Security researchers at Trellix have discovered a sophisticated malware campaign leveraging an outdated Avast anti-rootkit driver to conduct widespread Bring Your Own Vulnerable Driver (BYOVD) attacks. The primary objective of these attacks is to systematically disable security mechanisms on targeted systems, potentially exposing organizations to subsequent cyber threats.
Technical Analysis of the Malware Operation
The identified malware represents a modified version of the AV Killer tool, engineered with an embedded database of 142 security-related processes. By exploiting the vulnerable Avast driver operating at the kernel level, the malware gains privileged access to critical system components, enabling it to terminate security processes with elevated permissions.
Attack Sequence and Execution Method
The attack vector initiates with the deployment of a kill-floor.exe component, which transfers the compromised driver (ntfs.bin) to the Windows system directory. The malware then proceeds to register the aswArPot.sys service through Service Control Manager and activates the driver. Following installation, it performs a systematic scan for security processes listed in its database, utilizing DeviceIoControl API to issue IOCTL commands for forced process termination.
Impact on Major Security Solutions
The attack campaign poses a significant threat to leading security vendors’ products, including McAfee, Symantec, Sophos, Avast, Trend Micro, Microsoft Defender, SentinelOne, ESET, and BlackBerry. Successful deactivation of these security solutions creates a vulnerable environment where attackers can execute additional malicious activities without detection.
Historical Context and Vulnerability Timeline
This particular Avast driver has been previously exploited in various attack campaigns. Notable instances include its use by the AvosLocker ransomware in 2022 and the Cuba ransomware group in 2021. Security researchers at SentinelLabs identified two critical vulnerabilities (CVE-2022-26522 and CVE-2022-26523) that had existed since 2016, enabling privilege escalation and security isolation bypass. Avast addressed these vulnerabilities in December 2021 following responsible disclosure protocols.
This incident highlights the critical importance of maintaining robust software update practices and implementing comprehensive driver management policies. Organizations should conduct regular driver audits, implement strict version control measures, and maintain an up-to-date security patch management system to mitigate risks associated with legacy drivers. The persistence of such vulnerabilities in trusted software components emphasizes the need for continuous security monitoring and prompt response to emerging threats in the cybersecurity landscape.
