25 November 2024

Hackers exploit Avast anti-rootkit driver to evade detection and disable security

Cybercriminals have launched a sophisticated campaign that uses the "bring-your-own-vulnerable-driver" (BYOVD) tactic: a vulnerable Avast Anti-Rootkit driver is abused to disable security defenses on targeted systems, according to researchers from cybersecurity firm Trellix.

The malware, identified as a variant of an AV Killer, uses a vulnerable driver to gain kernel-level access to the operating system. Kernel access allows it to tamper with critical system components and disable security software. The campaign employs a malicious executable named kill-floor.exe, which drops the outdated Avast driver (disguised as ntfs.bin) into the default Windows user folder.

Once the driver is deployed, the malware registers it as a service named aswArPot.sys using the Service Control (sc.exe) utility. This step gives the malware full control over the target system, enabling it to terminate 142 security-related processes from a hardcoded list. The targeted processes belong to numerous well-known security solutions, including McAfee, Symantec (Broadcom), Sophos, Avast, Trend Micro, Microsoft Defender, SentinelOne, ESET and BlackBerry.

The malware first takes a snapshot of the active processes on the system and compares each process name against its predefined list of targets. When a match is found, it uses the vulnerable Avast driver to issue IOCTL commands via the DeviceIoControl API, effectively terminating the matched processes.
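As an added defender-side example (not from the Trellix report or this article), the following Python snippet flags the driver-registration step described above in process-creation telemetry: an sc.exe kernel-service creation whose binary sits in a user-writable folder, carries a non-.sys extension, reuses the aswArPot.sys name, or is spawned by a non-system parent. The event fields and command lines are constructed sample data, not real logs.

```python
import re

# Constructed sample process-creation events (not real telemetry); the field
# layout mimics a Windows Security 4688 / Sysmon Event ID 1 export.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\kill-floor.exe",
     "cmdline": r'"C:\Users\alice\kill-floor.exe"'},
    {"parent": r"C:\Users\alice\kill-floor.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe create aswArPot.sys type= kernel binPath= C:\Users\alice\ntfs.bin"},
    {"parent": r"C:\Users\alice\kill-floor.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe start aswArPot.sys"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe create mydrv type= kernel binPath= C:\Windows\System32\drivers\mydrv.sys"},
]

# "sc create <name> ... type= kernel ... binPath= <path>" registers a kernel driver service.
KERNEL_SVC_RE = re.compile(
    r"\bsc(?:\.exe)?\s+create\s+(?P<name>\S+).*?type=\s*kernel.*?binPath=\s*(?P<path>\S+)", re.I)
# Locations a standard user can write to; a legitimate driver install does not load from here.
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(?:Users|ProgramData|Windows\\Temp)\\", re.I)
# Service name the report says the malware uses; extend from a vendor blocklist in practice.
KNOWN_ABUSED_NAMES = {"aswarpot.sys"}


def assess(event):
    """Return the reasons an event looks like a BYOVD driver install ([] if none)."""
    m = KERNEL_SVC_RE.search(event["cmdline"])
    if not m:
        return []
    name, path = m.group("name"), m.group("path").strip('"')
    reasons = []
    if USER_WRITABLE_RE.match(path):
        reasons.append(f"kernel driver loaded from user-writable path: {path}")
    if not path.lower().endswith(".sys"):
        reasons.append(f"driver binary uses a disguised extension: {path}")
    if name.lower() in KNOWN_ABUSED_NAMES:
        reasons.append(f"service name matches a known-abused driver: {name}")
    if not event["parent"].lower().startswith("c:\\windows\\"):
        reasons.append(f"sc.exe spawned by a non-system parent: {event['parent']}")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that trips at least one check."""
    return [(i, r) for i, e in enumerate(events) if (r := assess(e))]


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}:", "; ".join(reasons))
```

The last sample event shows a driver install from the system drivers folder by a system parent, which trips none of the checks; in production the name set should be fed from the vendor's vulnerable-driver blocklist and paired with hash-based checks on the dropped file.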
