Cybersecurity researchers at Trellix have discovered that hackers have found a new way to disable antivirus programs on target systems through the use of a legitimate but old Avast driver. Attackers are exploiting a vulnerability that allows the driver to terminate processes at the kernel level.
Image Source: Ed Hardie / Unsplash
According to the information, the attack uses the “bring your own vulnerable driver” (BYOVD) method. Attackers use an old version of the Avast anti-rootkit driver to stop various security products from working. The malware, known as AV Killer, installs a driver called ntfs.bin in the user’s default Windows folder.
Chain of attacks. Image source: Trellix
After installing the driver, the malware creates the aswArPot.sys service using the Service Control utility (sc.exe). After this, the active processes of the system are checked against a pre-prepared list of 142 processes associated with antivirus applications. “When the virus finds a match, it independently creates an identifier to interact with the installed Avast driver,” explains researcher Trishaan Kalra from Trellix.
List of processes. Image source: Trellix
Next, using the DeviceIoControl API, the malware sends IOCTL commands necessary to terminate the target processes. Among the targets of the attack are antiviruses from leading companies such as McAfee, Symantec, Sophos and others. At the same time, the disabling method allows hackers to carry out malicious actions without notifying the user or blocking them from security systems.
List of processes. Image source: Trellix
It is worth noting that the method itself is relatively archaic. Similar cases were recorded at the beginning of 2022 when analyzing attacks using the AvosLocker ransomware.
In response to the discovered vulnerabilities, Avast released security updates for its driver, and Microsoft, to protect against such attacks, offers to use a policy for blocking vulnerable drivers, which is actively updated with each major release of Windows.