Malware uses an old Avast driver to disable antivirus programs on infected systems

marry 26.11.2024, 12:00 PM

Cybersecurity researchers at Trellix have discovered a new attack that uses the technique known as Bring Your Own Vulnerable Driver (BYOVD) to disable antivirus protection and take control of the system. The malware loads a legitimate but outdated Avast Anti-Rootkit driver (aswArPot.sys) and abuses it to do its destructive work.

The malware is a variant of an AV killer: it carries a hardcoded list of 142 process names associated with security tools from different vendors and compares it against the processes running on the system. Because the driver runs at the kernel level, it gives the malware access to critical parts of the operating system and lets it terminate processes, including those belonging to security software that would otherwise alert on or block the infection.

The attack begins with the malware component, a file named kill-floor.exe, dropping the vulnerable Avast Anti-Rootkit driver (renamed ntfs.bin) into the default Windows user folder. The malware then creates a service named aswArPot.sys with the Service Control utility (sc.exe) and registers the driver through it.
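The service-creation step above leaves a trace that defenders can check for: Windows records every new service in the System log as Service Control Manager Event ID 7045, including the service type and the image path. The script below is an added example (not code from Trellix or from the article) that triages such records the way an analyst would, flagging a kernel-mode driver service whose image sits outside System32\drivers, under a user profile, or without a .sys extension. The sample records are constructed for this example; the field names follow the 7045 message body, the system root is assumed to be C:\Windows, and the drop path under C:\Users\Default is an assumption modeled on the article's description, not a path the article gives.

```python
# Triage of Windows "service installed" records (System log, Event ID 7045)
# for the BYOVD pattern described in the article: a kernel-mode driver
# service whose binary was dropped outside the normal driver directory.

SYSTEM_ROOT = "C:\\Windows"  # assumed; read it from the host in real use
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers"  # compared lower-cased

# Constructed sample records. Field names mirror the Event ID 7045 message
# body; values are made up. The second record mimics the article's case:
# service name aswArPot.sys, image a renamed driver (ntfs.bin) under a user
# profile. The exact path is an assumption for this example.
SAMPLE_EVENTS = [
    {
        "Service Name": "WdFilter",
        "Service File Name": r"\SystemRoot\System32\drivers\WdFilter.sys",
        "Service Type": "kernel mode driver",
        "Service Start Type": "boot start",
        "Service Account": "",
    },
    {
        "Service Name": "aswArPot.sys",
        "Service File Name": r"C:\Users\Default\AppData\Local\ntfs.bin",
        "Service Type": "kernel mode driver",
        "Service Start Type": "demand start",
        "Service Account": "",
    },
    {
        "Service Name": "Spooler",
        "Service File Name": r"C:\Windows\System32\spoolsv.exe",
        "Service Type": "user mode service",
        "Service Start Type": "auto start",
        "Service Account": "LocalSystem",
    },
]


def normalize_image_path(raw: str) -> str:
    """Map the spellings the Service Control Manager accepts for a driver
    image onto one lower-cased absolute form so prefix checks are reliable:
    \\??\\ is dropped, \\SystemRoot\\ and %SystemRoot%\\ expand to the
    assumed system root, and a bare system32\\... path is resolved against it."""
    p = raw.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    low = p.lower()
    if low.startswith("\\systemroot\\"):
        p = SYSTEM_ROOT + p[len("\\systemroot"):]
    elif low.startswith("%systemroot%\\"):
        p = SYSTEM_ROOT + p[len("%systemroot%"):]
    elif low.startswith("system32\\"):
        # SCM resolves a relative driver path against the system root
        p = SYSTEM_ROOT + "\\" + p
    return p.lower()


def triage_service_install(event: dict) -> list:
    """Return the list of reasons a 7045 record looks like a dropped driver.
    User-mode services are out of scope here and return an empty list."""
    reasons = []
    if event.get("Service Type", "").lower() != "kernel mode driver":
        return reasons
    image = normalize_image_path(event.get("Service File Name", ""))
    if not image.startswith(TRUSTED_DRIVER_DIR + "\\"):
        reasons.append(f"kernel driver image outside {TRUSTED_DRIVER_DIR}: {image}")
    if image.startswith("c:\\users\\"):
        reasons.append("driver image lives under a user profile directory")
    if not image.endswith(".sys"):
        reasons.append("driver image lacks the .sys extension (renamed driver?)")
    return reasons


def scan(events: list) -> dict:
    """Map service name -> reasons for every record that raised at least one."""
    findings = {}
    for ev in events:
        reasons = triage_service_install(ev)
        if reasons:
            findings[ev.get("Service Name", "?")] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS).items():
        print(f"[!] suspicious driver service {name!r}")
        for r in reasons:
            print(f"    - {r}")
```

Treat the output as triage, not a verdict: legitimate third-party drivers are sometimes installed from their own program directory, so an environment-specific allowlist is needed. The stronger complementary check is the file itself: hash the image referenced by the event and compare it against a list of known vulnerable drivers, and watch Sysmon Event ID 6 (driver loaded) for the same binary actually entering the kernel.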

“Because kernel-mode drivers can override user-mode processes, the Avast driver is able to terminate processes at the kernel level, effortlessly bypassing the tamper protection mechanisms of most antivirus and EDR solutions,” the researchers said.

Among the security solutions whose processes the malware terminates are products from McAfee, Symantec, Sophos, Avast, Trend Micro, Microsoft Defender, SentinelOne, ESET and BlackBerry.

The initial access vector used for the infection is not yet known, nor is it clear how widespread these attacks are or who the targets are.

BYOVD attacks have become increasingly common, and in recent years the technique has been used in particular by ransomware groups.

Source: www.informacija.rs