418/67 Monday, November 25, 2024
Security researchers at Trellix have uncovered an attack campaign leveraging the “Bring-Your-Own-Vulnerable-Driver” (BYOVD) technique. The attackers exploit an outdated and vulnerable driver from Avast Anti-Rootkit to bypass detection and disable security systems. According to the researchers, the malware used in this campaign, classified as an AV Killer, is not tied to any specific malware family. It includes a hardcoded list of 142 security processes from various vendors.
The attack begins with the deployment of a file named kill-floor.exe, which drops the vulnerable driver (file name ntfs.bin) into a user directory on a Windows system. The malware then uses the Service Control utility (sc.exe) to create a service named aswArPot.sys and register the driver. It monitors the running processes on the system, comparing them against a predefined list. When a match is found, the malware opens a handle to the installed Avast driver and sends it an IOCTL request through the DeviceIoControl API, causing the driver to terminate the targeted process from kernel mode.
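The chain above leaves three observable traces on a host: a driver binary dropped into a user-writable directory, a kernel service registered through sc.exe, and the driver being loaded. The following detection logic, added here as an illustration and not code from the Trellix report, scores constructed Sysmon-style events (EventID 1 process creation, EventID 6 driver load) and Windows System log 7045 "service installed" records against those traces. The file and service names (kill-floor.exe, ntfs.bin, aswArPot.sys) come from the article; the directory layout, user name and the benign control events are assumptions made for the sample.

```python
"""Detection logic for the BYOVD chain described above (added example).
Event layouts follow Sysmon (EventID 1 process creation, EventID 6 driver
load) and the System log's 7045 "service installed" record. The sample
events are constructed for this example, not telemetry from the report."""
import re
from typing import Dict, List, Tuple

# Locations an unprivileged user can normally write to; a kernel driver or
# kernel-service binary living here is abnormal for any legitimate vendor.
USER_WRITABLE = re.compile(
    r"^(?:[A-Z]:\\Users\\|[A-Z]:\\ProgramData\\|[A-Z]:\\Windows\\Temp\\)",
    re.IGNORECASE,
)
# Where vendor drivers legitimately live (assumed layout).
VENDOR_DIR = re.compile(
    r"^[A-Z]:\\(?:Program Files(?: \(x86\))?\\|Windows\\System32\\drivers\\)",
    re.IGNORECASE,
)
# Driver names the article reports as abused; extend from Microsoft's
# vulnerable driver blocklist or your own threat intelligence.
ABUSED_DRIVER_NAMES = {"aswarpot.sys"}
SC_KERNEL_CREATE = re.compile(
    r"\bsc(?:\.exe)?\b.*\bcreate\b.*\btype=\s*kernel\b", re.IGNORECASE
)
BINPATH = re.compile(r"binPath=\s*(\"[^\"]+\"|\S+)", re.IGNORECASE)


def clean(path: str) -> str:
    return path.strip().strip('"')


def basename(path: str) -> str:
    return clean(path).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(clean(path)))


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the findings for one event; an empty list means nothing matched."""
    findings: List[str] = []
    src, eid = ev.get("Source"), ev.get("EventID")

    if src == "Sysmon" and eid == "1":  # process creation: look for sc.exe
        cmd = ev.get("CommandLine", "")
        if SC_KERNEL_CREATE.search(cmd):
            m = BINPATH.search(cmd)
            bin_path = m.group(1) if m else ""
            if is_user_writable(bin_path):
                findings.append("sc.exe registered a kernel service from a user-writable path")
            if bin_path and not basename(bin_path).endswith(".sys"):
                findings.append("kernel service binary does not use a .sys name")

    elif src == "System" and eid == "7045":  # service installed
        if ev.get("ServiceType", "").lower().startswith("kernel"):
            image = ev.get("ImagePath", "")
            if is_user_writable(image):
                findings.append("kernel-mode service installed from a user-writable path")
            name = ev.get("ServiceName", "").lower()
            if name in ABUSED_DRIVER_NAMES and basename(image) != name:
                findings.append("service named after a known-abused driver points at a different image")

    elif src == "Sysmon" and eid == "6":  # driver loaded
        image = ev.get("ImageLoaded", "")
        if is_user_writable(image):
            findings.append("driver loaded from a user-writable path")
        if not basename(image).endswith(".sys"):
            findings.append("loaded driver image does not use a .sys name")
        if basename(image) in ABUSED_DRIVER_NAMES and not VENDOR_DIR.match(clean(image)):
            findings.append("known-abused driver loaded from outside its vendor directory")

    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run evaluate() over a sequence of events, keeping only those that fired."""
    return [(i, f) for i, ev in enumerate(events) if (f := evaluate(ev))]


# Constructed sample events: the chain from the article, plus two benign controls.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Source": "Sysmon", "EventID": "1", "Image": "C:\\Windows\\System32\\sc.exe",
     "ParentImage": "C:\\Users\\alice\\Downloads\\kill-floor.exe",
     "CommandLine": 'sc.exe create aswArPot.sys type= kernel binPath= "C:\\Users\\alice\\AppData\\Local\\Temp\\ntfs.bin"'},
    {"Source": "System", "EventID": "7045", "ServiceName": "aswArPot.sys",
     "ServiceType": "kernel mode driver",
     "ImagePath": "C:\\Users\\alice\\AppData\\Local\\Temp\\ntfs.bin"},
    {"Source": "Sysmon", "EventID": "6",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\ntfs.bin",
     "Signature": "Avast Software s.r.o.", "SignatureStatus": "Valid"},
    # Benign: the vendor's own driver loaded from its install directory.
    {"Source": "Sysmon", "EventID": "6",
     "ImageLoaded": "C:\\Program Files\\Avast Software\\Avast\\aswArPot.sys",
     "Signature": "Avast Software s.r.o.", "SignatureStatus": "Valid"},
    # Benign: a user-mode service created from Program Files.
    {"Source": "Sysmon", "EventID": "1", "Image": "C:\\Windows\\System32\\sc.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'sc.exe create MyAgent type= own binPath= "C:\\Program Files\\Agent\\agent.exe"'},
    # Suspicious: the abused driver name staged under ProgramData.
    {"Source": "Sysmon", "EventID": "6", "ImageLoaded": "C:\\ProgramData\\tmp\\aswArPot.sys"},
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(findings))
```

Note that the dropped driver in this campaign carries a valid vendor signature, so signature status alone does not separate it from the legitimate copy; the path, the service name mismatch and the sc.exe invocation do. Preventive control on current Windows builds is Microsoft's vulnerable driver blocklist (enforced through Memory Integrity/HVCI or a WDAC policy), which stops known-abused driver versions from loading regardless of where they sit.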
This malware can disable security solutions from multiple vendors, including McAfee, Symantec, Sophos, Trend Micro, Microsoft Defender, SentinelOne, and ESET. Once security protections are disabled, the malware can carry out malicious activities undetected.
The campaign bears similarities to previous attacks, such as those involving AvosLocker ransomware in 2022 and Cuba ransomware in 2021, both of which used Avast's Anti-Rootkit driver to disable security systems. SentinelLabs also identified critical vulnerabilities (CVE-2022-26522 and CVE-2022-26523) in the driver, flaws dating back to 2016. Although Avast patched these vulnerabilities in 2021, the abuse of vulnerable drivers remains a significant threat, since attackers simply bring an old, still-signed copy of the driver with them.