Vulnerabilities in signed drivers are mostly utilized by game cheat developers to circumvent anti-cheat mechanisms, but they have also been observed being used by several APT groups and in commodity malware alike. Using cheating codes for video games can put a user's computer at risk of cyberattacks.


Vulnerabilities in signed drivers are used not only by game cheat developers to bypass cheat protection mechanisms, but also by APT groups.Experts from ESET analyzed the types of vulnerabilities that are usually found in kernel drivers, and found several vulnerable drivers in popular gaming software.
Unsigned drivers or drivers with vulnerabilities can often become an unsecured gateway to the Windows kernel for attackers.

While direct downloading of a maliciously unsigned driver is no longer possible in Windows 11 and Windows 10, and rootkits are considered a thing of the past, there are still ways to load malicious code into the Windows kernel, especially through the malicious use of legitimate signed drivers.

There are many drivers from hardware and software manufacturers that offer functionality to fully access the kernel with minimal effort. In the course of the study, ESET discovered vulnerabilities in the AMD μProf profile software, the popular Passmark performance testing tool and the PC Analyser system utility. The developers of all the affected programs released patches to address the vulnerabilities after ESET contacted them.
A common method used by cybercriminals and attackers to run malicious code in the Windows kernel is known as Bring Your Own Vulnerable Driver (BYOVD).

"When malware needs to run malicious code in the Windows kernel on x64-based systems with driver signing, having a vulnerable signed kernel driver seems like an acceptable option to do so. This method is known as Bring Your Own Vulnerable Driver, abbreviated as BYOVD, and has been seen to be used in real-world attacks by both high-end APT groups and mass malware," explained Peter Kálnai, senior malware researcher at ESET.
Examples of attackers using BYOVD include the Slingshot APT group, which implemented its core Cahnadr module as a kernel-mode driver, as well as the InvisiMole APT group discovered by researchers back in 2018. RobinHood ransomware is another example that uses a vulnerable GIGABYTE motherboard driver to disable driver signature checking and install its own malicious driver.