Cybersecurity researchers at Trellix have discovered that hackers have found a new way to disable antivirus programs on target systems through the use of a legitimate but old Avast driver. Attackers are exploiting a vulnerability that allows the driver to terminate processes at the kernel level.
According to the information, the attack uses the “bring your own vulnerable driver” (BYOVD) method. Attackers use an old version of the Avast anti-rootkit driver to stop various security products from working. The malware, known as AV Killer, installs a driver called ntfs.bin in the user’s default Windows folder.
After installing the driver, the malware creates the aswArPot.sys service using the Service Control utility (sc.exe). After this, the active processes of the system are checked against a pre-prepared list of 142 processes associated with antivirus applications. “When the virus finds a match, it independently creates an identifier to interact with the installed Avast driver“explains researcher Trishaan Kalra from Trellix.
Next, using the DeviceIoControl API, the malware sends the IOCTL commands necessary to terminate the target processes. Among the targets of the attack are antiviruses from leading companies such as McAfee, Symantec, Sophos and others. At the same time, the disabling method allows hackers to carry out malicious actions without notifying the user or blocking them from security systems.
It is worth noting that the method itself is relatively archaic. Similar cases were recorded at the beginning of 2022 when analyzing attacks using the AvosLocker ransomware.
In response to the discovered vulnerabilities, Avast released security updates for its driver, and Microsoft, to protect against such attacks, proposes to use a policy for blocking vulnerable drivers, which is actively updated with each major Windows release.
If you notice an error, select it with the mouse and press CTRL+ENTER.