Hackers abuse Avast anti-rootkit driver to disable defenses

November 23, 2024 at 04:12PM

A new malware campaign leverages an outdated Avast Anti-Rootkit driver to disable security components and evade detection. By targeting processes from various security vendors, the malware can operate undetected. Researchers recommend using signature-based rules and Microsoft’s vulnerable driver blocklist to mitigate such risks.

### Meeting Takeaways:

1. **Emerging Malware Threat**:
– A new malicious campaign is utilizing a vulnerable Avast Anti-Rootkit driver to circumvent security by disabling components on targeted systems.

2. **Malware Characteristics**:
– The malware variant, referred to as “AV Killer”, drops a driver identified as `ntfs.bin` and is launched via an executable named `kill-floor.exe`.
– This malware operates at the kernel level, granting it significant access and the ability to terminate security processes.

3. **Technical Mechanism**:
– The malware uses a “bring-your-own-vulnerable-driver” (BYOVD) technique: it carries a hardcoded list of 142 security processes from various vendors, including McAfee, Symantec, and Microsoft Defender, as termination targets.
– It registers the Avast driver as a service named `aswArPot.sys` and uses the `DeviceIoControl` API to send the driver commands that terminate any running security processes matching its list.

4. **Historical Context**:
– Similar techniques were observed in early 2022 during investigations into AvosLocker ransomware and previously noted by Stroz Friedberg in relation to Cuba ransomware in late 2021.
– Two significant vulnerabilities (CVE-2022-26522 and CVE-2022-26523) were identified in the Avast driver, allowing for privilege escalation and security product deactivation.

5. **Recommended Defenses**:
– Protection against such attacks can be enhanced by implementing rules to identify and block vulnerable components based on signatures or hashes.
– Microsoft has introduced a vulnerable driver blocklist policy in Windows 11, which is active by default, providing an additional layer of security.

6. **Research Insights**:
– Trellix researcher Trishaan Kalra notes that security controls must be monitored and kept current to guard against evolving threats that abuse legacy drivers.
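Detection logic for the indicators and behaviours described above (the `kill-floor.exe` loader, the `ntfs.bin` driver registered under the `aswArPot.sys` service name, and hash-based driver blocking), as an added example that is not from the article or from Trellix. The flat key=value event format, its field names and the blocklist hash are constructed placeholders, not real telemetry or real hashes.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry in a flat key=value form, loosely modelled on Sysmon
# ProcessCreate (EID 1), the System log "service installed" record (EID 7045) and
# Sysmon DriverLoad (EID 6). These lines are made up for this example.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe',
    'EventID=1 Image=C:\\Users\\Public\\kill-floor.exe ParentImage=C:\\Windows\\explorer.exe',
    'EventID=7045 ServiceName=aswArPot.sys ImagePath=C:\\Users\\Public\\ntfs.bin ServiceType="kernel mode driver"',
    'EventID=6 ImageLoaded=C:\\Users\\Public\\ntfs.bin Signed=true Sha256=PLACEHOLDER_VULNERABLE_ASWARPOT_HASH',
    'EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys Signed=true Sha256=PLACEHOLDER_BENIGN_HASH',
]

# Stands in for Microsoft's vulnerable driver blocklist; the real SHA-256 is not on
# the page, so a labelled placeholder is used instead of an actual hash value.
BLOCKLISTED_DRIVER_HASHES = {"PLACEHOLDER_VULNERABLE_ASWARPOT_HASH"}
KNOWN_LOADER_NAMES = {"kill-floor.exe"}      # loader name reported for this campaign
KNOWN_DROPPED_DRIVER_NAMES = {"ntfs.bin"}    # file name the dropped driver is written as

def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict, honouring double-quoted values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def check_event(ev: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for one parsed event."""
    findings = []
    eid = ev.get("EventID")
    if eid == "1":
        if ntpath.basename(ev.get("Image", "")).lower() in KNOWN_LOADER_NAMES:
            findings.append(("known_av_killer_loader", ev["Image"]))
    elif eid == "7045" and "kernel" in ev.get("ServiceType", "").lower():
        svc_stem = ntpath.splitext(ev.get("ServiceName", ""))[0].lower()
        image = ntpath.basename(ev.get("ImagePath", "")).lower()
        # BYOVD pattern from the article: a kernel-driver service carrying the Avast
        # name but pointing at a dropped file whose name/extension do not match it.
        if svc_stem != ntpath.splitext(image)[0] or not image.endswith(".sys"):
            findings.append(("driver_service_name_mismatch", f"{ev['ServiceName']} -> {ev['ImagePath']}"))
    elif eid == "6":
        image = ntpath.basename(ev.get("ImageLoaded", "")).lower()
        if ev.get("Sha256") in BLOCKLISTED_DRIVER_HASHES:
            findings.append(("blocklisted_driver_hash", ev["ImageLoaded"]))
        if image in KNOWN_DROPPED_DRIVER_NAMES or not image.endswith(".sys"):
            findings.append(("driver_loaded_from_non_sys_file", ev["ImageLoaded"]))
    return findings

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every line and return all findings in input order."""
    return [f for line in lines for f in check_event(parse_event(line))]
```

Running `scan(SAMPLE_EVENTS)` yields one finding for the loader, one for the mismatched service registration and two for the `ntfs.bin` driver load, while the benign `ntfs.sys` load and `svchost.exe` produce nothing.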

### Action Items:
– Review current security protocols and ensure they are updated to block vulnerable drivers.
– Monitor and analyze potential incidents related to the identified malware and similar threats.
– Stay informed on the latest security patches and recommendations from cybersecurity communities.
