Avast anti-rootkit driver exploit allows hackers to disable defences

December 6, 2024

A newly discovered cybercriminal operation is exploiting an allegedly insecure and outdated version of the Avast Anti-Rootkit driver.

Based on reports, this campaign allows threat actors to bypass detection and take control of the compromised system by disabling its security components. The researchers noted that the malware used in this campaign, a variant of an AV Killer not tied to any specific family, drops the driver onto the system.

Moreover, it includes a hardcoded list of 142 process names belonging to security products from various vendors. Because the driver operates at the kernel level, it gives the malware access to vital areas of the operating system and lets it terminate those processes from there.

The Avast anti-rootkit driver exploit was discovered through a BYOVD operation.

The attack on the Avast anti-rootkit driver allegedly uses the bring-your-own-vulnerable-driver (BYOVD) technique, loading an old version of the anti-rootkit driver in order to turn off security products on a targeted system.

The researchers explained that malware called kill-floor.exe places the vulnerable driver, named ntfs.bin, in the default Windows user folder. The malware then creates a service named ‘aswArPot.sys’ with the Service Control utility (sc.exe) and registers the driver through it.

The malicious payload then compares its hardcoded list of 142 security-related process names against repeated snapshots of the processes running on the system. Once a match is found, the malware obtains a handle to the installed Avast driver.

It then uses the ‘DeviceIoControl’ API to send the driver the IOCTL commands needed to terminate the matching processes belonging to various security solutions. With those safeguards turned off, the malware can carry out destructive operations without alerting the user or being stopped.
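As an added illustration (not code from the report, the researchers or Avast), here is a small Python hunting script that flags the two observable steps described above: an sc.exe create command whose binPath points into a user profile folder, and a kernel driver loaded from outside the system drivers directory. Field names follow Sysmon event 1 (process creation) and event 6 (driver load), but the event lines themselves are constructed for this example.

```python
import json
import re

# Constructed Sysmon-style events (JSON lines); not real telemetry.
# EventID 1 = process creation, EventID 6 = driver load.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc.exe create aswArPot.sys binPath= C:\\Users\\victim\\ntfs.bin type= kernel"}
{"EventID": 6, "ImageLoaded": "C:\\Users\\victim\\ntfs.bin", "Signed": "true", "Signature": "Avast Software"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\aswArPot.sys", "Signed": "true", "Signature": "Avast Software"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc.exe query wuauserv"}
"""

# A driver image under a user profile is the hallmark of a BYOVD drop.
USER_DIR = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
# Legitimately installed kernel drivers normally live here.
DRIVER_DIR = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\", re.IGNORECASE)
# Service creation via sc.exe: capture the service name and its binPath.
SC_CREATE = re.compile(
    r"\bsc(?:\.exe)?\s+create\s+(?P<name>\S+).*?binPath=\s*(?P<path>\S+)",
    re.IGNORECASE,
)


def find_byovd_indicators(jsonl: str) -> list[dict]:
    """Return one finding per event that matches a BYOVD detection rule."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev.get("EventID") == 1:
            m = SC_CREATE.search(ev.get("CommandLine", ""))
            if m and USER_DIR.match(m.group("path")):
                findings.append({"rule": "sc_create_driver_from_user_dir",
                                 "service": m.group("name"),
                                 "path": m.group("path")})
        elif ev.get("EventID") == 6:
            path = ev.get("ImageLoaded", "")
            # A valid vendor signature does not make the load benign: the
            # whole point of BYOVD is that the driver is legitimately signed.
            if USER_DIR.match(path) or not DRIVER_DIR.match(path):
                findings.append({"rule": "driver_loaded_outside_drivers_dir",
                                 "path": path,
                                 "signer": ev.get("Signature")})
    return findings


if __name__ == "__main__":
    for f in find_byovd_indicators(SAMPLE_EVENTS):
        print(f)
```

The two constructed malicious events are flagged while the in-place driver load and the unrelated sc.exe query are not; in production the same rules would run over real Sysmon or EDR telemetry.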

It is worth noting that separate research discovered the exploited driver and related operations a couple of years ago while analysing an AvosLocker ransomware attack. On the other hand, another assessment found that the Cuba ransomware employed a script that exploited a feature in Avast’s Anti-Rootkit kernel driver to disable security solutions on target PCs.

Around the same time, researchers discovered two high-severity vulnerabilities in the driver, present since 2016, that could be exploited to elevate privileges and thereby disable security solutions.

Reports claim that Avast has already released patches to address those two flaws. The recent exploit remains to be verified, as more details have yet to be uncovered.
