Campaign of the month

Learn about the latest cyber attacks and vulnerabilities in our monthly Campaigns.

Exploring real-world MSI™ Afterburner RTCore driver exploitation 

Threat actors are increasingly exploiting legitimate signed software to gain elevated privileges and bypass system defenses. 

In this month’s campaign, we will explore the RTCore driver (RTCore64.sys) that ships with MSI™ Afterburner, a GPU overclocking tool. Because the driver runs in kernel mode, it exposes low-level hardware access to the user-mode application that talks to it.

Overview of the RTCore driver exploitation 

While designed for GPU tuning, the driver’s I/O control (IOCTL) interface is powerful enough to create security risks that adversaries can exploit in a variety of attacks: 

  • Arbitrary kernel memory read and write 
  • Local privilege escalation (LPE) to NT AUTHORITY\SYSTEM 
  • Tampering with kernel security structures and callbacks 
  • Execution of unsigned Portable Executable (PE) binaries directly in kernel space 

Attackers use a strategy known as Bring Your Own Vulnerable Driver (BYOVD) to gain kernel-level control: they install a legitimately signed driver with a known vulnerability and then abuse that vulnerability from user mode. Malware such as BlackByte ransomware has been seen loading RTCore64.sys to disable endpoint protection and execute payloads with SYSTEM privileges. 


Known vulnerabilities in the RTCore driver 

Over the years, security researchers have discovered multiple vulnerabilities in MSI Afterburner’s RTCore driver that could be leveraged for malicious purposes. Below is a list of some major issues. 

  • CVE-2019-16098 (Arbitrary Kernel Memory Access): Critical flaw allowing any authenticated user to read and write arbitrary memory in the Windows kernel via RTCore’s IOCTL interface.
  • CVE-2024-1443 (Denial-of-Service via IOCTL): Sending a specific IOCTL code (0x80002000) to RTCore could crash the system (bugcheck/BSOD), resulting in a local denial of service (reference: nvd.nist.gov). While not directly granting elevated privileges, a crash-inducing bug in a kernel driver can be leveraged as a nuisance or as part of an exploit chain.
  • CVE-2024-1460 (Kernel Memory Leak): Allows mapping physical memory into virtual address space, leaking the contents of kernel memory. By invoking IOCTL 0x80002040, a user could map a portion of physical address space (e.g., the BIOS memory range) into non-paged kernel memory and obtain its address.
  • CVE-2024-3745 (Device ACL Bypass): A security control bypass found in MSI Afterburner 4.6.6 Beta 3. Due to an implementation mistake, a low-privileged user could open a handle to the driver, bypassing the intended Access Control List. In effect, any local user could send IOCTLs to RTCore despite the security descriptor.
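Because BYOVD tradecraft (described above) relies on registering and loading the vulnerable driver on the victim host, the first defensive check is simply whether RTCore64.sys is installed or has been loaded. The PowerShell function below is an added example written for this spotlight; it is not Cyberbit’s simulation module and not code from MSI. It assumes only what the page states (the driver file name RTCore64.sys) plus two standard facts: the Windows CIM class Win32_SystemDriver lists driver services, and Sysmon, where installed, records driver loads as Event ID 6 in its Operational log. All paths, service names and timestamps are whatever the local machine reports.

```powershell
<#
Added example (not from Cyberbit or MSI Afterburner): a defender-side check for
the RTCore64.sys driver named on this page. Assumptions: the driver file name is
the only indicator used, so a renamed copy will not match; Sysmon, if present,
writes driver loads as Event ID 6 to 'Microsoft-Windows-Sysmon/Operational'.
Run from an elevated PowerShell session for complete results.
#>

function Find-SuspectDriver {
    param(
        # Driver file names to look for. Only RTCore64.sys is taken from the page.
        [string[]] $DriverName = @('RTCore64.sys'),
        # How far back to search Sysmon driver-load events.
        [int] $LookbackDays = 30
    )

    # One case-insensitive regex that matches any listed file name at the end of a path.
    $escaped = $DriverName | ForEach-Object { [regex]::Escape($_) }
    $pattern = '(?i)(^|[\\/])(' + ($escaped -join '|') + ')$'

    # 1. Driver services registered with the Service Control Manager. BYOVD
    #    loaders typically install the vulnerable driver as a service, so the
    #    entry stays visible even after the driver has been stopped.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and ($_.PathName -match $pattern) } |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'Win32_SystemDriver'
                Name    = $_.Name
                Path    = $_.PathName
                State   = $_.State      # 'Running' means the driver is loaded right now
                When    = $null
            }
        }

    # 2. Sysmon Event ID 6 (DriverLoad). Get-WinEvent raises a non-terminating
    #    error when the log is missing or has no matching events; that case is
    #    silenced and simply yields no rows.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 6
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML; the Sysmon
            # DriverLoad event carries the driver path in 'ImageLoaded'.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['ImageLoaded'] -match $pattern) {
                [pscustomobject]@{
                    Source = 'Sysmon/EventID 6'
                    Name   = [System.IO.Path]::GetFileName($data['ImageLoaded'])
                    Path   = $data['ImageLoaded']
                    State  = 'Loaded'
                    When   = $_.TimeCreated
                }
            }
        }
}

# Usage: list every hit; treat a 'Running' or 'Loaded' row on a host that has no
# business running MSI Afterburner as something to triage (which account created
# the service, which process loaded the driver, and when).
Find-SuspectDriver | Format-Table -AutoSize
```

This check is deliberately name-based, which is its weakness: an attacker who renames the file defeats it. Microsoft’s recommended driver block rules, enforced through WDAC or HVCI, block known vulnerable drivers by hash and signer rather than by file name, so the script is best read as a quick hunt to run alongside that blocklist, not as a substitute for it.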

What you’ll learn in this spotlight 

In this spotlight, you’ll explore a purple campaign breaking down the real technique of driver exploitation used in this month’s Rough RDP (APT29) LFE, researched and exploited by our malware researchers. 

Here’s what you’ll learn: 

  • The exploitation history of the RTCore driver and how system-level access is achieved. 
  • Real-world examples and tools exploiting RTCore driver vulnerabilities. 
  • How the exploitation of RTCore64.sys can be leveraged to create a stealthy SYSTEM-level payload delivery pipeline. 
  • Explore the code of a Cyberbit attack simulation module demonstrating the misuse and execution of Windows internals through privilege manipulation. 
  • How to defend against the abuse of vulnerable drivers like RTCore.

[attack flow diagram: RTCore driver exploitation flow]