A malware campaign has been uncovered in which the malware, rather than shipping a malicious driver of its own, drops the legitimate Avast Anti-Rootkit driver (aswArPot.sys) and abuses it to evade detection.
The malware uses the driver's kernel-level access to terminate security processes, disable protective software, and take control of the compromised system.
The Operational Mechanism of the Malware
The infection chain of the malware (kill-floor.exe) begins with the legitimate Avast Anti-Rootkit driver (aswArPot.sys), which the malware writes to disk under the filename "ntfs.bin" in the "C:\Users\Default\AppData\Local\Microsoft\Windows" directory.
“Instead of employing a specially crafted driver for its malicious operations, the malware utilizes a trusted kernel driver, which gives it a facade of legitimacy and allows it to dodge raising alerts while prepping to compromise the system,” stated Trellix security researchers.
After dropping the driver, the malware uses Service Control (sc.exe) to create a service named "aswArPot.sys" that registers the driver for the operations that follow.
Once the driver is installed and running, the malware has kernel-level access to the system, which lets it take control and disable critical security functions.
At that point the aswArPot.sys driver effectively gives the malware unrestricted reach into the most privileged parts of the operating system.
The malware first stores the process names of popular antivirus and EDR products in several variables it defines.
The malware contains a hardcoded list of 142 security process names, which include:
After retrieving details for every running process on the system, the malware compares each process name against that hardcoded list.
On a match, the malware opens a handle to the installed Avast driver and calls the DeviceIoControl API on it, passing the target's process ID together with the IOCTL code 0x9988c094.
Because kernel-mode code runs with higher privilege than any user-mode process, the Avast driver can terminate the target from the kernel, sidestepping the user-mode tamper protection that many antivirus and EDR products rely on.
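The registration chain described above leaves telemetry that can be hunted: a kernel-driver service created with sc.exe whose image is a renamed file under a user profile, a service install event for that image, a service name borrowing the Avast driver's name, and a file written into the Default profile. The script below is an added example, not code from this article or from Trellix. It runs those indicators over a handful of constructed key=value event lines (loosely modelled on Sysmon process-create and file-create events and the System log's service-install event); the field names, the sample lines, and the "legitimate" Avast service name and install path used as a baseline are all assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Vendor driver names whose service name an attacker may borrow (the article's
# case is Avast's aswArPot). ASSUMPTION for this example: a genuine install
# places the driver under System32\drivers; anything else is worth a look.
KNOWN_VENDOR_DRIVERS = {"aswarpot"}
EXPECTED_DRIVER_DIR = r"c:\windows\system32\drivers"

# Constructed sample telemetry (not real logs). Simplified key=value lines:
# eid=1 process create, eid=11 file create, eid=7045 service installed.
SAMPLE_EVENTS = [
    'eid=11 image=C:\\Temp\\kill-floor.exe '
    'target=C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\ntfs.bin',
    'eid=1 image=C:\\Windows\\System32\\sc.exe '
    'cmdline="sc.exe create aswArPot.sys '
    'binPath= C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\ntfs.bin type= kernel"',
    'eid=7045 service=aswArPot.sys '
    'imagepath=C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\ntfs.bin '
    'servicetype="kernel mode driver"',
    # Baseline (assumed): what a genuine Avast registration would look like.
    'eid=7045 service=aswArPot imagepath=C:\\Windows\\System32\\drivers\\aswArPot.sys '
    'servicetype="kernel mode driver"',
    'eid=1 image=C:\\Windows\\System32\\sc.exe cmdline="sc.exe query wuauserv"',
]

_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
_SC_CREATE = re.compile(r'\bcreate\s+(\S+).*?\bbinpath=\s*("[^"]+"|\S+)', re.I)
_SC_KERNEL = re.compile(r'\btype=\s*kernel\b', re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line into a dict; quoted values keep their spaces."""
    out = {}
    for m in _KV.finditer(line):
        out[m.group(1).lower()] = m.group(3) if m.group(3) is not None else m.group(4)
    return out


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    p = path.replace("/", "\\")
    return p.rsplit("\\", 1)[0] if "\\" in p else ""


def assess_driver_service(service: str, image_path: str) -> List[str]:
    """Return the reasons a kernel-driver registration looks like BYOVD staging."""
    reasons = []
    lp = image_path.strip('"').lower()
    base = _basename(lp)
    if not base.endswith(".sys"):
        reasons.append(f"driver image has a non-.sys extension: {base}")
    if lp.startswith("c:\\users\\") or "\\appdata\\" in lp:
        reasons.append(f"driver image lives under a user profile: {image_path}")
    name = service.lower()
    if name.endswith(".sys"):
        name = name[:-4]
    if name in KNOWN_VENDOR_DRIVERS and _dirname(lp) != EXPECTED_DRIVER_DIR:
        reasons.append(f"service name {service!r} mimics a vendor driver but image is {image_path}")
    return reasons


def hunt(lines: List[str]) -> List[Tuple[str, str]]:
    """Run the indicators over event lines; returns (rule, detail) pairs."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("eid")
        if eid == "1" and _basename(ev.get("image", "")).lower() == "sc.exe":
            cmd = ev.get("cmdline", "")
            m = _SC_CREATE.search(cmd)
            if m and _SC_KERNEL.search(cmd):
                for r in assess_driver_service(m.group(1), m.group(2)):
                    findings.append(("sc_create_kernel_driver", r))
        elif eid == "7045" and "kernel" in ev.get("servicetype", "").lower():
            for r in assess_driver_service(ev.get("service", ""), ev.get("imagepath", "")):
                findings.append(("driver_service_installed", r))
        elif eid == "11" and ev.get("target", "").lower().startswith("c:\\users\\default\\appdata\\"):
            # Writes into the Default profile are rare on a running host and
            # this is the drop location the article reports.
            findings.append(("file_staged_in_default_profile", ev["target"]))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The baseline Avast line trips none of the rules, while the staged ntfs.bin registration trips all three on both the sc.exe command line and the resulting service-install event. In a real deployment the parser would be replaced by whatever your SIEM emits, and the extension and profile-path heuristics would need tuning against your own driver inventory.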
Recommendations
Defending against BYOVD (Bring Your Own Vulnerable Driver) attacks is a critical step in protecting systems from abuse of vulnerable drivers like the Avast Anti-Rootkit driver.
BYOVD attacks obtain kernel-level access by loading legitimate but vulnerable signed drivers, which lets malware bypass security tools and terminate essential processes.
Blocking known-vulnerable drivers from loading prevents malware from establishing persistence, escalating privileges, or disabling security features.
Applied through a driver blocklist (for example, the vulnerable driver blocklist enforced by Windows Defender Application Control) or through the EDR or antivirus product itself, this control adds an essential defense layer against driver-based attacks: a legitimately signed driver with a known vulnerability is refused at load time instead of being trusted because of its signature.
The post Hackers Abuse Avast Anti-Rootkit driver To Evade Detection appeared first on Cyber Security News.