Infection Chain | Image: Trellix
The Trellix Advanced Research Center has uncovered a malicious campaign that turns trusted security tools against their users. This campaign, detailed in their report, reveals how attackers exploited the Avast Anti-Rootkit driver, aswArPot.sys, to bypass defenses, terminate security processes, and seize control of systems.
“Instead of bypassing defenses, this malware takes a more sinister route,” the report explains. The attackers dropped the legitimate Avast Anti-Rootkit driver into the system, leveraging its kernel-level privileges to carry out their malicious activities. By disguising the driver as ntfs.bin in the system directory, the malware avoided detection and raised no immediate alarms.
Once deployed, the malware created a service using the command-line utility sc.exe. With the driver active, it gained unrestricted access to the operating system, enabling it to disable antivirus and endpoint detection and response (EDR) solutions.
The infection chain begins with the malware, named kill-floor.exe, dropping the Avast driver and registering it as a service. From there, the malware:
- Monitors processes: it enters a loop that snapshots the active processes on the system and compares them against a hardcoded list of 142 well-known security processes.
- Weaponizes the driver: using the DeviceIoControl API with IOCTL code 0x9988c094, the malware commands the Avast driver to terminate the targeted processes. “Kernel-mode drivers can override user-mode processes,” the report states, so security software cannot resist these tampering attempts.

Image: Trellix
What makes this attack particularly insidious is its reliance on a legitimate security driver to do its dirty work. Kernel-mode drivers, designed to protect systems at the deepest levels, are now tools for destruction. “The Avast driver utilizes Windows kernel functions like KeAttachProcess and ZwTerminateProcess to terminate security processes on behalf of the malware,” the report notes.
This method of attack, known as Bring Your Own Vulnerable Driver (BYOVD), highlights a significant weakness in current defense mechanisms: the inability to differentiate between legitimate and malicious use of trusted drivers.
Trellix emphasizes the importance of BYOVD-specific protection mechanisms to counter such threats. By deploying expert rules to detect and block vulnerable drivers based on unique signatures or hashes, organizations can prevent their exploitation. Integrating these protections into endpoint detection and response solutions adds a crucial layer of defense.
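The detection approach the report recommends (blocking known vulnerable drivers by hash or signature rather than by file name) can be illustrated with a small triage script. The following is an added example, not code from Trellix or Avast. It runs three rules over constructed records shaped like a Sysmon Event ID 6 (DriverLoad) and a Windows System log Event ID 7045 (new service installed) after JSON export: a SHA-256 blocklist match, a kernel driver loaded or registered from a file that is not a `.sys`, and a driver whose signer is on a watch list but whose file name is not the expected one. The hash in the blocklist is an explicit placeholder (the page does not give the abused driver's hash), the signer string and the service name are assumptions, and the sample events are constructed.

```python
"""
Triage of driver-load and service-install records for BYOVD indicators.

Added example, not Trellix's or Avast's code. Input records are constructed to
resemble Sysmon Event ID 6 (DriverLoad) and System log Event ID 7045 (service
installed) as they appear after JSON export; the blocklist hash is a placeholder.
"""
import ntpath
from typing import Dict, List, Tuple

# Hypothetical SHA-256 blocklist. The real hash of the abused aswArPot.sys build
# is not on the page, so the key is an obvious placeholder an operator replaces
# with entries from a maintained vulnerable-driver list (keys are lowercase hex).
VULNERABLE_DRIVER_SHA256 = {
    "placeholder_sha256_of_abused_aswarpot_sys": "Avast Anti-Rootkit (aswArPot.sys)",
}

# Signers whose drivers expose process termination to user mode; one of their
# drivers loaded under a different file name is suspicious. Assumption: the
# Authenticode subject string contains the vendor name used as the key.
WATCHED_SIGNERS = {"avast software": "aswarpot.sys"}


def parse_hashes(field: str) -> Dict[str, str]:
    """Turn Sysmon's 'SHA256=...,MD5=...' field into {algorithm: lowercase hex}."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def check_driver_load(event: dict) -> List[str]:
    """Rules for a Sysmon Event ID 6 (DriverLoad) record."""
    findings: List[str] = []
    image = event.get("ImageLoaded", "")
    base = ntpath.basename(image)            # handles backslash paths on any OS
    ext = ntpath.splitext(base)[1].lower()
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "")
    signer = event.get("Signature", "").lower()

    if sha256 in VULNERABLE_DRIVER_SHA256:   # name-independent: survives renaming
        findings.append(f"known vulnerable driver loaded: "
                        f"{VULNERABLE_DRIVER_SHA256[sha256]} as {image}")
    if ext != ".sys":                        # e.g. a driver dropped as ntfs.bin
        findings.append(f"kernel driver loaded from a non-.sys file: {image}")
    for vendor, expected in WATCHED_SIGNERS.items():
        if vendor in signer and base.lower() != expected:
            findings.append(f"driver signed by '{event.get('Signature')}' loaded "
                            f"under unexpected name {base} (expected {expected})")
    return findings


def check_service_install(event: dict) -> List[str]:
    """Rules for a System log Event ID 7045 (new service installed) record."""
    findings: List[str] = []
    if event.get("ServiceType", "").lower() != "kernel mode driver":
        return findings                      # only driver services matter here
    path = event.get("ImagePath", "")
    if ntpath.splitext(ntpath.basename(path))[1].lower() != ".sys":
        findings.append(f"kernel driver service '{event.get('ServiceName')}' "
                        f"registered with non-.sys image {path}")
    return findings


def scan(events: List[dict]) -> List[Tuple[int, str]]:
    """Dispatch each record on its EventID and collect (EventID, finding) pairs."""
    results: List[Tuple[int, str]] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 6:
            hits = check_driver_load(ev)
        elif eid == 7045:
            hits = check_service_install(ev)
        else:
            hits = []
        results.extend((eid, f) for f in hits)
    return results


# Constructed sample records (not real telemetry): the service registration and
# driver load of a renamed driver, followed by a benign Microsoft driver load.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "svc_constructed", "ServiceType": "kernel mode driver",
     "StartType": "demand start", "ImagePath": r"\??\C:\Windows\System32\ntfs.bin"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\ntfs.bin",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_ABUSED_ASWARPOT_SYS",
     "Signed": "true", "Signature": "Avast Software", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Hashes": "SHA256=" + "0" * 64,
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for eid, finding in scan(SAMPLE_EVENTS):
        print(f"[EventID {eid}] {finding}")
```

Run against the constructed records, the renamed driver produces four findings (one from the service registration, three from the load) and the genuine ntfs.sys produces none. The hash rule is the one that matters most in practice: a file-name rule is defeated by renaming the driver to ntfs.bin, while the hash and signer rules still fire, which is exactly why the report recommends blocking by signature or hash.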