Cyber Pulse: Technical Threat Deep Dives on Active CVEs — BYOVD Attack Exploits CVE-2024-51324 to Disable EDR and Drop DeadLock Ransomware

Intro

In-the-wild exploitation of CVE-2024-51324 has been confirmed by Cisco Talos, where a financially motivated threat actor used a Bring Your Own Vulnerable Driver (BYOVD) tactic to disable endpoint defenses and deliver DeadLock ransomware. The attacker leveraged a signed, vulnerable Baidu Antivirus driver to kill EDR services at the kernel level, followed by PowerShell-based UAC bypass, Windows Defender shutdown, and full shadow copy deletion for maximum impact.

📌 CVE Context

– Product Affected: Baidu Antivirus driver `BdApiUtil.sys`
– Vulnerability: Improper Privilege Management
– CVE: CVE-2024-51324
– Attack Vector: Local (via user-mode loader)
– Privileges Required: None (the driver performs a privileged kernel operation, process termination, on behalf of any caller without checking its privileges)
– Used in: Active DeadLock ransomware campaigns

CVSS v4.0 Metric Breakdown - CVE-2024-51324 (Improper Privilege Management in Baidu Antivirus driver)
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Vulnerable System Confidentiality (VC): High
Vulnerable System Integrity (VI): High
Vulnerable System Availability (VA): High
Subsequent System Confidentiality (SC): None
Subsequent System Integrity (SI): None
Subsequent System Availability (SA): None
Exploit Maturity (E): Weaponized / exploited in the wild
Base Score: 9.0 (Critical)

– Exploit: “EDRGay.exe” loader drops “DriverGay.sys” (renamed BdApiUtil.sys)
– IOCTL 0x800024b4 triggers ZwTerminateProcess() via DeviceIoControl
– Victims: Windows systems, enterprise environments
– Impact: EDR termination, full disk encryption with custom stream cipher

🎯 EPSS Scoring

EPSS Score: 0.0004
Percentile: 0.12089

🔬 Exploitation Detail

The attacker drops the user-mode loader and renamed driver in the victim’s Videos folder, then runs the loader:

// Device handle to vulnerable driver
CreateFile("\\\\.\\BdApiUtil", ...)
// Send IOCTL to terminate target EDR PID
DeviceIoControl(handle, 0x800024b4, pid, ...)
// Driver executes ZwTerminateProcess() in kernel mode

The vulnerable driver does not validate the caller’s privileges, enabling any user-mode process to terminate arbitrary system processes, including EDR services.

📎 Attacker Behavior Snapshot

– Loader scans system processes → finds EDR PID
– Calls DeviceIoControl with IOCTL 0x800024b4
– Kernel driver executes ZwTerminateProcess without permission check
– Drops and runs PowerShell script for pre-encryption cleanup
– Executes ransomware with process hollowing → rundll32.exe spoofed

🧩 Why This Matters

This vulnerability shows how validly signed but vulnerable drivers shipped with legacy antivirus products are repurposed into high-privilege attack vectors. Once such a driver is signed and exploitable, attackers weaponize it in stealthy payload chains.

Exploitation results in:

  • Complete EDR and AV bypass
  • In-memory execution and stealthy persistence
  • System-wide encryption with irreversible impact

🧩 MITRE ATT&CK Mapping

Defense Evasion: T1211 – Exploitation for Defense Evasion
Execution: T1059.001 – PowerShell
Privilege Escalation: T1548.002 – Bypass User Account Control
Persistence: T1219.002 – Remote Access Software (AnyDesk)
Defense Evasion: T1562.001 – Disable or Modify Tools
Impact: T1486 – Data Encrypted for Impact

🧪 Detection Rules

YARA Rule (Memory/Doc/PCAP)

rule DeadLock_Payload {
    meta:
        description = "Detects DeadLock ransomware binary in memory"
    strings:
        $key = "10581067105910871088" ascii
        $note = "military-grade encryption" ascii
        $marker = "<!doctype html>" ascii
    condition:
        all of them
}

Suricata or Zeek (Network)

alert http any any -> any any (msg:"DeadLock Ransomware - Session Messenger C2"; flow:established,to_server; content:"session"; http_uri; nocase; classtype:trojan-activity; sid:1000001; rev:2;)

Local rules must use a SID of 1000000 or above, and a bare `session` URI match is broad: tune it to the destinations seen in your own telemetry before using it for blocking rather than alerting.

Sigma Rule (SIEM/EDR)

title: Defender/EDR Process Terminated
description: Sysmon Event ID 5 records only the terminated process, not the process that terminated it; correlate hits with EDRGay.exe process creations or DriverGay.sys driver loads on the same host
logsource:
  category: process_termination
  product: windows
detection:
  selection:
    Image|contains:
      - '\MsMpEng.exe'
      - 'EDR'
  condition: selection
level: high

🔎 Detection Strategies

✅ Network Detection:

  • Alert on AnyDesk installations shortly before encryption events
  • Flag new Session messenger traffic from previously unseen hosts
  • Detect RDP enabling and TCP 3389 rule insertions via netsh

✅ Endpoint Detection:

  • Driver (.sys) files dropped in user-writable folders (Videos, Downloads); the driver in this campaign carries a valid signature, so the location, not the signature, is the signal
  • Execution of PowerShell scripts with shadow copy deletions
  • Process hollowing into rundll32.exe with recent file timestamp

⚡ Splunk Query

index=win_logs (EventCode=7045 OR EventCode=1 OR EventCode=6)
(Image="*EDRGay.exe" OR ImageLoaded="*DriverGay.sys" OR Service_File_Name="*DriverGay.sys" OR CommandLine="*shadowcopy*")
| stats count by host, user, Image, ImageLoaded, CommandLine

πŸ› οΈ SOC Detection Strategy

– Monitor for untrusted driver loads via Sysmon Event ID 6
– Triage PowerShell scripts modifying Defender, deleting shadow copies
– Watch for registry changes enabling RDP and RemoteRegistry
– Alert on AnyDesk silent installs with password set
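The endpoint and SOC detection strategies above, turned into detection logic that runs over sample events and correlates stages per host. This is an added example, not code from the Cyber Pulse post or the Talos report: the events, hostnames (WS-042, WS-007), user name and paths are constructed, the field names are those of Sysmon Event IDs 1, 5 and 6, and MsMpEng.exe and MsSense.exe stand in for the protected Defender processes.

```python
"""Triage constructed Sysmon-style events for the DeadLock BYOVD chain.

Added example, not code from the Cyber Pulse post or the Talos report.
Event dicts use Sysmon field names for Event ID 1 (process creation),
5 (process terminated) and 6 (driver load); the sample events are
constructed, and the hostnames, user name and paths are placeholders.
"""
import re

# A kernel driver has no business being loaded from a user-writable profile folder.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Videos|Downloads|Desktop|Documents|AppData)\\", re.I)
# Pre-encryption cleanup: shadow copy deletion through WMI/PowerShell or vssadmin.
SHADOW_DELETE = re.compile(
    r"shadowcopy.*(delete|remove)|vssadmin.*delete\s+shadows", re.I)
# RDP exposure via netsh (firewall rule for 3389 or the Remote Desktop rule group).
RDP_OPEN = re.compile(r"netsh.*(localport=3389|remote\s*desktop)", re.I)
# AnyDesk unattended install / preset password.
ANYDESK_SILENT = re.compile(r"anydesk.*(--silent|--set-password)", re.I)
# Security processes whose termination is never routine (Defender engine, Defender for Endpoint).
PROTECTED = ("msmpeng.exe", "mssense.exe")


def triage(events):
    """Return (host, stage, detail) alerts for every event that matches a chain stage."""
    alerts = []
    for ev in events:
        eid, host = ev.get("EventID"), ev.get("Computer", "?")
        if eid == 6:
            image = ev.get("ImageLoaded", "")
            if USER_WRITABLE.search(image):
                # The campaign's driver is validly signed, so the location is the
                # signal; the signature status is reported for context only.
                status = ev.get("SignatureStatus", "unknown")
                alerts.append((host, "driver_from_user_dir", f"{image} [signature: {status}]"))
        elif eid == 1:
            cmd = ev.get("CommandLine", "")
            for stage, pattern in (("shadow_copy_deletion", SHADOW_DELETE),
                                   ("rdp_exposed", RDP_OPEN),
                                   ("anydesk_silent_install", ANYDESK_SILENT)):
                if pattern.search(cmd):
                    alerts.append((host, stage, cmd))
        elif eid == 5:
            image = ev.get("Image", "")
            if image.lower().endswith(PROTECTED):
                alerts.append((host, "protected_process_terminated", image))
    return alerts


def chain_hosts(alerts, min_stages=3):
    """Hosts on which several distinct stages fired: one hit is suspicious,
    three or more on the same host is the BYOVD kill chain."""
    seen = {}
    for host, stage, _ in alerts:
        seen.setdefault(host, set()).add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}


# Constructed sample events (not captured from a real incident).
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "WS-042", "ImageLoaded": r"C:\Users\alice\Videos\DriverGay.sys",
     "SignatureStatus": "Valid"},
    {"EventID": 5, "Computer": "WS-042", "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"EventID": 1, "Computer": "WS-042", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -ExecutionPolicy Bypass -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"EventID": 1, "Computer": "WS-042", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="rdp" dir=in action=allow protocol=TCP localport=3389'},
    {"EventID": 1, "Computer": "WS-042", "Image": r"C:\Users\alice\Downloads\AnyDesk.exe",
     "CommandLine": r"C:\Users\alice\Downloads\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
    # Benign noise on another host: an inbox driver load and an ordinary PowerShell run.
    {"EventID": 6, "Computer": "WS-007", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "SignatureStatus": "Valid"},
    {"EventID": 1, "Computer": "WS-007", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for host, stage, detail in found:
        print(f"{host}: {stage}: {detail}")
    print("kill-chain hosts:", chain_hosts(found))
```

The per-host correlation is the part worth keeping: each pattern on its own (a netsh rule, an AnyDesk install) has benign explanations, but three or more stages on one host within a short window is the chain this post describes and should page someone.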

πŸ› οΈ Tools & Techniques

| Tool | Usage |
| --- | --- |
| Sysmon | Detect driver loads, process hollowing, service manipulation |
| Zeek | Identify suspicious outbound encrypted sessions (Session messenger) |
| PowerShell Logs | Monitor UAC bypass and shadow copy deletion |
| Sigma | SIEM rule creation for EDR kill chain events |

🛡️ Mitigation & Response

– Blocklist the abused Baidu driver by SHA256 hash
– Enable Kernel Mode Code Integrity (KMCI/HVCI) together with the Microsoft vulnerable driver blocklist; the driver carries a valid signature, so signature enforcement alone will not stop it from loading
– Use Group Policy to prevent unsigned driver loads
– Rotate credentials if RDP was enabled
– Confirm shadow copies exist on critical servers
– Monitor for new persistence mechanisms (AnyDesk, registry changes)

📋 Incident Response Snippets

🔍 Shadow copy deletion log:

Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | ? { $_.Message -like "*shadowcopy*" }

❓ IR Questions:

  • Was AnyDesk installed within 24h of encryption?
  • Are there unsigned drivers in user-writable directories?
  • Was TCP 3389 opened via netsh?
  • Is rundll32.exe spawning encryption binaries?

🧹 Cleanup:

  • Remove AnyDesk persistence entries
  • Audit driver store for unsigned/suspicious drivers
  • Reset RDP and firewall configurations
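A way to answer the IR question "Are there unsigned drivers in user-writable directories?" and to support the driver audit in the cleanup list, as an added example that is not part of the Cyber Pulse post or the Talos report. It walks the given folders for .sys files, reads the PE optional header to see whether an embedded Authenticode signature (security directory) is present, and compares each file's SHA-256 against a blocklist; the blocklist hash is a labelled placeholder, the test images are constructed PE headers, and no real driver hash is included.

```python
"""Hunt user-writable folders for kernel drivers and check them offline.

Added example, not code from the Cyber Pulse post or the Talos report.
Reports, for each .sys file under the given roots: its SHA-256, whether
the PE carries an embedded Authenticode signature, and whether the hash
is on a blocklist. Caveats a responder needs: catalog-signed inbox
drivers have no embedded signature, and the driver in this campaign is
validly signed, so "signed" never means "safe"; the hash match is the
actionable check.
"""
import hashlib
import struct
import sys
import tempfile
from pathlib import Path

# Placeholder only: substitute the published SHA-256 hashes of the abused driver.
BLOCKLIST = {"0" * 64}


def has_embedded_signature(data):
    """True/False for a PE with/without a security directory, None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt = e_lfanew + 24                  # PE signature (4) + COFF file header (20)
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x20B:                   # PE32+: NumberOfRvaAndSizes at 108, directories at 112
            n_off, dir_off = 108, 112
        elif magic == 0x10B:                 # PE32: at 92 and 96
            n_off, dir_off = 92, 96
        else:
            return None
        n_dirs = struct.unpack_from("<I", data, opt + n_off)[0]
        if n_dirs <= 4:                      # no IMAGE_DIRECTORY_ENTRY_SECURITY slot at all
            return False
        sec_off, sec_size = struct.unpack_from("<II", data, opt + dir_off + 4 * 8)
    except struct.error:
        return None
    return sec_off != 0 and sec_size != 0


def scan(roots, blocklist=frozenset()):
    """Return one finding dict per .sys file found under the given roots."""
    findings = []
    for root in roots:
        for path in Path(root).rglob("*.sys"):
            if not path.is_file():
                continue
            data = path.read_bytes()
            digest = hashlib.sha256(data).hexdigest()
            findings.append({
                "name": path.name,
                "path": str(path),
                "sha256": digest,
                "embedded_signature": has_embedded_signature(data),
                "blocklisted": digest in blocklist,
            })
    return findings


def build_minimal_pe(signed):
    """Construct a header-only PE32+ image for testing; not a loadable driver."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)   # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                             # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 4 * 8, 0x400, 0x200)       # security directory offset/size
    return dos + b"PE\0\0" + coff + bytes(opt)


def demo():
    """Write two constructed images into a scratch 'Videos' folder and scan it."""
    root = Path(tempfile.mkdtemp()) / "Videos"
    root.mkdir()
    (root / "signed_sample.sys").write_bytes(build_minimal_pe(signed=True))
    (root / "unsigned_sample.sys").write_bytes(build_minimal_pe(signed=False))
    (root / "notes.txt").write_bytes(b"not a driver; must be ignored")
    # Constructed blocklist: one sample's hash stands in for a published IOC hash.
    blocklist = {hashlib.sha256(build_minimal_pe(signed=False)).hexdigest()}
    return sorted(scan([root], blocklist), key=lambda f: f["name"])


if __name__ == "__main__":
    # Real use: pass profile roots such as C:\Users; defaults to the current user's home.
    roots = sys.argv[1:] or [Path.home()]
    for finding in scan(roots, BLOCKLIST):
        print(finding)
```

Read the output with the caveat in mind: a hit on the blocklist is the finding to act on, a .sys file in a profile folder is worth pulling for analysis regardless of its signature status, and "no embedded signature" on an inbox driver under System32 is normal because those are catalog-signed.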

📚 Suggested Reading & External References

– Cisco Talos: [DeadLock ransomware campaign writeup](https://blog.talosintelligence.com/deadlock-byovd/)
– MITRE ATT&CK T1211 – BYOVD reference
– Previous BYOVD campaigns: BlackByte, AvosLocker
– [Snort Rules](https://www.snort.org/downloads) – SIDs 65575, 65576, 301358

🗾️ Final Thoughts

A signed antivirus driver from Baidu is being abused to kill EDR and enable full ransomware deployment using DeadLock. The attack chain is a prime example of how BYOVD remains a powerful tool in modern ransomware operations.

Patch, block, and monitor — and don’t trust any driver unless it’s verified AND validated.

Published: 2025-12-14
