Hackers Exploit Avast Driver to Disable Security: Here’s a quick look at what to know.


Hackers have found a new way to bypass security defenses by exploiting a vulnerable Avast Anti-Rootkit driver. This malicious campaign uses a legitimate but outdated driver to disable security components and take control of the target system. The malware, known as AV Killer, drops the vulnerable driver and uses it to terminate security processes from various vendors.


How the Exploit Works

The attack begins with a piece of malware named kill-floor.exe, which drops the vulnerable Avast Anti-Rootkit driver, saved as ntfs.bin, into the default Windows user folder. The malware then creates a service called aswArPot.sys and registers the driver through it. Using a hardcoded list of 142 security process names, the malware walks the active processes on the system and terminates every match. This lets it disable security products from vendors including McAfee, Symantec, Sophos, Avast, Trend Micro, Microsoft Defender, SentinelOne, ESET, and BlackBerry.

Consequences of the Attack

With the security defenses disabled, the malware can perform malicious activities without triggering alerts or getting blocked. This can lead to data theft, ransomware attacks, and other harmful actions. The attack leverages the bring-your-own-vulnerable-driver (BYOVD) approach, which has been observed in other malware campaigns.

Historical Context of Similar Incidents

This is not the first time Avast’s Anti-Rootkit driver has been exploited. In early 2022, Trend Micro researchers discovered similar procedures while investigating an AvosLocker ransomware attack. In December 2021, SentinelLabs found two high-severity flaws in the driver that could be exploited to disable security products. Avast addressed these issues with security updates.

Strategies to Protect Against Driver Exploits

To protect against attacks that rely on vulnerable drivers, organizations can use rules that identify and block drivers by their signatures or hashes. Microsoft offers solutions like the vulnerable driver blocklist policy file, which is updated with every major Windows release. Starting with Windows 11 2022, this list is active by default on all devices.
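The driver-install pattern described under "How the Exploit Works" (a kernel driver service created for a file sitting in a user folder, under a service name that matches a known abusable driver) is something a defender can look for in the Windows System log even before a blocklist catches the file hash. The script below is an added example written for this article; it is not code from the article, from Avast, or from Microsoft. It reads records in the shape of Windows event 7045 ("A service was installed in the system"), flattened here into one line per record, and flags kernel-mode driver services whose image path or service name looks like the AV Killer pattern. The sample records are constructed, the service name aswArPot.sys and the file name ntfs.bin come from the article, and the trusted directory list and the single-entry abusable-driver set are assumptions that would be replaced by a real blocklist in practice.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Driver names defenders track as abusable. Only the name from the article
# is listed here (assumption: a real deployment would load a vendor blocklist).
KNOWN_ABUSABLE_DRIVERS = {"aswarpot.sys"}

# Directories a legitimately installed kernel driver is expected to load from
# (assumed list; adjust for the environment).
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers",
    "c:\\windows\\system32\\driverstore",
)

# Constructed sample records in the shape of event 7045, flattened to one
# line each. These are not real log data.
SAMPLE_EVENTS = [
    "EventID=7045; Service Name: aswArPot.sys; Service File Name: C:\\Users\\victim\\ntfs.bin; "
    "Service Type: kernel mode driver; Service Start Type: demand start",
    "EventID=7045; Service Name: Spooler; Service File Name: C:\\Windows\\System32\\spoolsv.exe; "
    "Service Type: user mode service; Service Start Type: auto start",
    "EventID=7045; Service Name: WdFilter; Service File Name: system32\\drivers\\WdFilter.sys; "
    "Service Type: kernel mode driver; Service Start Type: boot start",
    "EventID=7045; Service Name: upd_drv; Service File Name: \\??\\C:\\Windows\\Temp\\upd.sys; "
    "Service Type: kernel mode driver; Service Start Type: demand start",
]

EVENT_7045_RE = re.compile(
    r"Service Name:\s*(?P<name>[^;]+);\s*Service File Name:\s*(?P<path>[^;]+);"
    r"\s*Service Type:\s*(?P<type>[^;]+)",
    re.IGNORECASE,
)


@dataclass
class ServiceInstall:
    service_name: str
    image_path: str
    service_type: str


def parse_7045(record: str) -> Optional[ServiceInstall]:
    """Extract the service name, image path and type from a flattened 7045 record."""
    m = EVENT_7045_RE.search(record)
    if m is None:
        return None
    return ServiceInstall(m["name"].strip(), m["path"].strip(), m["type"].strip())


def normalize_path(raw: str) -> str:
    """Lower-case the path and expand the NT-style prefixes drivers are registered with."""
    p = raw.strip().strip('"').replace("/", "\\").lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    elif p.startswith("system32\\"):
        p = "c:\\windows\\" + p
    return p


def assess(evt: ServiceInstall) -> List[str]:
    """Return the reasons a kernel driver install looks like a BYOVD drop, if any."""
    findings: List[str] = []
    if "kernel" not in evt.service_type.lower():
        return findings  # only kernel-mode driver services are of interest here
    path = normalize_path(evt.image_path)
    basename = path.rsplit("\\", 1)[-1]
    if path.startswith("c:\\users\\"):
        findings.append("kernel driver image located in a user-profile folder")
    elif not path.startswith(TRUSTED_DRIVER_DIRS):
        findings.append("kernel driver image outside the system driver directories")
    if not basename.endswith(".sys"):
        findings.append("kernel driver image without a .sys extension")
    if basename in KNOWN_ABUSABLE_DRIVERS or evt.service_name.lower() in KNOWN_ABUSABLE_DRIVERS:
        findings.append("service or image name matches a known abusable driver")
    return findings


def scan(records: List[str]) -> Dict[str, List[str]]:
    """Map each flagged service name to its findings; clean records are omitted."""
    flagged: Dict[str, List[str]] = {}
    for rec in records:
        evt = parse_7045(rec)
        if evt is None:
            continue
        findings = assess(evt)
        if findings:
            flagged[evt.service_name] = findings
    return flagged


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run against the constructed records, the aswArPot.sys entry is flagged on three counts (user-profile path, non-.sys image, known driver name), the Temp-directory driver on one, and the Spooler and WdFilter entries are left alone. The path checks are deliberately independent of the name list, so a renamed copy of the driver dropped under a fresh service name still trips the location rule.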

Conclusion and Takeaways

Hackers continue to find new ways to exploit vulnerabilities in legitimate software to bypass security defenses. It is crucial for organizations to stay vigilant and keep their systems updated with the latest security patches. By doing so, they can reduce the risk of falling victim to such attacks.

