Recent findings reveal that cybercriminals are exploiting an outdated Avast Anti-Rootkit driver to bypass security systems by disabling critical defense mechanisms. This approach allows threat actors to gain control of targeted computers, putting sensitive data and systems at risk.

Malware Tactics

The attack utilizes a variant of an AV Killer, deploying a list of 142 predetermined names related to various security processes.

Kernel-Level Access: By operating at the kernel level, the malware acquires extensive control over the operating system, facilitating the termination of security processes.

BYOVD Strategy: Trellix's cybersecurity researchers identified this "bring-your-own-vulnerable-driver" technique, which loads an old, legitimately signed anti-rootkit driver and abuses it to disable security products on the affected system.

Process Execution: The malware known as *kill-floor.exe* places the vulnerable driver *ntfs.bin* in Windows' default user directory and creates a service named *aswArPot.sys* using the Service Control Manager.

Security Process Targeting: Equipped with the hardcoded list, the malware scans the system for running processes belonging to security tools. When a match is found, it opens a handle to the Avast driver and issues termination commands to it through the 'DeviceIoControl' API.

The target list covers products from multiple antivirus and cybersecurity vendors, including McAfee, Symantec, Sophos, Trend Micro, Microsoft Defender, SentinelOne, ESET, and BlackBerry. Exploiting the flawed driver lets attackers disable these security products without being detected, clearing the way for further malicious activity.

Historical Context

This vulnerability in the Avast Anti-Rootkit kernel driver has been leveraged previously. In early 2022, researchers at Trend Micro linked similar tactics to AvosLocker ransomware attacks. Additionally, in December 2021, Stroz Friedberg’s Incident Response Services team reported Cuba ransomware using scripts exploiting Avast's driver function. SentinelLabs also acknowledged two high-severity vulnerabilities (CVE-2022-26522 and CVE-2022-26523) in the driver, identified in 2016 and reported to Avast in December 2021. Avast addressed these silently in subsequent updates.

Defensive Measures

To mitigate threats involving vulnerable drivers, Trellix advises implementing detection and blocking rules for the components involved, based on their signatures or file hashes. Microsoft offers additional protection through its vulnerable driver blocklist policy, which is updated regularly, integrated into Windows 11 2022 and later releases, and enabled by default. These findings underscore the importance of keeping security controls current and relying on advanced threat detection capabilities.
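The following is an added example of the kind of detection logic the advice above describes; it is not code from the Trellix report or from Avast. It evaluates constructed records modelled on Windows System log Event ID 7045 ("A service was installed in the system") and flags kernel-driver services whose name matches the abused Avast driver name given in the article (aswArPot.sys), whose image lives outside the trusted driver directories or under a user profile, or whose file hash is on a blocklist. The field names, the sample events and the blocklisted hash are all constructed for the example; no real driver hashes appear on the page, so the blocklist entry is derived from a constructed byte string rather than a real IoC.

```python
"""Flag suspicious kernel-driver service installs (added example, not from the report)."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample records modelled on Event ID 7045. Field names are our own,
# not the real event schema. The first record mirrors the behaviour the article
# describes: a driver service named aswArPot.sys whose image is a non-.sys file
# dropped under a user directory.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "aswArPot.sys",
     "image_path": r"C:\Users\Default\ntfs.bin", "service_type": "kernel mode driver"},
    {"event_id": 7045, "service_name": "vmbus",
     "image_path": r"C:\Windows\System32\drivers\vmbus.sys", "service_type": "kernel mode driver"},
    {"event_id": 7045, "service_name": "MyAppUpdater",
     "image_path": r"C:\Program Files\MyApp\updater.exe", "service_type": "user mode service"},
]

# Driver name taken from the article. Compared case-insensitively.
KNOWN_VULNERABLE_DRIVER_NAMES = {"aswarpot.sys"}

# Hash blocklist: a real deployment would load vendor-published SHA-256 values.
# Here the single entry is the hash of a constructed byte string so the check
# can be exercised offline; it is not a real driver hash.
CONSTRUCTED_DRIVER_IMAGE = b"constructed stand-in for a vulnerable driver image"
BLOCKLISTED_SHA256 = {hashlib.sha256(CONSTRUCTED_DRIVER_IMAGE).hexdigest()}

# Directories from which legitimately installed kernel drivers normally load.
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32")


@dataclass
class Finding:
    service_name: str
    image_path: str
    reasons: List[str] = field(default_factory=list)


def image_hash_is_blocklisted(image_bytes: bytes) -> bool:
    """Return True if the SHA-256 of the given file contents is on the blocklist."""
    return hashlib.sha256(image_bytes).hexdigest() in BLOCKLISTED_SHA256


def evaluate_event(event: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious kernel-driver service install, else None."""
    if event.get("event_id") != 7045:
        return None
    # Only kernel-mode driver services matter for BYOVD; user-mode services are ignored.
    if "driver" not in event.get("service_type", "").lower():
        return None

    name = event["service_name"].lower()
    path = event["image_path"].lower()
    file_name = path.rsplit("\\", 1)[-1]
    reasons = []

    if name in KNOWN_VULNERABLE_DRIVER_NAMES or file_name in KNOWN_VULNERABLE_DRIVER_NAMES:
        reasons.append("service or file name matches a known-vulnerable driver")
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("driver image outside trusted driver directories")
    if path.startswith(r"c:\users"):
        reasons.append("driver image under a user profile directory")
    if not path.endswith(".sys"):
        reasons.append("driver image does not carry a .sys extension")

    return Finding(event["service_name"], event["image_path"], reasons) if reasons else None


def scan_events(events: List[dict]) -> List[Finding]:
    """Run the evaluator over a batch of event records and collect findings."""
    return [f for f in (evaluate_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"[ALERT] service={finding.service_name} image={finding.image_path}")
        for reason in finding.reasons:
            print(f"         - {reason}")
    print("blocklist hit on constructed image:",
          image_hash_is_blocklisted(CONSTRUCTED_DRIVER_IMAGE))
```

In a real pipeline the event records would come from the System log (for example via a SIEM or Sysmon forwarding), the name list would be replaced by the vendor-published list of abused driver names, and the hash set would be populated from the Microsoft vulnerable driver blocklist or an equivalent feed; the path heuristics are a fallback for drivers renamed to evade name matching, which is exactly the trick the article describes.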