VulnerableDriver:WinNT/Winring0.C
Aliases: No associated aliases
Summary
VulnerableDriver:WinNT/Winring0.C is a detection for a vulnerable build of WinRing0.sys, a legitimate, signed kernel-mode driver affected by CVE-2020-14979. The driver had been in use for many years before the vulnerability was published in 2020. It exposes low-level hardware access (model-specific registers, I/O ports, and physical memory) to user-mode callers, and the vulnerable versions do not adequately restrict which local users may reach that interface. The driver is bundled with several popular hardware-monitoring, overclocking, and RGB lighting control utilities, including old versions of CapFrameX, EVGA Precision X1, FanCtrl, HWiNFO, Libre Hardware Monitor, MSI Afterburner, Open Hardware Monitor, OpenRGB, OmenMon, Panorama9, Razer Synapse, SteelSeries Engine, and ZenTimings.
Attackers abuse the driver through the technique known as Bring Your Own Vulnerable Driver (BYOVD): on a system where they already hold administrative rights (loading a driver requires them), they install the legitimately signed WinRing0 driver themselves and then use its interface to read and write kernel memory and run code with kernel-level (ring-0) privileges. With that level of access they can circumvent security protections to deactivate antivirus software, install ransomware, or plant persistent code for later attacks. Microsoft Defender identifies the vulnerable driver and blocks this attack vector.
- Determine which application installed the driver. Check the software vendor's website for a patched or updated version that no longer relies on WinRing0.
- If an update is not available, consider uninstalling the affected application to eliminate the vulnerability.
- Use Microsoft Defender Antivirus to perform a full system scan to ensure no other malware is present that might have attempted to exploit the vulnerable driver.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
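The following PowerShell script is an added example for the steps above; it is not code from Microsoft or from any of the listed vendors. Run it in an elevated session. It inventories WinRing0 driver services and files, attributes each file to the application directory it lives in (which answers "which application installed the driver?"), records hashes and signer details for triage, lists historical driver installs from the System event log, checks whether the Microsoft vulnerable driver blocklist is enforced, and finishes with a definition update and full Defender scan. The search roots and the commented service name are assumptions to adjust for the host.

```powershell
# Added example, not Microsoft's code. Run elevated. Paths, the service name in
# step 5 and the registry check in step 4 are assumptions for illustration.
$ErrorActionPreference = 'SilentlyContinue'

# 1. Driver services registered with the Service Control Manager, running or not.
#    Win32_SystemDriver covers kernel drivers, which Get-Service may not list.
Write-Host "== WinRing0 driver services =="
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -like 'WinRing0*' -or $_.PathName -match 'WinRing0' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# 2. Every copy of the driver on disk. The parent directory is normally the
#    application that bundles it, so BundledBy tells you what to update or remove.
$roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData",
           "$env:LOCALAPPDATA", "$env:APPDATA", "$env:SystemRoot\System32\drivers")
$copies = Get-ChildItem -Path $roots -Recurse -Filter 'WinRing0*.sys' -File
$report = foreach ($f in $copies) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
    [pscustomobject]@{
        Path      = $f.FullName
        BundledBy = $f.Directory.Name
        Version   = $f.VersionInfo.FileVersion
        SHA256    = $hash          # compare against the vendor's known-good build
        Signer    = $sig.SignerCertificate.Subject
        SigStatus = $sig.Status
    }
}
Write-Host "== WinRing0 files on disk =="
$report | Format-List

# 3. History: the Service Control Manager logs event 7045 whenever a new service,
#    kernel drivers included, is installed. A WinRing0 install from an unexpected
#    path or at an unexpected time is what a BYOVD attempt looks like in the logs.
Write-Host "== Service installs mentioning WinRing0 (System log, event 7045) =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } |
    Where-Object { $_.Message -match 'WinRing0' } |
    Select-Object TimeCreated, Message |
    Format-List

# 4. Is the Microsoft vulnerable driver blocklist enforced? This registry value is
#    the one Microsoft documents for the blocklist; treat it as an assumption and
#    confirm against the documentation for your Windows build.
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
Write-Host "VulnerableDriverBlocklistEnable = $($ci.VulnerableDriverBlocklistEnable)"

# 5. After uninstalling the bundling application, remove any orphaned driver
#    service. The service name below is a placeholder; take the real one from step 1.
# sc.exe stop   WinRing0_1_2_0
# sc.exe delete WinRing0_1_2_0

# 6. Update definitions, run a full scan, then review what Defender recorded.
Update-MpSignature
Start-MpScan -ScanType FullScan
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ProcessName, Resources |
    Format-List
```

Step 2 is the one that matters for remediation: a copy under an application's own folder points at the vendor to contact, whereas a copy with no bundling application, an unexpected signer, or a hash that matches nothing you installed deserves incident-response handling rather than a simple uninstall. Steps 5 and 6 are deliberately last because deleting the service before the application is removed can leave the application reinstalling the driver on next launch.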
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.