Hackers Exploit Outdated Avast Anti-Rootkit Driver to Bypass Security Measures

2024-11-23

Author: Wei Ling

Introduction

A nefarious new campaign is capitalizing on an outdated and vulnerable Avast Anti-Rootkit driver to disable crucial security defenses and gain control over targeted systems. This dangerous malware, identified as a variant of an AV Killer, targets a chilling list of 142 security processes from numerous vendors to evade detection.

Kernel-Level Access and Operation

The sinister nature of this malware lies in its ability to operate at the kernel level, which grants it the same privilege level as the operating system itself and access to parts of the system that user-mode software cannot touch. From there it can ruthlessly terminate security processes, including ones that are normally protected from termination, effectively disabling the very protections meant to keep users safe.

Discovery of BYOVD Technique

Recently, security experts at Trellix uncovered this alarming technique, known as bring-your-own-vulnerable-driver (BYOVD), which utilizes an outdated version of the anti-rootkit driver to stop security products on the systems it targets. Specifically, a piece of malware named "kill-floor.exe" deploys the vulnerable driver titled "ntfs.bin" into the standard Windows user folder.

Execution of the Attack

The malware then cross-references a hardcoded list of 142 security process names against the processes currently running on the system. Trellix researcher Trishaan Kalra explains that upon finding a match, “the malware creates a handle to reference the installed Avast driver.” It then uses the 'DeviceIoControl' API to send the driver the IOCTL commands that cause it to terminate those security processes from kernel mode, something the malware could not do on its own from user mode.

Targeted Security Solutions

The attack doesn't discriminate; it targets a wide array of security solutions from leading companies, including McAfee, Symantec (Broadcom), Sophos, Avast, Trend Micro, Microsoft Defender, SentinelOne, ESET, and BlackBerry. With these defenses deactivated, the malware can execute its malicious agenda freely, without arousing suspicion or being blocked by security measures.

Historical Context of the Attack

This is not the first time the technique has been seen. Security researchers observed similar tactics in 2022 while investigating an AvosLocker ransomware attack, and even earlier, in late 2021, Stroz Friedberg’s Incident Response Services team found that Cuba ransomware exploited Avast's Anti-Rootkit driver to deactivate security solutions on affected systems.

Vulnerabilities in Avast's Driver

Furthermore, researchers at SentinelLabs uncovered two high-severity vulnerabilities (CVE-2022-26522 and CVE-2022-26523) in Avast's driver, which had been lurking since 2016 and could be exploited to escalate privileges, thus allowing attackers to shut down security products. Although these issues were reported to Avast in December 2021, the company addressed them discreetly through security updates.

Protective Measures for Users

So, how can users protect themselves against these lurking threats? Because the abused driver is a legitimately signed vendor component, its mere presence does not fail a signature check; defenders should therefore use security rules that identify and block the specific components involved by their signatures or file hashes, so the vulnerable driver is stopped before it is ever loaded. This proactive approach is critical in thwarting attacks that hinge on vulnerable drivers.
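The following script is an added example for the two points above (the driver dropped into a user folder under the name "ntfs.bin", and blocking known-bad drivers by hash); it is not code from the article, from Trellix, or from Avast. It enumerates the kernel drivers registered on a Windows host, flags any whose image lives outside the normal drivers directories or carries an unusual extension, and compares each image's SHA-256 against a defender-maintained blocklist. The article publishes no hashes, so the blocklist entry is an obvious placeholder to be replaced from your own threat-intelligence feed; the script assumes it is run from an elevated PowerShell session and uses only built-in cmdlets (Get-CimInstance, Get-FileHash, Get-AuthenticodeSignature).

```powershell
# Added example (not from the article, Trellix or Avast): hunt for kernel drivers
# that match the BYOVD pattern described above, i.e. a driver image sitting
# outside the normal drivers directories (such as a user profile folder), and
# compare each image's SHA-256 against a defender-maintained hash blocklist.
# Run from an elevated PowerShell session.

# PLACEHOLDER: the article gives no hashes; populate from your own intel feed.
$KnownBadDriverHashes = @(
    'PLACEHOLDER_SHA256_OF_VULNERABLE_AVAST_DRIVER'
)

# Directories from which legitimate kernel drivers are normally loaded.
$TrustedDriverDirs = @(
    "$env:SystemRoot\System32\drivers",
    "$env:SystemRoot\System32\DriverStore"
)

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports image paths in several forms, e.g.
    #   \SystemRoot\System32\drivers\foo.sys
    #   system32\DRIVERS\foo.sys
    #   \??\C:\Users\bob\ntfs.bin
    # Normalise them to a plain Win32 path so they can be hashed and tested.
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-SuspiciousKernelDrivers {
    $findings = @()
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverPath $drv.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

        $reasons = @()

        # 1. Image location: a kernel driver loaded from a user-writable folder
        #    (the article describes 'ntfs.bin' dropped in the user folder) is a
        #    strong BYOVD indicator.
        $inTrustedDir = $false
        foreach ($dir in $TrustedDriverDirs) {
            if ($path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedDir = $true }
        }
        if (-not $inTrustedDir) { $reasons += "image outside drivers directories: $path" }

        # 2. File identity: BYOVD drivers carry a valid vendor signature, so
        #    signature validity alone does not clear them; the specific file
        #    hash is what the blocklist matches on.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($KnownBadDriverHashes -contains $hash) { $reasons += "SHA-256 on blocklist: $hash" }

        # 3. Extension mismatch: kernel drivers are normally .sys images.
        $ext = [IO.Path]::GetExtension($path)
        if ($ext -ne '.sys') { $reasons += "unusual driver extension: $ext" }

        # 4. Signature state, recorded for triage context only.
        $sig = Get-AuthenticodeSignature -LiteralPath $path

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Name      = $drv.Name
                State     = $drv.State
                Path      = $path
                SHA256    = $hash
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Reasons   = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

Get-SuspiciousKernelDrivers | Format-Table -AutoSize -Wrap
```

On a clean host the table is empty. A driver registered from a path such as a user profile folder, or one whose hash matches the blocklist, appears with the reason it was flagged; the signer subject is included so that a validly signed vendor driver loaded from the wrong place stands out rather than being waved through on its signature alone.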

Conclusion

Stay informed and vigilant—your security could depend on it! Will you be the next victim, or will you take action now?