Cyberattackers Leverage Trusted Drivers to Disable Antivirus Software and Bypass Security Protocols

A sophisticated cyberattack targeting a Brazilian enterprise has unveiled a concerning trend in the ongoing arms race between cybercriminals and defenders. Attackers are now employing legitimate, digitally signed drivers to disable antivirus solutions and unleash destructive ransomware. This incident showcases the advanced tactics of cyber adversaries, who executed a Bring Your Own Vulnerable Driver (BYOVD) attack by exploiting the ThrottleStop.sys driver, initially designed for CPU performance optimization, to bypass security measures and deploy the notorious MedusaLocker ransomware.

The attackers began their operation by compromising an SMTP server using valid Remote Desktop Protocol (RDP) credentials. They then extracted additional user credentials with Mimikatz and moved laterally across the network utilizing pass-the-hash techniques. Their primary objective was to suppress any security tools that could hinder their operations. Various artifacts, including the AV killer program (“All.exe”) and the compromised driver (“ThrottleBlood.sys,” a renamed version of ThrottleStop.sys), were uploaded and executed. This sequence of actions first terminated standard antivirus processes, paving the way for the ransomware deployment.

Technical Analysis: Exploiting Kernel Mode with Trusted Drivers

The ThrottleStop.sys driver, intended for legitimate system monitoring, harbors a critical vulnerability (CVE-2025-7771) that permits any administrator to read and write physical memory through custom IOCTL calls. Once the attackers installed the driver, their AV killer program connected to this interface, gaining the ability to modify kernel-mode operations from user mode.

The malware systematically enumerated running processes, cross-referencing them with a hardcoded list of major antivirus vendors, including Microsoft Defender, Kaspersky, Symantec, and CrowdStrike. It forcibly terminated each security process using kernel-level commands. Windows’ built-in self-restoring features, such as those in Defender, proved ineffective, as the malware was designed to immediately kill any revived process.

At the core of this exploit lies a precise manipulation of memory. The attackers leveraged the driver’s primitives to locate and hijack kernel functions, injecting code to trigger process-killing routines. By utilizing undocumented Windows functions like NtQuerySystemInformation, the malware mapped out all loaded modules, determining how to interact directly with core kernel code.

Recommendations and Lessons Learned

This attack underscores the inadequacy of standalone antivirus tools and emphasizes the necessity for a layered security approach. Security experts advocate for implementing multi-factor authentication, hardening RDP access, segmenting networks, managing privileges aggressively, and deploying solutions with robust self-defense capabilities, as seen in modern security suites like Kaspersky’s, to counter such threats.

As BYOVD attacks become increasingly prevalent, organizations must refine their strategies to monitor the installation of vulnerable drivers and ensure comprehensive incident detection and response mechanisms are established. This recent incident serves as a stark reminder that trusted components can transform into formidable attack tools when wielded by malicious actors.
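One concrete form of the driver monitoring recommended above, added here as an illustrative example and not code from the original report: it scans constructed driver-load records and flags a vulnerable driver by file hash, which still catches the renamed ThrottleBlood.sys where a filename rule would not. The SHA-256 value, the sample records and the suspicious-path list are assumptions.

```python
import re

# Placeholder: the page gives no hash for the vulnerable ThrottleStop.sys build;
# populate from the Microsoft vulnerable driver blocklist or your own intel feed.
VULN_SHA256 = "0" * 63 + "1"  # constructed placeholder, not a real hash
VULNERABLE_DRIVER_SHA256 = {VULN_SHA256: "ThrottleStop.sys (CVE-2025-7771)"}
# Directories a properly installed driver is not expected to load from.
SUSPICIOUS_PATH_HINTS = ("\\temp\\", "\\users\\", "\\programdata\\")

# Constructed driver-load events in key=value form, loosely following Sysmon
# Event ID 6 field names; values contain no spaces so a simple regex suffices.
SAMPLE_EVENTS = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\disk.sys Hashes=SHA256=" + "a" * 64 + ",MD5=" + "b" * 32,
    # Renamed copy dropped by the attacker: the name changed, the hash did not.
    "ImageLoaded=C:\\Users\\Public\\ThrottleBlood.sys Hashes=SHA256=" + VULN_SHA256 + ",MD5=" + "c" * 32,
    # The same vulnerable build installed normally is still worth surfacing.
    "ImageLoaded=C:\\Windows\\System32\\drivers\\ThrottleStop.sys Hashes=SHA256=" + VULN_SHA256,
]
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split a key=value line into a dict and extract the SHA-256 from Hashes."""
    fields = dict(FIELD_RE.findall(line))
    pairs = (h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    fields["SHA256"] = dict(pairs).get("SHA256", "").lower()
    return fields


def name_only_match(lines, needle="throttlestop.sys"):
    """Naive filename match: misses the renamed ThrottleBlood.sys entirely."""
    return [l for l in lines if needle in parse_event(l).get("ImageLoaded", "").lower()]


def flag_driver_loads(lines):
    """Hash-based detection that survives renaming, plus a load-location check."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        path = ev.get("ImageLoaded", "")
        reasons = []
        known = VULNERABLE_DRIVER_SHA256.get(ev["SHA256"])
        if known:
            reasons.append("known vulnerable driver: " + known)
        if any(hint in path.lower() for hint in SUSPICIOUS_PATH_HINTS):
            reasons.append("loaded from a user-writable location")
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    return findings
```

Running `flag_driver_loads(SAMPLE_EVENTS)` surfaces both copies of the vulnerable driver, while `name_only_match` sees only the one that kept its original name.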
