Baidu · Baidu Antivirus · CVE-2024-51324
**Name of the Vulnerable Software and Affected Versions**
Baidu Antivirus version 5.2.3.116083
**Description**
An issue in the `BdApiUtil` driver of Baidu Antivirus allows attackers to terminate arbitrary processes by executing a Bring Your Own Vulnerable Driver (BYOVD) attack. The DeadLock ransomware has been observed leveraging this vulnerability (CVE-2024-51324) to disable Endpoint Detection and Response (EDR) systems. The attackers use a PowerShell script to bypass User Account Control (UAC), disable Windows Defender, and delete volume shadow copies, hindering system recovery. The ransomware employs a custom, time-based encryption cipher rather than the standard Windows cryptographic APIs, and encrypts files with the “.dlock” extension. The attackers gain persistent access to the network, often establishing remote access via tools like AnyDesk prior to ransomware deployment.

The exploitation involves manipulating Windows security processes, such as modifying Windows Defender settings using `SystemSettingsAdminFlows.exe` to disable real-time protection and cloud-based defenses. The `CreateFile`, `ZwTerminateProcess`, and `Test-Admin` functions are involved in the attack chain, along with Windows APIs like `DeviceIoControl` and `GetSystemTimeAsFileTime`, and Windows services such as `Eventlog` and `msmpeng`.
**Recommendations**
Versions prior to 5.2.3.116083 should be updated.
As a temporary workaround, consider disabling the `BdApiUtil` driver until a patch is available.
Restrict access to the vulnerable driver `BdApiUtil` to minimize the risk of exploitation.
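As an added example that is not part of this advisory, the Python correlator below flags the chain described above (load of the `BdApiUtil` driver, Defender tampering via `SystemSettingsAdminFlows.exe`, termination of `msmpeng`, files written with the `.dlock` extension) over constructed Sysmon-style events, and gives the monitoring counterpart to the recommendation to restrict the driver: a lone driver load is treated as benign unless paired with a tampering stage. Event field names, file paths and the shadow-copy tooling pattern are assumptions, not values from the advisory.

```python
import re

# Sysmon-style event IDs assumed: 1 process create, 5 process terminate, 6 driver load,
# 11 file create. Field names are modelled on Sysmon; "Host" stands in for Computer.
STAGE_RULES = [
    ("byovd_driver_load",  6,  "ImageLoaded",    re.compile(r"bdapiutil", re.I)),
    ("defender_tamper",    1,  "Image",          re.compile(r"\\SystemSettingsAdminFlows\.exe$", re.I)),
    # The advisory names only the outcome (shadow copies deleted); the tooling matched here is assumed.
    ("shadow_copy_delete", 1,  "CommandLine",    re.compile(r"delete\s+shadows|shadowcopy\s+delete", re.I)),
    ("edr_process_killed", 5,  "Image",          re.compile(r"\\MsMpEng\.exe$", re.I)),
    ("dlock_file_written", 11, "TargetFilename", re.compile(r"\.dlock$", re.I)),
]

def classify(event):
    """Return the kill-chain stage an event matches, or None."""
    for stage, event_id, field, pattern in STAGE_RULES:
        if event.get("EventID") == event_id and pattern.search(event.get(field, "")):
            return stage
    return None

def correlate(events):
    """Collect matched stages per host: {host: sorted list of stage names}."""
    seen = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            seen.setdefault(ev["Host"], set()).add(stage)
    return {host: sorted(stages) for host, stages in seen.items()}

def alerts(events):
    """Hosts to escalate. The driver load alone is not enough (Baidu Antivirus installs it
    legitimately); require it together with a tamper/kill stage, or the ransomware's own
    file extension, which is conclusive by itself."""
    flagged = {}
    tamper = {"defender_tamper", "edr_process_killed", "shadow_copy_delete"}
    for host, stages in correlate(events).items():
        s = set(stages)
        if "dlock_file_written" in s or ("byovd_driver_load" in s and s & tamper):
            flagged[host] = stages
    return flagged

# Constructed sample telemetry, not real logs; paths and file names are made up.
SAMPLE_EVENTS = [
    {"Host": "ws01", "EventID": 6, "ImageLoaded": r"C:\Users\Public\bdapiutil.sys"},
    {"Host": "ws01", "EventID": 1, "Image": r"C:\Windows\System32\SystemSettingsAdminFlows.exe"},
    {"Host": "ws01", "EventID": 5, "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\x\MsMpEng.exe"},
    {"Host": "ws02", "EventID": 6, "ImageLoaded": r"C:\Program Files\Baidu\bdapiutil.sys"},  # AV install only
    {"Host": "ws03", "EventID": 11, "TargetFilename": r"D:\share\report.xlsx.dlock"},
]

if __name__ == "__main__":
    for host, stages in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```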