November 25, 2024 at 04:24AM
Researchers have identified a new malware campaign utilizing the Bring Your Own Vulnerable Driver (BYOVD) technique. This malware exploits a legitimate Avast Anti-Rootkit driver to disable security measures and gain kernel-level access, terminating 142 processes. The initial access vector and the scale of these attacks remain unknown.
**Meeting Takeaways: Cybersecurity Update on BYOVD Malware Campaign**
**Date:** November 25, 2024
**Presented By:** Ravie Lakshmanan, Trellix Security Researcher Trishaan Kalra
**Key Points:**
1. **Introduction of BYOVD Technique:**
– A new malicious campaign uses the Bring Your Own Vulnerable Driver (BYOVD) technique to breach system security.
2. **Method of Attack:**
– The malware drops a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and utilizes it to disable security measures.
– Initial malware deployment is through an executable file (kill-floor.exe).
3. **Impact of the Malware:**
– Once installed, the driver gains kernel-level access, allowing it to terminate security processes and control the system.
– The malware can kill up to 142 processes, including those related to antivirus and EDR solutions, by comparing active processes against a pre-defined list.
4. **Challenges in Detection:**
– Kernel-mode drivers can bypass user-mode protections, making detection and response difficult for existing antivirus systems.
5. **Current Knowledge Gaps:**
– The exact vectors for initial access and the scope of the attacks remain unclear.
– Target demographics and the extent of the BYOVD attack incidents are still under investigation.
6. **Increasing Trend of BYOVD Attacks:**
– This method has become increasingly popular for deploying ransomware and other malicious activities in recent years.
7. **Previous Incidents:**
– Reference to the GHOSTENGINE malware campaign earlier in the year, which leveraged the same Avast driver to disable security processes.
**Next Steps:**
– Continue monitoring for updates on the BYOVD campaign and potential defensive measures.
– Consider enhancing detection methodologies against kernel-level exploits and malicious driver usages.
**Follow Up:**
– For more information, follow on Twitter and LinkedIn for exclusive content updates.