Hackers abuse Avast anti-rootkit driver to disable defenses

 

A brand new malicious marketing campaign is utilizing a reliable however previous and weak Avast Anti-Rootkit driver to evade detection and take management of the goal system by disabling safety parts.

The malware that drops the motive force is a variant of an AV Killer of no specific household. It comes with a hardcoded record of 142 names for safety processes from varied distributors.

Because the driver can function at kernel degree, it gives entry to vital elements of the working system and permits the malware to terminate processes.

Safety researchers at cybersecurity firm Trellix just lately found a brand new assault that leverages the bring-your-own-vulnerable-driver (BYOVD) strategy with an previous model of the anti-rootkit driver to cease safety merchandise on a focused system.

They clarify {that a} piece a bit of malware with the file identify kill-floor.exe drops the weak driver with the file identify ntfs.bin within the default Home windows consumer folder. Subsequent, the malware creates the service ‘aswArPot.sys’ utilizing the Service Management (sc.exe) and registers the motive force.

Attack chain
Assault chain
Supply: Trellix

The malware then makes use of a hardcoded record of 142 processes related to safety instruments and checks it in opposition to a number of snapshots of lively processes on the system.

Trellix researcher Trishaan Kalra says that when it finds a match, “the malware creates a handle to reference the installed Avast driver.”

It then leverages the ‘DeviceIoControl’ API to concern the required IOCTL instructions to terminate it.

List of targeted products
Record of focused processes
Supply: Trellix

 

As seen within the screenshot above, the malware targets processes from varied safety options, together with these from McAfee, Symantec (Broadcom), Sophos, Avast, Development Micro, Microsoft Defender, SentinelOne, ESET, and BlackBerry.

With defenses deactivated, the malware can carry out malicious actions with out triggering alerts to the consumer or getting blocked.

Terminating security processes
Record of focused processes
Supply: Trellix

It’s price noting that the motive force and related procedures had been noticed in early 2022 by researchers at Development Micro whereas investigating an AvosLocker ransomware assault.

In December 2021, the Stroz Friedberg’s Incident Response Companies group discovered that Cuba ransomware utilized in assaults a script that abused a operate in Avast’s Anti-Rootkit kernel driver to kill safety options on sufferer’s methods.

Across the identical time, researchers at SentinelLabs found found two high-severity flaws (CVE-2022-26522 and CVE-2022-26523) that had been current since 2016, which might be exploited “to escalate privileges enabling them to disable security products.”

The 2 points had been reported to Avast in December 2021 and the corporate addressed them silently with safety updates.

Defending in opposition to assaults that depend on weak drivers is feasible through the use of guidelines that may determine and block parts based mostly on their signatures or hashes, reminiscent of this one that Trellix recommends.

Microsoft additionally has options, such because the weak driver blocklist coverage file, which is up to date with each main Home windows launch. Beginning Home windows 11 2022, the record is lively by default on all gadgets. The newest model of the record is feasible by way of App Management for Enterprise.

Recent articles

Postman Workspaces Leak 30000 API Keys and Delicate Tokens

SUMMARY 30,000 Public Workspaces Uncovered: CloudSEK identifies large information leaks...

What’s CRM? A Complete Information for Companies

Buyer relationship administration software program is a gross sales...