Hackers Exploit Avast Anti-Rootkit Driver to Disable Security Defenses

November 23, 2024

A malicious campaign has been detected that abuses a legitimate but outdated Avast Anti-Rootkit driver to evade detection and take control of the targeted system by disabling its security components. The malware, a variant of an AV killer, carries a hardcoded list of 142 security process names from various vendors. Because the driver runs in kernel mode, it gives the malware access to critical parts of the operating system and lets it terminate those processes from the kernel rather than from user mode, where security software could intervene.

Cybersecurity firm Trellix discovered the attack, which uses the bring-your-own-vulnerable-driver (BYOVD) technique with an outdated version of the anti-rootkit driver to halt security products on the targeted system. The malware, kill-floor.exe, drops the vulnerable driver as ntfs.bin in the default Windows user folder. It then creates a service named 'aswArPot.sys' with the Service Control utility (sc.exe) and registers the dropped driver through it, so the file on disk is called ntfs.bin while the kernel service carries the driver's original name.

The malware then compares its hardcoded list of 142 security-related process names against multiple snapshots of the processes running on the system. Trellix researcher Trishaan Kalra noted that when a match is found, "the malware creates a handle to reference the installed Avast driver." It then calls the DeviceIoControl API to send the driver the IOCTL codes that terminate the matching process, so the kill is carried out by the signed kernel driver rather than by the malware itself.
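The chain above leaves two durable traces on a host: a driver service whose name matches the Avast driver, and a kernel driver whose binary lives under a user profile instead of System32\drivers. The following PowerShell script is an added hunting example, not Trellix's code or the malware's; it checks both the drivers currently registered with the Service Control Manager and System log event 7045 ("A service was installed in the system"), which survives even if the attacker removes the service afterwards. It assumes the System log covers the lookback window; the name list and the user-writable roots are illustrative defaults.

```powershell
# Added example (not from the Trellix report): hunt for a kernel driver service
# registered from a user-writable path, or one named after the Avast driver.
function Find-SuspiciousDriverServices {
    [CmdletBinding()]
    param(
        # Service or image names to flag on hosts that have no Avast installation.
        [string[]]$WatchNames = @('aswArPot'),
        # Kernel drivers have no business loading from these locations.
        [string[]]$UserWritableRoots = @(
            "$env:SystemDrive\Users",
            "$env:SystemDrive\ProgramData",
            "$env:SystemDrive\Windows\Temp"
        ),
        [int]$LookbackDays = 30
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # Driver ImagePaths often carry the \??\ NT prefix; strip it for path matching.
    function ConvertTo-Win32Path([string]$p) { return ($p -replace '^\\\?\?\\', '') }

    function Get-Reasons([string]$Name, [string]$Path, [bool]$IsKernel) {
        $reasons = @()
        foreach ($n in $WatchNames) {
            if ($Name -like "*$n*" -or $Path -like "*$n*") { $reasons += "name matches '$n'" }
        }
        if ($IsKernel) {
            foreach ($root in $UserWritableRoots) {
                if ($Path -like "$root\*") { $reasons += "kernel driver from user-writable path $root" }
            }
        }
        return $reasons
    }

    # 1. Drivers currently registered with the SCM, running or not.
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = ConvertTo-Win32Path $drv.PathName
        $reasons = @(Get-Reasons -Name $drv.Name -Path $path -IsKernel $true)
        if ($reasons.Count -gt 0) {
            $exists = Test-Path -LiteralPath $path
            $findings.Add([pscustomobject]@{
                Source    = 'Win32_SystemDriver'
                Name      = $drv.Name
                Path      = $path
                State     = $drv.State
                # A valid vendor signature is expected here: BYOVD relies on it, so do not treat it as benign.
                Signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'file missing' }
                # Compare against the vendor's fixed release; the abused build is an old one.
                Version   = if ($exists) { (Get-Item -LiteralPath $path).VersionInfo.FileVersion } else { $null }
                Reason    = ($reasons -join '; ')
            })
        }
    }

    # 2. Service-install events. 7045 property order: ServiceName, ImagePath, ServiceType, StartType, AccountName.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $svc  = [string]$ev.Properties[0].Value
        $img  = ConvertTo-Win32Path ([string]$ev.Properties[1].Value)
        $type = [string]$ev.Properties[2].Value
        $reasons = @(Get-Reasons -Name $svc -Path $img -IsKernel ($type -like '*kernel*'))
        if ($reasons.Count -gt 0) {
            $findings.Add([pscustomobject]@{
                Source    = 'EventID 7045'
                Name      = $svc
                Path      = $img
                State     = "installed $($ev.TimeCreated)"
                Signature = $null
                Version   = $null
                Reason    = ($reasons -join '; ')
            })
        }
    }

    return $findings
}

# Usage (elevated):  Find-SuspiciousDriverServices | Format-Table -AutoSize
```

The path check is the one that matters: in the campaign described, the service is named after the Avast driver but its ImagePath points at ntfs.bin in the user folder, and an attacker who renames the service still has to load the binary from somewhere they can write. On a host that genuinely runs Avast, a hit on the name alone is expected and should be judged by the driver's version and location.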

The malware targets processes from a variety of security solutions, including McAfee, Symantec (Broadcom), Sophos, Avast, Trend Micro, Microsoft Defender, SentinelOne, ESET, and BlackBerry. Once defenses are deactivated, the malware can carry out malicious activities without alerting the user or being blocked.

The same driver and the same technique were documented by Trend Micro researchers in early 2022 while investigating an AvosLocker ransomware attack. In December 2021, Stroz Friedberg's Incident Response Services team found that Cuba ransomware used a script that abused a function in Avast's Anti-Rootkit kernel driver to kill security solutions on victims' systems. Around the same time, researchers at SentinelLabs found two high-severity flaws (CVE-2022-26522 and CVE-2022-26523), present since 2016, that could be exploited "to escalate privileges enabling them to disable security products." The issues were reported to Avast in December 2021, and the company quietly addressed them in security updates. Patching does not retire the driver as an attack tool, however: the vulnerable build remains validly signed, which is exactly what lets an attacker bring it along and load it on a fully patched system.

Attacks that abuse vulnerable drivers can be blocked with rules that identify the driver by its signature, file hash or file attributes. Microsoft also ships a vulnerable driver blocklist policy file, updated with every major Windows release; starting with the Windows 11 2022 Update, the blocklist is enabled by default on all devices. Because the built-in copy only changes with a new Windows release, the most current version of the list is obtained by applying it as an App Control for Business policy.
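To turn the advice above into something checkable, the following PowerShell is an added example (not from the article or from Microsoft): it reports whether a host enforces the built-in vulnerable driver blocklist, HVCI and an App Control policy, and it applies a newer copy of Microsoft's recommended driver block rules as an App Control for Business policy. It assumes the XML has already been downloaded from Microsoft's documentation to the path passed in $PolicyXml (a hypothetical path), that the registry value behind the Windows Security "Microsoft Vulnerable Driver Blocklist" toggle is VulnerableDriverBlocklistEnable, and that citool.exe is present on Windows 11 22H2 and later. Run it elevated.

```powershell
# Added example, not from the article: inspect and strengthen driver blocking on a host.
function Get-DriverBlocklistStatus {
    # Registry value behind the Core Isolation "Microsoft Vulnerable Driver Blocklist" toggle.
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $blocklist = if ($ci -and $null -ne $ci.VulnerableDriverBlocklistEnable) {
        [int]$ci.VulnerableDriverBlocklistEnable -eq 1
    } else { $null }   # value absent on older builds, where the toggle does not exist

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $hvci = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
    $enforcement = if ($dg) { $dg.CodeIntegrityPolicyEnforcementStatus } else { $null }

    [pscustomobject]@{
        OsBuild                          = [Environment]::OSVersion.Version.Build
        VulnerableDriverBlocklistEnabled = $blocklist
        HvciRunning                      = $hvci
        AppControlPolicyEnforcement      = $enforcement
    }
}

function Install-RecommendedDriverBlockRules {
    param(
        # The recommended driver block rules XML downloaded from Microsoft (path is yours).
        [Parameter(Mandatory)][string]$PolicyXml,
        [string]$BinaryOut = (Join-Path $env:TEMP 'DriverBlockRules.cip')
    )
    if (-not (Test-Path -LiteralPath $PolicyXml)) { throw "Policy XML not found: $PolicyXml" }

    # Compile the XML policy into the binary form that Code Integrity loads.
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $BinaryOut | Out-Null

    $citool = Join-Path $env:SystemRoot 'System32\citool.exe'
    if (Test-Path -LiteralPath $citool) {
        # Windows 11 22H2 and later: activate the policy immediately, no reboot needed.
        & $citool --update-policy $BinaryOut --json
    } else {
        # Older builds: stage it in the active policies folder under its PolicyID GUID and reboot.
        $policyId = ([xml](Get-Content -LiteralPath $PolicyXml)).SiPolicy.PolicyID
        $dest = Join-Path $env:SystemRoot "System32\CodeIntegrity\CiPolicies\Active\$policyId.cip"
        Copy-Item -LiteralPath $BinaryOut -Destination $dest -Force
        Write-Warning "Policy staged at $dest; reboot to activate."
    }
}

# Usage (elevated):
#   Get-DriverBlocklistStatus
#   Install-RecommendedDriverBlockRules -PolicyXml 'C:\policies\RecommendedDriverBlockRules.xml'
```

The block rules XML is itself the "rules based on signatures or hashes" the paragraph refers to: it is a list of App Control Deny rules keyed on file hashes and on file attributes such as name and version range, so a driver matched by it is refused at load time regardless of which service name or file name the attacker gives it. Check the status output first; if HvciRunning is false and the blocklist value is absent or zero, the built-in protection is not in force and the policy step is what closes the gap.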
