PT-2025-6398 · Baidu · Baidu Antivirus
Christopher-Ellis-Workday · Published 2025-02-07 · Updated 2026-01-08 · CVE-2024-51324
CVSS v2.0: 5.5 (Medium) | AV:N/AC:L/Au:S/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Baidu Antivirus version 5.2.3.116083
Description
An issue in the BdApiUtil driver of Baidu Antivirus allows attackers to terminate arbitrary processes by executing a Bring Your Own Vulnerable Driver (BYOVD) attack. The DeadLock ransomware has been observed leveraging this vulnerability (CVE-2024-51324) to disable Endpoint Detection and Response (EDR) systems. Attackers use a PowerShell script to bypass User Account Control (UAC), disable Windows Defender, and delete volume shadow copies, hindering system recovery. The ransomware employs a custom, time-based encryption cipher to avoid standard Windows cryptographic APIs, encrypting files with the “.dlock” extension. The attackers gain persistent access to the network, often establishing remote access via tools like AnyDesk prior to ransomware deployment. The exploitation involves manipulating Windows security processes, such as modifying Windows Defender settings using SystemSettingsAdminFlows.exe to disable real-time protection and cloud-based defenses. The CreateFile, ZwTerminateProcess, and Test-Admin functions are involved in the attack chain, along with Windows APIs like DeviceIoControl and GetSystemTimeAsFileTime, and Windows services such as Eventlog and msmpeng.
Recommendations
Versions prior to 5.2.3.116083 should be updated.
As a temporary workaround, consider disabling the BdApiUtil driver until a patch is available.
Restrict access to the vulnerable driver BdApiUtil to minimize the risk of exploitation.
Fix
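The following PowerShell script is an added example of how a defender can audit a host for the driver named in this advisory and apply the temporary workaround above; it is not part of the advisory and not Baidu's code. It assumes (the page does not say) that the driver is registered with the Service Control Manager as a kernel-mode service whose name or image path contains "BdApiUtil", and that Sysmon is installed if the driver-load audit is wanted. The Sysmon search matters because in a BYOVD attack the adversary brings the driver along and registers it under a service name of their own choosing, so the service-name check alone is not sufficient.

```powershell
# Added example for CVE-2024-51324; not part of the advisory or of Baidu's software.
# Audits a Windows host for the BdApiUtil driver and, with -Disable, applies the
# advisory's temporary workaround (disable the driver service). Also searches Sysmon
# driver-load events (Event ID 6) for loads of the driver from any path.
# Assumptions (not stated on the page): the driver is registered as a kernel-mode
# service whose name or image path contains "BdApiUtil"; Sysmon writes to its
# default operational channel.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$Disable,         # stop and disable matching driver services
    [int]$LookbackDays = 30   # how far back to search Sysmon driver-load events
)

$Pattern = 'BdApiUtil'   # driver name from the advisory; -match is case-insensitive

function Resolve-DriverPath {
    # Normalise the image path forms the SCM stores for drivers:
    # "\??\C:\...", "\SystemRoot\...", or a path relative to the Windows directory.
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-BdApiUtilDriver {
    # Enumerate kernel driver services whose name or binary path mentions the driver.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -match $Pattern -or $_.PathName -match $Pattern } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $ver  = if (Test-Path -LiteralPath $path) {
                        (Get-Item -LiteralPath $path).VersionInfo.FileVersion
                    } else { '<file not found>' }
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Path      = $path
                Version   = $ver
            }
        }
}

function Disable-BdApiUtilDriver {
    # Temporary workaround from the advisory: prevent the driver from loading at boot
    # and unload it now. sc.exe is used because it handles kernel drivers uniformly;
    # note the mandatory space after "start=".
    param([Parameter(Mandatory, ValueFromPipeline)]$Driver)
    process {
        Write-Host "Disabling driver service '$($Driver.Name)'"
        & sc.exe config $Driver.Name start= disabled | Out-Null
        & sc.exe stop   $Driver.Name | Out-Null   # fails harmlessly if already stopped
    }
}

function Get-BdApiUtilDriverLoadEvent {
    # Sysmon Event ID 6 ("Driver loaded") records each driver image load with its
    # path, hashes and signature. A load of BdApiUtil on a host that never had Baidu
    # Antivirus installed, or from an unusual directory, is the BYOVD pattern to triage.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 6
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the event's named data fields from its XML rather than relying on
            # positional Properties indexes, which differ between Sysmon schema versions.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['ImageLoaded'] -match $Pattern) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    ImageLoaded = $data['ImageLoaded']
                    Signature   = $data['Signature']
                    Hashes      = $data['Hashes']
                }
            }
        }
}

$drivers = @(Get-BdApiUtilDriver)
if ($drivers.Count -eq 0) {
    Write-Host "No driver service matching '$Pattern' is registered on this host."
} else {
    $drivers | Format-Table -AutoSize | Out-String | Write-Host
    if ($Disable) { $drivers | Disable-BdApiUtilDriver }
}

$loads = @(Get-BdApiUtilDriverLoadEvent)
if ($loads.Count -eq 0) {
    Write-Host "No Sysmon driver-load events matching '$Pattern' in the last $LookbackDays days (or Sysmon is not installed)."
} else {
    $loads | Format-Table -AutoSize | Out-String | Write-Host
}
```

Run it elevated; without switches it only reports, and `-Disable` applies the workaround to every matching service. Two caveats a practitioner should keep in mind: disabling the service may impair Baidu Antivirus itself on hosts where it is legitimately installed, and disabling a service does nothing against an attacker who drops the same driver file and registers it under another name. The durable control for BYOVD is blocking the driver image itself, for example with a WDAC policy or Microsoft's vulnerable driver blocklist; the advisory gives no file hash, so coverage must be confirmed against the hash recorded in the Sysmon events above.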
Improper Privilege Management
Weakness Enumeration
Related Identifiers
Affected Products
Baidu Antivirus