Cybersecurity researchers at Trellix have disclosed a malware campaign that abuses a legitimate, validly signed antivirus driver. The malware, dubbed "kill-floor.exe," loads the Avast Anti-Rootkit driver (aswArPot.sys) and uses its kernel-mode functionality to terminate security processes, bypassing the tamper protection that normally stops a user-mode attacker from doing so. The campaign is another instance of the growing "Bring Your Own Vulnerable Driver" (BYOVD) technique, in which attackers ship a trusted but flawed driver with their payload and use it as a kernel-mode proxy for actions they could not perform from user mode.
Infection Chain and Exploitation
The infection chain begins with the malware dropping the Avast Anti-Rootkit driver into a Windows directory under the innocuous name "ntfs.bin." It then uses the Service Control utility (sc.exe) to register the file as a kernel-mode service and start it. Two points matter here: creating a kernel service already requires administrative rights, so this is not a privilege escalation in itself, and the driver loads cleanly because it carries a valid Avast code signature; Windows has no reason to reject it. Once the driver is resident, its device interface gives the user-mode malware a route to kernel-mode operations, which it uses to terminate security processes, disable endpoint detection and response (EDR) agents, and sidestep the tamper protection those products rely on.
Once the driver is running, the malware enters an infinite loop that enumerates the active processes on the system and compares each name against a hardcoded list of 142 security-related process names. When it finds a match, it opens a handle to the Avast driver's device and calls the DeviceIoControl API with IOCTL code 0x9988c094, passing the target process. The driver handles that request by terminating the process in kernel mode, so the security product's own protections never get a chance to intervene.
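The steps above are observable in endpoint telemetry, and the IOCTL value can be decoded to locate the abused dispatch routine in the driver. The following is an added example, not code from Trellix or from the malware: it decodes the IOCTL into its CTL_CODE fields and runs three detection rules over a constructed, simplified set of events (the event schema, field names and the sample command line and paths are assumptions for this example; the two MD5 values are the indicators published in the report).

```python
"""Detection helpers for the aswArPot.sys (ntfs.bin) BYOVD chain.

Added example, not code from Trellix or the malware. Event dicts and
field names are a constructed, simplified telemetry schema; the IOC
hashes are the two MD5s published in the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# MD5 indicators from the Trellix report.
IOC_MD5 = {
    "40439f39f0195c9c7a3b519554afd17a": "kill-floor.exe",
    "a179c4093d05a3e1ee73f6ff07f994aa": "ntfs.bin (Avast aswArPot.sys)",
}

# Where kernel drivers normally live; a driver registered or loaded from
# anywhere else (especially under \Users\) deserves a look.
DRIVER_DIR = r"c:\windows\system32\drivers"

SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(\S+)", re.IGNORECASE)
SC_TYPE = re.compile(r"\btype=\s*(\w+)", re.IGNORECASE)
SC_BINPATH = re.compile(r'\bbinpath=\s*(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def decode_ioctl(code: int) -> Dict[str, object]:
    """Split a Windows IOCTL into its CTL_CODE fields.

    Layout: DeviceType[31:16] | Access[15:14] | Function[13:2] | Method[1:0].
    The function number is what an analyst matches against the switch in
    the driver's IRP_MJ_DEVICE_CONTROL handler.
    """
    methods = ("METHOD_BUFFERED", "METHOD_IN_DIRECT",
               "METHOD_OUT_DIRECT", "METHOD_NEITHER")
    access = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
              2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": access[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": methods[code & 0x3],
    }


def _outside_driver_dir(path: str) -> bool:
    return not path.lower().startswith(DRIVER_DIR)


def check_service_create(cmdline: str) -> Optional[Alert]:
    """Flag `sc create ... type= kernel binPath= <path>` where the path is
    outside the drivers directory (the loader step of the chain)."""
    m = SC_CREATE.search(cmdline)
    if not m:
        return None
    svc_type = SC_TYPE.search(cmdline)
    binpath = SC_BINPATH.search(cmdline)
    if not svc_type or svc_type.group(1).lower() != "kernel" or not binpath:
        return None
    path = binpath.group(1) or binpath.group(2)
    if _outside_driver_dir(path):
        return Alert("kernel_service_from_unusual_path",
                     f"service {m.group(1)} -> {path}")
    return None


def check_driver_load(image: str, md5: str) -> List[Alert]:
    """Flag driver loads by published hash and by unusual location.
    A valid vendor signature does not clear the load: hash and location
    are what catch a legitimately signed but abusable driver."""
    alerts = []
    if md5.lower() in IOC_MD5:
        alerts.append(Alert("ioc_hash_match", f"{image} = {IOC_MD5[md5.lower()]}"))
    if _outside_driver_dir(image):
        alerts.append(Alert("driver_load_from_unusual_path", image))
    return alerts


def scan(events: List[dict]) -> List[Alert]:
    """Run every rule over a list of telemetry events."""
    found: List[Alert] = []
    for ev in events:
        if ev["type"] == "process_create":
            a = check_service_create(ev["cmdline"])
            if a:
                found.append(a)
        elif ev["type"] == "driver_load":
            found.extend(check_driver_load(ev["image"], ev["md5"]))
    return found


# Constructed sample telemetry (not real captured events).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc.exe create aswArPot.sys type= kernel start= demand '
                r'binPath= "C:\Users\Default\AppData\Local\Microsoft\Windows\ntfs.bin"'},
    {"type": "driver_load",
     "image": r"C:\Users\Default\AppData\Local\Microsoft\Windows\ntfs.bin",
     "md5": "a179c4093d05a3e1ee73f6ff07f994aa"},
    {"type": "driver_load", "image": r"C:\Windows\System32\drivers\ntfs.sys",
     "md5": "00000000000000000000000000000000"},
    {"type": "process_create", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc.exe query wuauserv"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
    print(decode_ioctl(0x9988C094))
```

Decoding 0x9988c094 yields a custom device type (0x9988), function 0x25, METHOD_BUFFERED and read/write access, which is the kind of vendor-private control code a hunt query on DeviceIoControl telemetry can key on. The location rule matters as much as the hash rule: renaming the driver defeats a filename match, and the valid Avast signature defeats a signature-validity check, but neither changes where the file was dropped or what it hashes to.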
Weaponizing Kernel Privileges
The irony is that a driver written to protect systems becomes the attacker's kill switch. Because the Avast Anti-Rootkit driver runs in kernel mode, the termination it performs on the malware's behalf goes through kernel functions such as KeAttachProcess and ZwTerminateProcess rather than through a user-mode OpenProcess/TerminateProcess call. Tamper protection in EDR and antivirus products is largely built to deny those user-mode handle requests, so a kernel-mode path that never issues them is not covered. That is the core risk of any vulnerable driver in a BYOVD scenario: its signature is genuine, its load is permitted, and its privileged functionality is exposed to whichever user-mode caller reaches it first.
To mitigate such threats, organizations should put BYOVD protection in place rather than relying on signature validity alone. Trellix recommends expert rules in EDR or antivirus products that detect and block known-vulnerable drivers by hash, and its write-up includes such a rule for aswArPot.sys. Two caveats for anyone implementing this: match on hash or signer rather than filename, since the driver here was renamed to ntfs.bin, and pair the product rule with Microsoft's vulnerable driver blocklist, which lists aswArPot.sys and is enforced when Hypervisor-Protected Code Integrity or a Windows Defender Application Control policy is active.
These measures block the driver before it can be used to establish persistence, terminate security processes, or disable protection from kernel mode. Security teams should also hunt for the indicators published with this campaign, which include two MD5 hashes:
- 40439f39f0195c9c7a3b519554afd17a (kill-floor.exe)
- a179c4093d05a3e1ee73f6ff07f994aa (ntfs.bin)
The campaign is a reminder that trusted components can be turned against the systems they were meant to protect, and that defenses need to account for legitimate but vulnerable software, not only for unsigned or obviously malicious code.