Cybercriminals have once again demonstrated their evolving sophistication by weaponizing an obscure Toshiba laptop driver to bypass endpoint detection and response (EDR) systems.

The Qilin ransomware operation, active since July 2022, has added a previously unknown vulnerable driver, TPwSav.sys, to its arsenal and uses it to disable EDR protections through the bring-your-own-vulnerable-driver (BYOVD) technique. Rather than relying on the commonly abused vulnerable drivers that most EDR vendors already flag, the threat actors chose TPwSav.sys, a legitimately signed Windows kernel driver originally developed for power-saving features on Toshiba laptops and compiled in 2015. Because the driver carries a valid signature and was not among the drivers vendors had flagged, it loads without tripping the detections built around better-known BYOVD drivers. Loading any kernel driver already requires administrative rights on the host, so this stage follows, rather than provides, the attackers' privilege escalation.

This development represents a significant escalation in ransomware operators' ability to evade the security measures organizations have come to rely upon. Blackpoint analysts identified the attack chain during a recent incident investigation in which the operators demonstrated advanced kernel-level manipulation.

Qilin operates under a ransomware-as-a-service model, offering affiliates 80% of ransom payments under $3 million and 85% of larger payments. Written in both Golang and Rust, Qilin targets Windows and Linux systems and follows a double-extortion methodology: victim data is stolen first, and the group threatens to leak it if the ransom is not paid.

The attack sequence begins with the deployment of a legitimate signed executable named upd.exe, which is actually the Carbon Black Cloud Sensor AV update tool. Another file in the chain is a Windows portable executable XOR-encoded with the single byte value 0x6a, showing the attackers' effort to obfuscate their tools throughout the infection chain.

The TPwSav.sys driver exposes two IO control codes that allow arbitrary kernel memory to be read and written, one byte at a time. Their handlers map a caller-supplied physical address into the kernel's virtual address space with MmMapIoSpace, read or modify the byte, and release the mapping with MmUnmapIoSpace. Because the write goes through a fresh mapping of the physical page rather than through the original virtual address, the protections on that original mapping (for example, read-only kernel code pages) do not apply; this is how the attackers bypass read-only memory protections. The caveat for defenders is that this step depends on Hypervisor-Protected Code Integrity (HVCI) being off: where HVCI is enabled, the hypervisor enforces write protection on kernel code pages regardless of which virtual mapping is used.

With this primitive, the attackers overwrite the BeepDeviceControl function in the native Windows driver Beep.sys with custom shellcode. To do so they first enumerate the required addresses, namely the base address of Beep.sys and the offset of BeepDeviceControl within it, and resolve the corresponding virtual-to-physical mappings through SystemSuperfetchInformation queries, since the vulnerable driver's primitive operates on physical addresses. Once the shellcode replaces the legitimate handler, the Beep device answers a custom IOCTL, 0x222000, that provides unrestricted kernel memory access. With it the malware removes the kernel callback routines and event tracing (ETW) hooks that EDR products depend on, effectively neutralizing most EDR solutions.

The successful integration of TPwSav.sys into Qilin's toolkit demonstrates the increasing sophistication of ransomware affiliates and their access to advanced tooling through dark web marketplaces, and it underlines the need for detection that does not depend solely on the EDR agent the attack is built to disable. In practice that means alerting on every kernel driver load (particularly signed drivers loaded from non-standard paths), enforcing HVCI where hardware allows, and keeping Microsoft's vulnerable driver blocklist current, since a signed driver absent from that list still loads.
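The single-byte XOR obfuscation noted above is something an analyst will want to undo on the bench. The following is an added example, not code from the article or from Blackpoint, that recovers the key from the known "MZ" plaintext, falls back to trying all 256 keys, and only accepts a key whose output actually parses as a PE header; the sample input is a constructed minimal header, not the real payload.

```python
"""Recover a single-byte XOR key from an encoded PE and validate the result."""
import struct
from typing import Optional, Tuple

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C


def xor_decode(blob: bytes, key: int) -> bytes:
    """Apply a single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in blob)


def looks_like_pe(data: bytes) -> bool:
    """Check the two anchors every PE has: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != DOS_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    # A wrong key usually produces a nonsense e_lfanew; bound it before slicing.
    if e_lfanew < E_LFANEW_OFFSET + 4 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == PE_MAGIC


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Derive the key directly from the known 'MZ' plaintext, if both bytes agree."""
    if len(blob) < 2:
        return None
    k0, k1 = blob[0] ^ DOS_MAGIC[0], blob[1] ^ DOS_MAGIC[1]
    return k0 if k0 == k1 else None


def decode_encoded_pe(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Try the known-plaintext key first, then every key, accepting only a
    candidate whose decoded bytes validate as a PE header."""
    candidates = [recover_xor_key(blob)] + list(range(256))
    for key in candidates:
        if key is None:
            continue
        data = xor_decode(blob, key)
        if looks_like_pe(data):
            return key, data
    return None


def build_sample_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE-like header for demonstration; not a real binary."""
    header = bytearray(e_lfanew + 4)
    header[:2] = DOS_MAGIC
    struct.pack_into("<I", header, E_LFANEW_OFFSET, e_lfanew)
    header[e_lfanew:e_lfanew + 4] = PE_MAGIC
    return bytes(header)


# Constructed sample encoded with the 0x6a key reported for the Qilin chain.
SAMPLE_ENCODED = xor_decode(build_sample_pe(), 0x6A)

if __name__ == "__main__":
    result = decode_encoded_pe(SAMPLE_ENCODED)
    if result is None:
        print("no single-byte XOR key yields a PE header")
    else:
        key, data = result
        print(f"key=0x{key:02x} magic={data[:2]!r}")
```

Validating against both PE anchors matters: checking only for "MZ" accepts exactly one key for any two input bytes, so the e_lfanew check is what distinguishes a real decode from a coincidence.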
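The driver load itself is the most durable signal in this chain, and it is visible even after the EDR callbacks are gone if driver-load telemetry is forwarded off the host. The following is an added example, not tooling from the article or from Blackpoint, that triages records shaped like Sysmon Event ID 6 (DriverLoad): it flags the driver name the article reports, loads from outside the standard driver directories, and signature problems, while deliberately not clearing an event just because its signature is valid. The sample records and the vendor name in them are constructed; the trusted-directory list assumes a default %SystemRoot%.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD-style driver loads."""
import ntpath
from typing import Dict, List, Tuple

# Driver names reported as abused; extend from your own intelligence.
WATCHLIST = {"tpwsav.sys"}

# Directories a kernel driver is normally loaded from (assumption: default %SystemRoot%).
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
    r"c:\windows\system32",
)


def _under(path: str, directory: str) -> bool:
    """Case-insensitive check that path lies beneath directory."""
    return path.lower().startswith(directory.lower().rstrip("\\") + "\\")


def triage_driver_load(event: Dict[str, str]) -> List[str]:
    """Return the reasons a single DriverLoad event deserves analyst attention."""
    image = event.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()
    reasons: List[str] = []
    if name in WATCHLIST:
        reasons.append("known abused driver name")
    if image and not any(_under(image, d) for d in TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the standard driver directories")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus", "") != "Valid":
        reasons.append("unsigned or invalid signature")
    # A valid signature is never by itself a reason to clear the event:
    # BYOVD drivers are, by definition, validly signed.
    return reasons


def triage_all(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Keep only the events that produced at least one reason."""
    hits = []
    for event in events:
        reasons = triage_driver_load(event)
        if reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits


# Constructed sample records in the shape of Sysmon Event ID 6; none is real telemetry.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\beep.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\ProgramData\update\TPwSav.sys",
     "Signed": "true", "Signature": "Example Vendor", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\Temp\helper.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for image, reasons in triage_all(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Note that Beep.sys produces no hit: it is a signed Microsoft driver loaded from its normal location, and the attack modifies it in memory after the fact, so the load event for the abused vulnerable driver, not for Beep.sys, is the one worth alerting on.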
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 31 Jul 2025 06:50:24 +0000