### #BYOVD #MaliciousDrivers #TrellixResearch
Summary: The Trellix Advanced Research Center has identified a malicious campaign that exploits trusted security tools, specifically the Avast Anti-Rootkit driver, to compromise systems and disable security measures. This attack method, known as Bring Your Own Vulnerable Driver (BYOVD), poses significant challenges for current cybersecurity defenses.
Threat Actor: Unknown | Unknown
Victim: Unknown | Unknown (abused component: the Avast Anti-Rootkit driver, aswArPot.sys; Avast itself is not the victim)
Key Points:
- The malware, named kill-floor.exe, drops the legitimate, signed Avast Anti-Rootkit driver under the name ntfs.bin to avoid attracting attention.
- Once the driver is registered as a service and loaded, the malware uses the driver's kernel-level privileges to terminate security processes, effectively disabling antivirus and EDR solutions.
- The attack shows that a trusted, validly signed driver can be turned against the host it runs on, so defenses need BYOVD-specific protection mechanisms rather than signature validity alone.
- Trellix recommends integrating expert rules to detect and block known vulnerable drivers based on unique signatures or file hashes.

The Trellix Advanced Research Center has uncovered a malicious campaign that turns trusted security tools against their users. This campaign, detailed in their report, reveals how attackers exploited the Avast Anti-Rootkit driver, aswArPot.sys, to bypass defenses, terminate security processes, and seize control of systems.
“Instead of bypassing defenses, this malware takes a more sinister route,” the report explains. The attackers dropped the legitimate Avast Anti-Rootkit driver onto the system and leveraged its kernel-level privileges to carry out their malicious activities. Because the file was written as ntfs.bin in the system directory rather than under its real name, it raised no immediate alarms.
Once the file was in place, the malware registered it as a kernel-mode service with the command-line utility sc.exe and started it. With the driver loaded, the malware could act with kernel privileges through the driver's own interface, which let it disable antivirus and endpoint detection and response (EDR) solutions from user mode.
The infection chain begins with the malware, named kill-floor.exe, dropping the Avast driver and registering it as a service. From there, the malware:
- Monitors Processes: It enters a loop that repeatedly snapshots the running processes and compares their names against a hardcoded list of 142 well-known security processes.
- Weaponizes the Driver: For each match, the malware calls the DeviceIoControl API with IOCTL code 0x9988c094, instructing the Avast driver to terminate the targeted process. “Kernel-mode drivers can override user-mode processes,” the report states; a user-mode security product has no way to resist termination carried out from the kernel.
What makes this attack particularly insidious is its reliance on a legitimate security driver to do its dirty work. Kernel-mode drivers, designed to protect systems at the deepest levels, are now tools for destruction. “The Avast driver utilizes Windows kernel functions like KeAttachProcess and ZwTerminateProcess to terminate security processes on behalf of the malware,” the report notes.
This method of attack, known as Bring Your Own Vulnerable Driver (BYOVD), highlights a significant weakness in current defense mechanisms: the inability to differentiate between legitimate and malicious use of trusted drivers.
Trellix emphasizes the importance of BYOVD-specific protection mechanisms to counter such threats. By deploying expert rules that detect and block vulnerable drivers based on unique signatures or file hashes, organizations can prevent their exploitation. A hash-based rule has the practical advantage of catching the renamed copy (ntfs.bin has the same content, and therefore the same hash, as the original aswArPot.sys), whereas a rule keyed on the file name or path is defeated by the rename; the trade-off is that each vulnerable driver version needs its own hash entry. Integrating these protections into endpoint detection and response solutions adds a crucial layer of defense.
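As an added example (not code from the Trellix report or from this article), the script below turns the infection chain described above and the hash-based blocking recommended here into detection logic run over constructed Sysmon-style event lines. It flags sc.exe registering a kernel-mode service whose binary is not a .sys file under the drivers directory, a driver load whose SHA256 is on a vulnerable-driver blocklist or whose path is unusual, and a burst of security-process terminations shortly after such a load. The hostnames, event lines, the short process-name list and the blocklist hash are placeholders constructed for illustration, not real indicators; the hash entry in particular is not the real hash of aswArPot.sys.

```python
"""Added example (not the report's or the article's code): correlate
Sysmon-style EID 1 (process create), EID 6 (driver load) and EID 5
(process terminate) events to flag the BYOVD chain described above.
All events, hosts and hashes below are constructed placeholders."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder entry: NOT the real hash of aswArPot.sys.
VULNERABLE_DRIVER_HASHES = {
    "a" * 64: "Avast Anti-Rootkit driver aswArPot.sys (placeholder hash)",
}
# A few of the process names a kill list like kill-floor.exe's would carry.
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "csfalconservice.exe", "sentinelagent.exe"}
DRIVER_DIR = r"c:\windows\system32\drivers"
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one 'Key="value" ...' event line into a dict; EventID becomes an int."""
    ev = dict(FIELD_RE.findall(line))
    ev["EventID"] = int(ev["EventID"])
    return ev


def suspicious_kernel_service(cmdline):
    """Rule 1: sc.exe registering a kernel-mode service whose binary is not a .sys
    file under the drivers directory (e.g. the renamed ntfs.bin).
    Returns the offending path (lower-cased), or None."""
    cl = cmdline.lower()
    if "sc.exe" not in cl or " create " not in cl or "type= kernel" not in cl:
        return None
    m = re.search(r"binpath=\s*(.+?)(?:\s+\w+=|$)", cl)
    if not m:
        return None
    path = m.group(1).strip().strip('"')
    if path.startswith(DRIVER_DIR) and path.endswith(".sys"):
        return None
    return path


def driver_load_reasons(ev):
    """Rule 2: a loaded driver whose hash is on the blocklist (the hash does not
    change when the file is renamed) or that was loaded from an unusual path."""
    path = ev["ImageLoaded"].lower()
    hashes = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
    sha256 = hashes.get("SHA256", "").lower()
    reasons = []
    if sha256 in VULNERABLE_DRIVER_HASHES:
        reasons.append("hash on vulnerable-driver blocklist: " + VULNERABLE_DRIVER_HASHES[sha256])
    if not (path.startswith(DRIVER_DIR) and path.endswith(".sys")):
        reasons.append("signed driver loaded from outside the drivers directory or without a .sys name")
    return reasons


def analyze(lines, window_seconds=60):
    """Run the rules per host and return finding strings. Rule 3 fires when two or
    more security processes die within the window after a flagged driver load."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_host[ev["Computer"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["UtcTime"])
        driver_loaded_at, kills = None, []
        for ev in evs:
            t = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
            if ev["EventID"] == 1:
                path = suspicious_kernel_service(ev.get("CommandLine", ""))
                if path:
                    findings.append(f"{host}: kernel service registered with non-standard binary {path}")
            elif ev["EventID"] == 6:
                reasons = driver_load_reasons(ev)
                if reasons:
                    driver_loaded_at = t
                for r in reasons:
                    findings.append(f"{host}: driver load {ev['ImageLoaded']}: {r}")
            elif ev["EventID"] == 5 and driver_loaded_at is not None:
                name = ev["Image"].rsplit("\\", 1)[-1].lower()
                if name in SECURITY_PROCESSES and t - driver_loaded_at <= timedelta(seconds=window_seconds):
                    kills.append(name)
        if len(kills) >= 2:
            findings.append(f"{host}: {len(kills)} security processes terminated within "
                            f"{window_seconds}s of the driver load: {', '.join(kills)}")
    return findings


# Constructed sample: WS01 shows the chain, WS02 a benign kernel driver install.
SAMPLE_EVENTS = [
    r'EventID="1" UtcTime="2024-11-20 10:00:00.000" Computer="WS01" Image="C:\Windows\System32\sc.exe" CommandLine="sc.exe create ntfs type= kernel binPath= C:\Users\Public\ntfs.bin"',
    r'EventID="1" UtcTime="2024-11-20 10:00:01.000" Computer="WS01" Image="C:\Windows\System32\sc.exe" CommandLine="sc.exe start ntfs"',
    r'EventID="6" UtcTime="2024-11-20 10:00:02.000" Computer="WS01" ImageLoaded="C:\Users\Public\ntfs.bin" Hashes="SHA256=' + "a" * 64 + r'" Signature="Avast Software s.r.o." SignatureStatus="Valid"',
    r'EventID="5" UtcTime="2024-11-20 10:00:03.000" Computer="WS01" Image="C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"',
    r'EventID="5" UtcTime="2024-11-20 10:00:03.500" Computer="WS01" Image="C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"',
    r'EventID="5" UtcTime="2024-11-20 10:00:04.000" Computer="WS01" Image="C:\Program Files\CrowdStrike\CSFalconService.exe"',
    r'EventID="1" UtcTime="2024-11-20 11:00:00.000" Computer="WS02" Image="C:\Windows\System32\sc.exe" CommandLine="sc.exe create mydrv type= kernel binPath= C:\Windows\System32\drivers\mydrv.sys"',
    r'EventID="6" UtcTime="2024-11-20 11:00:01.000" Computer="WS02" ImageLoaded="C:\Windows\System32\drivers\mydrv.sys" Hashes="SHA256=' + "b" * 64 + r'" Signature="Example Vendor" SignatureStatus="Valid"',
    r'EventID="5" UtcTime="2024-11-20 11:00:02.000" Computer="WS02" Image="C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the script reports four findings for WS01 (the odd service binary, the blocklisted hash, the unusual load path, and three security processes killed within the window) and nothing for WS02, whose single Defender exit is not preceded by a flagged driver load. The hash rule is what survives the ntfs.bin rename; the path and service rules are cheap behavioral backstops for vulnerable drivers whose hashes are not yet on the list.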