183891/malware/linux-variant-of-qilin-ransomware-targets-windows-via-remote-management-tools-and-byovd.html


