Cybersecurity researchers have uncovered a new malicious campaign that leverages a technique known as Bring Your Own Vulnerable Driver (BYOVD) to disarm security protections and ultimately gain control of the infected system.
“This malware takes a more sinister route: it drops a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and manipulates it to carry out its destructive agenda,” Trellix security researcher Trishaan Kalra said in an analysis published last week.
“The malware exploits the deep access provided by the driver to terminate security processes, disable protective software, and seize control of the infected system.”
The starting point of the attack is an executable file (kill-floor.exe) that drops the legitimate, signed Avast Anti-Rootkit driver and then registers it as a service using Service Control (sc.exe), so that the driver is loaded into the kernel and can be used for the malicious actions that follow. Because the driver carries a valid vendor signature, it loads on a default Windows configuration unless that specific driver is blocklisted.
Once the driver is up and running, the malware gains kernel-level access to the system, allowing it to terminate a total of 142 processes, including those associated with security software, that might otherwise raise an alarm.
This is achieved by taking snapshots of the processes running on the system and checking their names against a hard-coded list of processes to kill; any match is then terminated through the driver rather than through a user-mode API call.
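The three observable steps above (an executable drops the signed driver, sc.exe registers it as a kernel service, the driver loads and starts killing processes) give a defender two cheap hunting points before the kill list runs. The Python below is an added example, not code from Trellix or from the malware: it scans constructed log lines shaped like Sysmon Event ID 1 (process creation) and Event ID 6 (driver load) for an sc.exe create command that registers a .sys file as a kernel-type service, and for aswArPot.sys loading from anywhere other than an assumed Avast install directory. The event field layout, the sample paths, the service name and the "expected" install directory are assumptions made for the example; only aswArPot.sys, sc.exe and the kernel-service registration come from the article.

```python
import re
from pathlib import PureWindowsPath

# Driver name from the article. Comparison is case-insensitive.
SUSPECT_DRIVER = "aswarpot.sys"
# ASSUMPTION: where a genuine Avast install keeps its drivers. Adjust for your estate.
EXPECTED_AVAST_DIR = r"c:\program files\avast software"

# Constructed sample telemetry (not real logs). Field names loosely follow
# Sysmon Event ID 1 (ProcessCreate) and Event ID 6 (DriverLoad).
SAMPLE_EVENTS = [
    r'EventID=1 Image="C:\Windows\System32\sc.exe" '
    r'CommandLine="sc.exe create aswArPot binPath= C:\Users\Public\aswArPot.sys type= kernel"',
    r'EventID=6 ImageLoaded="C:\Users\Public\aswArPot.sys" Signed=true',
    r'EventID=1 Image="C:\Windows\System32\sc.exe" CommandLine="sc.exe query wuauserv"',
    r'EventID=6 ImageLoaded="C:\Program Files\Avast Software\Avast\aswArPot.sys" Signed=true',
]

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value log line into a dict of field -> string."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def parse_sc_create(cmdline):
    """Extract (service_name, {option: value}) from an 'sc.exe create' command line.

    sc.exe options are written 'option= value' (space after the '='), which is why
    the option regex allows whitespace there. Returns None for any other sc.exe verb.
    Assumes binPath has no embedded spaces; a quoted path would need extra handling.
    """
    m = re.search(r"\bcreate\s+(\S+)(.*)$", cmdline, re.IGNORECASE)
    if not m:
        return None
    name, rest = m.group(1), m.group(2)
    opts = {k.lower(): v for k, v in re.findall(r"(\w+)=\s*(\S+)", rest)}
    return name, opts


def _basename(win_path):
    return PureWindowsPath(win_path).name.lower()


def _parent(win_path):
    return str(PureWindowsPath(win_path).parent).lower()


def hunt(lines):
    """Return (severity, rule, subject, evidence) tuples for suspicious events.

    Rule 1: sc.exe creating a kernel-type service whose binary is a .sys file.
            Any such event is worth a look; the Avast driver name raises it to high.
    Rule 2: the Avast anti-rootkit driver loading from outside its install directory,
            which is what a dropped copy (e.g. next to kill-floor.exe) would look like.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "1" and _basename(ev.get("Image", "")) == "sc.exe":
            parsed = parse_sc_create(ev.get("CommandLine", ""))
            if parsed is None:
                continue
            name, opts = parsed
            binpath = opts.get("binpath", "")
            if opts.get("type", "").lower() == "kernel" and binpath.lower().endswith(".sys"):
                sev = "high" if _basename(binpath) == SUSPECT_DRIVER else "medium"
                findings.append((sev, "kernel_service_created", name, binpath))
        elif eid == "6":
            loaded = ev.get("ImageLoaded", "")
            if _basename(loaded) == SUSPECT_DRIVER and not _parent(loaded).startswith(EXPECTED_AVAST_DIR):
                findings.append(("high", "driver_loaded_unexpected_path", SUSPECT_DRIVER, loaded))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Note that the legitimate load from the Avast directory in the fourth sample line is deliberately not flagged: the driver itself is genuine, so the signal is where it comes from and who registered it, not the signature. Rule 1 intentionally fires on any kernel service created with sc.exe, because the same pattern covers other BYOVD drivers; tune the severity to the drivers already allowed in your environment.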
“Since kernel-mode drivers can override user-mode processes, the Avast driver is able to terminate processes at the kernel level, effortlessly bypassing the tamper protection mechanisms of most antivirus and EDR solutions,” Kalra said.
The exact initial access vector used to drop the malware is currently not clear. It is also not known how widespread these attacks are or who the targets are.
That said, BYOVD attacks have become an increasingly common technique adopted by threat actors to deploy ransomware in recent years, as they reuse signed but flawed drivers to bypass security controls: the driver's signature is valid, so the defense has to rest on blocklisting known-abusable drivers and on watching for them being loaded from unusual locations, not on signature checks alone.
Earlier this May, Elastic Security Labs revealed details of a GHOSTENGINE malware campaign that took advantage of the same Avast driver to turn off security processes.