The .doc attachment exploits the Equation Editor vulnerability to contact a link and download an executable, the malware itself. Data is then exfiltrated via SMTP to an email address.
BlackBasta exploits the “Bring Your Own Driver” technique. Sophos cybersecurity experts: the ransomware group abuses CVE-2019-16098 to disable a list of over 1,000 drivers on which security products rely to provide protection.
“Bring Your Own Driver” is a new technique used by the BlackBasta ransomware group to bypass security products by abusing a known vulnerability (CVE-2019-16098) in the legitimate but vulnerable driver RTCore64.sys. Sophos cybersecurity experts discovered the technique. The evasion technique supports disabling a list of over 1,000 drivers on which security products rely to provide protection. RTCore64.sys and RTCore32.sys are drivers used by Micro-Star’s MSI AfterBurner 22.214.171.12458, a widely used graphics card overclocking utility that gives extended control over the graphics cards in a system.

CVE-2019-16098 allows an authenticated user to read and write arbitrary memory, which could be exploited for privilege escalation, code execution with high privileges, or information disclosure. The I/O control codes in RTCore64.sys are directly accessible from user-mode processes. IOCTL codes that let callers read or write unspecified areas of kernel memory are considered dangerous. No shellcode or exploit is required to abuse the vulnerability: simply invoking these control codes with malicious intent is enough.
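As an added detection example (written for this page, not code from the article or from Sophos), the routine below flags loads of the RTCore64.sys/RTCore32.sys drivers in Sysmon Event ID 6 (DriverLoad) records. The log lines are constructed, the blocklist hash is a labelled placeholder, and the Key=Value layout is an assumption standing in for whatever export format a SIEM produces.

```python
import re

# Driver file names the article ties to CVE-2019-16098 (MSI Afterburner).
VULNERABLE_DRIVER_NAMES = {"rtcore64.sys", "rtcore32.sys"}
# Placeholder only: fill from the Microsoft vulnerable-driver blocklist or a vendor advisory.
BLOCKLISTED_SHA256 = {"placeholder_sha256_of_vulnerable_rtcore64"}
# Where legitimately installed drivers normally live; anything else deserves a look.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)
FIELD_RE = re.compile(r"(\w+)=([^|]*)")  # records are Key=Value pairs separated by '|'

def parse_event(line: str) -> dict:
    """Split one DriverLoad record into fields and pull SHA256 out of 'Hashes'."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(line)}
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    fields["SHA256"] = hashes.get("SHA256", "").lower()
    return fields

def assess_driver_load(line: str) -> list[str]:
    """Return the reasons a driver load looks like BYOVD abuse (empty list if clean)."""
    ev = parse_event(line)
    if ev.get("EventID") != "6":  # only Sysmon DriverLoad events are relevant
        return []
    path = ev.get("ImageLoaded", "").lower()
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if name in VULNERABLE_DRIVER_NAMES:
        reasons.append(f"known vulnerable driver {name} (CVE-2019-16098)")
    if ev["SHA256"] in BLOCKLISTED_SHA256:
        reasons.append("driver hash is on the vulnerable-driver blocklist")
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(f"driver loaded from unusual location {path}")
    # A BYOVD driver carries a genuine vendor signature, so 'Valid' here is expected
    # and is never a clean verdict on its own; an invalid one is a separate red flag.
    if ev.get("SignatureStatus", "").lower() != "valid":
        reasons.append("driver signature is not valid")
    return reasons

def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged driver path to its reasons, dropping clean or irrelevant records."""
    results = {parse_event(l).get("ImageLoaded", ""): assess_driver_load(l) for l in lines}
    return {path: reasons for path, reasons in results.items() if reasons}

# Constructed sample records, not real telemetry; field names follow Sysmon Event ID 6.
SAMPLE_EVENTS = [
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys|Hashes=SHA256=1111|SignatureStatus=Valid",
    "EventID=6|ImageLoaded=C:\\Users\\Public\\RTCore64.sys|Hashes=SHA256=placeholder_sha256_of_vulnerable_rtcore64|SignatureStatus=Valid",
    "EventID=1|Image=C:\\Users\\Public\\RTCore64.sys|Hashes=SHA256=2222",
]
```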