Hackers Abuse Avast Anti-Rootkit driver To Evade Detection

Trellix researchers have documented a malware campaign that abuses the legitimate Avast Anti-Rootkit driver (aswArPot.sys) to evade detection. Rather than shipping its own kernel code, the malware loads this trusted driver and uses its kernel-mode privileges to terminate security processes, disable protective software, and take control of compromised systems.

How The Malware Operates

The infection chain begins with the malware, identified as kill-floor.exe, which drops the legitimate Avast kernel driver under the file name "ntfs.bin" into the directory "C:\Users\Default\AppData\Local\Microsoft\Windows".

According to Trellix Security researchers, “Instead of using a specially crafted driver to perform its malicious activities, the malware uses a trusted kernel driver, giving it an air of legitimacy and allowing it to avoid raising alarms while preparing to undermine the system’s defense.”

Infection Chain

Once the driver file is in place, the malware creates a service named "aswArPot.sys" with Service Control (sc.exe), registering the dropped file as a kernel driver. When the service starts, the driver is loaded into the kernel and the malware can drive it from user mode, effectively gaining kernel-level capabilities it can turn against the system's security software.
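The registration step above is what a defender can hunt for. The following PowerShell is an added example, not code from the article or from Trellix: it lists every kernel-mode service on the host and flags the shapes this campaign leaves behind (a driver image under a user profile, a service named after aswArPot, or an Avast-signed image carrying a non-Avast file name). The two sc.exe lines in the leading comment are an assumed reconstruction of the malware's registration command; the page does not show the exact arguments.

```powershell
# Added example (not from the original article or the Trellix report).
# Assumed shape of the registration kill-floor.exe performs, shown only as a comment:
#   sc.exe create aswArPot.sys type= kernel binPath= "C:\Users\Default\AppData\Local\Microsoft\Windows\ntfs.bin"
#   sc.exe start aswArPot.sys
#
# Win32_SystemDriver enumerates every kernel-mode service (sc type= kernel), loaded or not,
# so a driver that was registered but not yet started still shows up.

function Get-SuspiciousKernelDriver {
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        $raw = $drv.PathName
        if (-not $raw) { continue }

        # Normalise NT-style image paths so they can be compared against %SystemRoot%:
        #   \??\C:\foo\bar.sys       -> C:\foo\bar.sys
        #   \SystemRoot\System32\...  -> C:\Windows\System32\...
        #   System32\drivers\x.sys    -> C:\Windows\System32\drivers\x.sys
        $path = $raw -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

        $inSystemRoot  = $path.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)
        $inUserProfile = $path -match '(?i)^[a-z]:\\Users\\'
        $avastName     = $drv.Name -like 'aswArPot*'

        # The renaming trick: the image is Avast-signed but the file is not called asw*.sys.
        # Heuristic: Avast's own drivers ship with an "asw" prefix; anything else is suspect.
        $sig    = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $renamed = ($signer -match '(?i)avast') -and ([IO.Path]::GetFileName($path) -notmatch '(?i)^asw')

        $reasons = @()
        if ($inUserProfile)         { $reasons += 'image under C:\Users' }
        elseif (-not $inSystemRoot) { $reasons += 'image outside %SystemRoot%' }
        if ($avastName)             { $reasons += 'service named after aswArPot' }
        if ($renamed)               { $reasons += 'Avast-signed image with a non-Avast file name' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service = $drv.Name
                State   = $drv.State
                Image   = $path
                Signer  = $signer
                Reason  = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousKernelDriver | Format-Table -AutoSize
```

Run it from an elevated prompt so every driver's image is readable for the signature check. A legitimate Avast installation will show aswArPot.sys under %SystemRoot% or %ProgramFiles% with a matching file name; the campaign's artifact shows the same signer on a file named ntfs.bin under C:\Users.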

aswArPot.sys terminating security processes

Because the driver runs in kernel mode, it can act on processes that user-mode code, including the malware itself, could not touch. The malware first catalogues the process names of popular antivirus and EDR programs, storing them in a series of predefined variables.

The malware contains a hardcoded list of 142 security process names, which it compares against the processes currently running on the system. On a match, it opens a handle to the installed Avast driver and calls the DeviceIoControl API, passing the matching process ID together with the IOCTL code 0x9988c094; the driver then terminates that process from the kernel.

This is why the technique defeats the tamper protection of most antivirus and EDR products: tamper protection is designed to stop other user-mode code from terminating or tampering with the security process, but a termination carried out by a kernel-mode driver sits outside that protection, so the call succeeds where a user-mode TerminateProcess would be denied.

Recommendations

This is a BYOVD (Bring Your Own Vulnerable Driver) attack: the attacker gains kernel-level capabilities by loading a legitimately signed but abusable driver, then uses it to circumvent security software and disable critical processes. Defending against it means preventing such drivers from loading in the first place.

Organizations can mitigate the risk by blocking known-vulnerable drivers, which denies malware the kernel foothold it needs to establish persistence, elevate privileges, or disable security features. The block must key on the driver's hash or signature rather than its file name, since this campaign drops the Avast driver as "ntfs.bin". Enforcing a driver blocklist at the operating-system level (Windows ships a Microsoft-maintained vulnerable driver blocklist, enforced through HVCI and WDAC policy) and in EDR or antivirus tooling ensures that even legitimate drivers with known vulnerabilities are refused, whatever name they arrive under.
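To turn the recommendation into a check, the PowerShell below is an added example (not from the article) that audits whether a Windows host enforces the controls that refuse a known-vulnerable signed driver regardless of file name: the Microsoft Vulnerable Driver Blocklist toggle, HVCI, and a WDAC kernel-mode policy. The registry value is the documented setting behind Windows Security > Core isolation > Microsoft Vulnerable Driver Blocklist; treating an absent value as "OS default" is an assumption made here.

```powershell
# Added example (not from the original article). Audits driver-blocking posture on this host.

function Get-DriverBlockPosture {
    # 1. Microsoft Vulnerable Driver Blocklist toggle. Assumption: a missing value means the
    #    OS default applies (on for Windows 11 22H2+ and whenever HVCI or Smart App Control is on).
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $toggle = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable `
               -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    if ($toggle -eq 1)     { $blocklist = 'enabled (explicit)' }
    elseif ($toggle -eq 0) { $blocklist = 'DISABLED (explicit)' }
    else                   { $blocklist = 'not set: OS default applies' }

    # 2. Win32_DeviceGuard reports what hypervisor-based code integrity is doing.
    #    SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    #    CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard `
          -ErrorAction SilentlyContinue
    $hvci = $false
    $kmci = 'unknown'
    if ($dg) {
        $hvci = [bool]($dg.SecurityServicesRunning -contains 2)
        if ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)     { $kmci = 'enforced' }
        elseif ($dg.CodeIntegrityPolicyEnforcementStatus -eq 1) { $kmci = 'audit only' }
        elseif ($dg.CodeIntegrityPolicyEnforcementStatus -eq 0) { $kmci = 'off' }
    }

    # 3. Is the Avast anti-rootkit driver loaded right now? Legitimate on an Avast host,
    #    a strong signal of this campaign anywhere else.
    $avastLoaded = [bool](Get-CimInstance -ClassName Win32_SystemDriver |
                          Where-Object { $_.Name -like 'aswArPot*' -and $_.State -eq 'Running' })

    [pscustomobject]@{
        VulnerableDriverBlocklist = $blocklist
        HvciRunning               = $hvci
        WdacKernelModeEnforcement = $kmci
        AvastRootkitDriverLoaded  = $avastLoaded
    }
}

$posture = Get-DriverBlockPosture
$posture | Format-List

if ($posture.VulnerableDriverBlocklist -like 'DISABLED*' -and -not $posture.HvciRunning) {
    Write-Warning 'Neither the vulnerable driver blocklist nor HVCI is active: a known-vulnerable signed driver would load here.'
}
# Remediation for an explicitly disabled blocklist (run elevated, then reboot):
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -Name VulnerableDriverBlocklistEnable -Value 1
```

On a fleet, feed the output into the same inventory that tracks EDR coverage: a host reporting the blocklist off, HVCI not running and no enforced WDAC policy is exactly where a dropped aswArPot.sys will load without resistance.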

