Cybercriminals have launched a sophisticated campaign that uses the bring-your-own-vulnerable-driver (BYOVD) technique, loading a legitimately signed but vulnerable Avast Anti-Rootkit driver to disable security defenses on targeted systems, according to researchers at cybersecurity firm Trellix.
The malware, identified as a variant of an AV Killer, relies on the vulnerable driver to carry out kernel-level actions it could not perform from user mode, such as tampering with critical system components and shutting down security software. The campaign employs a malicious executable named kill-floor.exe, which drops the outdated Avast driver, disguised as ntfs.bin, into the default Windows user folder.
Once the driver is in place, the malware uses the Service Control utility (sc.exe) to create a kernel-driver service named aswArPot.sys that points at the dropped file, and starts it. Because the driver carries a valid vendor signature, Windows loads it, and the malware now has a kernel-mode component it can drive from user mode. It uses that foothold to terminate 142 security-related processes from a hardcoded list, covering products from McAfee, Symantec (Broadcom), Sophos, Avast, Trend Micro, Microsoft Defender, SentinelOne, ESET and BlackBerry.
The malware first takes a snapshot of the processes running on the system and compares each process name against its hardcoded target list. On a match, it sends a control request to the driver's device via the DeviceIoControl API, passing the target's process ID; the driver then terminates the process from kernel mode, which sidesteps the self-protection that would normally stop a user-mode process from killing a security product. The practical lesson for defenders is that the driver is a legitimate signed binary, so signature checks alone will not catch it: Microsoft's vulnerable driver blocklist and driver-load telemetry (kernel drivers registered through sc.exe or loaded from user-writable paths) are the controls that matter.
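As an added example (not Trellix's code and not from the campaign itself), the following Python sketches detection logic for the chain just described, run over a handful of constructed Sysmon-style events: a file dropped into the Default user profile, an `sc create ... type= kernel` whose binPath points outside System32\drivers, a driver load from a user-writable path with a non-.sys extension, and a burst of security-process terminations. The exact Default-profile path, timestamps, hash values and command lines are constructed; the process names are an assumed subset of the vendors named above, not the malware's 142-entry list.

```python
"""Detect the BYOVD AV-killer chain in Sysmon-style events (added example)."""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Sysmon event IDs used below (real Sysmon schema).
PROCESS_CREATE, PROCESS_TERMINATE, DRIVER_LOAD, FILE_CREATE = 1, 5, 6, 11

# Service binaries of vendors named in the article (assumed subset).
SECURITY_PROCESSES = {
    "msmpeng.exe",        # Microsoft Defender
    "sentinelagent.exe",  # SentinelOne
    "ekrn.exe",           # ESET
    "savservice.exe",     # Sophos
    "mcshield.exe",       # McAfee
    "ccsvchst.exe",       # Symantec
    "ntrtscan.exe",       # Trend Micro
    "avastsvc.exe",       # Avast
}
# Kernel drivers have no business being loaded from these locations.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
DRIVER_DIR = "\\windows\\system32\\drivers\\"
# Constructed placeholder; populate from Microsoft's vulnerable driver blocklist
# or loldrivers.io in a real deployment.
KNOWN_VULNERABLE_SHA256 = {"deadbeef" * 8}

# sc.exe syntax: sc create <svc> binPath= "<path>" type= kernel  (space after '=')
SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(?P<svc>\S+)(?P<rest>.*)", re.I)
BINPATH = re.compile(r'binpath=\s*(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)
TYPE_KERNEL = re.compile(r"type=\s*kernel\b", re.I)


def check_sc_create(cmdline):
    """Finding if cmdline registers a kernel driver living outside System32\\drivers."""
    m = SC_CREATE.search(cmdline)
    if not m:
        return None
    bp = BINPATH.search(m.group("rest"))
    if not bp or not TYPE_KERNEL.search(m.group("rest")):
        return None
    path = bp.group("q") or bp.group("u")
    low = path.lower()
    if DRIVER_DIR in low and low.endswith(".sys"):
        return None
    return f"kernel service {m.group('svc')!r} created with binPath outside drivers dir: {path}"


def check_file_create(event):
    """Heuristic: ordinary software never writes into the Default user profile."""
    target = event.get("TargetFilename", "")
    if "\\users\\default\\" in target.lower():
        return f"file written into Default profile by {event.get('Image')}: {target}"
    return None


def parse_hashes(field):
    """Sysmon 'Hashes' field looks like 'SHA256=...,MD5=...'."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            alg, val = part.split("=", 1)
            out[alg.strip().upper()] = val.strip()
    return out


def check_driver_load(event):
    """Path, extension and known-vulnerable-hash checks on a DriverLoad event."""
    path = event.get("ImageLoaded", "")
    low = path.lower()
    findings = []
    if any(mk in low for mk in USER_WRITABLE_MARKERS):
        findings.append(f"driver loaded from user-writable path: {path}")
    if not low.endswith(".sys"):
        findings.append(f"driver image has non-.sys extension: {path}")
    sha = parse_hashes(event.get("Hashes", "")).get("SHA256", "")
    if sha.lower() in KNOWN_VULNERABLE_SHA256:
        findings.append(f"driver hash on vulnerable-driver list: {path}")
    return findings


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")  # Sysmon UtcTime format


def termination_burst(events, window=timedelta(seconds=10), threshold=3):
    """Names of security processes killed within `window`, if at least `threshold`."""
    kills = sorted(
        (parse_time(e["UtcTime"]), PureWindowsPath(e["Image"]).name)
        for e in events
        if e.get("EventID") == PROCESS_TERMINATE
        and PureWindowsPath(e.get("Image", "")).name.lower() in SECURITY_PROCESSES
    )
    for i, (t0, _) in enumerate(kills):
        run = [name for t, name in kills[i:] if t - t0 <= window]
        if len(run) >= threshold:
            return run
    return []


def analyze(events):
    """Run every check over an event list and return the findings."""
    findings = []
    for e in events:
        if e.get("EventID") == PROCESS_CREATE:
            f = check_sc_create(e.get("CommandLine", ""))
            if f:
                findings.append(f)
        elif e.get("EventID") == FILE_CREATE:
            f = check_file_create(e)
            if f:
                findings.append(f)
        elif e.get("EventID") == DRIVER_LOAD:
            findings.extend(check_driver_load(e))
    burst = termination_burst(events)
    if burst:
        findings.append(f"{len(burst)} security processes terminated in a burst: {', '.join(burst)}")
    return findings


# Constructed sample events (paths, times and hash are made up for illustration).
DROPPED = r"C:\Users\Default\AppData\Local\Microsoft\Windows\ntfs.bin"
KILLER = r"C:\Users\victim\Downloads\kill-floor.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2024-11-20 10:00:00.000", "Image": KILLER, "TargetFilename": DROPPED},
    {"EventID": 1, "UtcTime": "2024-11-20 10:00:01.000", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": f'sc.exe create aswArPot.sys binPath= "{DROPPED}" type= kernel'},
    {"EventID": 1, "UtcTime": "2024-11-20 10:00:01.500", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create MyDrv binPath= "C:\Windows\System32\drivers\mydrv.sys" type= kernel'},
    {"EventID": 6, "UtcTime": "2024-11-20 10:00:02.000", "ImageLoaded": DROPPED,
     "Hashes": "SHA256=" + "DEADBEEF" * 8, "Signed": "true"},
    {"EventID": 5, "UtcTime": "2024-11-20 10:00:03.000", "Image": r"C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2024-11-20 10:00:03.200", "Image": r"C:\Program Files\SentinelOne\SentinelAgent.exe"},
    {"EventID": 5, "UtcTime": "2024-11-20 10:00:03.400", "Image": r"C:\Program Files\ESET\ekrn.exe"},
    {"EventID": 5, "UtcTime": "2024-11-20 10:00:03.600", "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 5, "UtcTime": "2024-11-20 10:00:30.000", "Image": r"C:\Program Files\Symantec\ccSvcHst.exe"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The second `sc create` in the sample (a .sys under System32\drivers) is deliberately benign and produces no finding, which is the distinction that keeps this rule from firing on legitimate driver installs; the termination burst uses a short window because the malware walks its list in one pass, so the kills land within seconds of each other.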