Attack

Trellix researchers warn of malicious campaign that uses legitimate but outdated Avast Anti-Rootkit driver

Take action: This attack can arrive in several forms, most often via phishing or the download of trojanized content, or alternatively through an unpatched OS or browser. So, as usual, the first barrier is user awareness: do not open or download untrusted files. Then keep endpoints and browsers patched. Finally, deploy the vulnerable driver blocklist so that the outdated Avast driver carried by the malware cannot be loaded.


Learn More

Security researchers at Trellix have uncovered a new malicious campaign that exploits a legitimate but outdated Avast Anti-Rootkit driver to bypass security measures and compromise target systems.

The attack employs a bring-your-own-vulnerable-driver (BYOVD) technique to disable security protections at the kernel level.

The attack uses malware classified as an AV Killer variant, delivered as a file named "kill-floor.exe." The malware drops the vulnerable driver under the name "ntfs.bin" in the default Windows user folder, then registers it as a service named 'aswArPot.sys' with the Service Control utility (sc.exe). The malware carries a hard-coded list of 142 security process names from various vendors that it targets for termination.

According to Trellix researcher Trishaan Kalra, once the malware finds a running process whose name matches its list, it opens a handle to the installed Avast driver and uses the 'DeviceIoControl' API to issue the IOCTL commands that make the driver terminate that process from kernel mode. The targeted security solutions include products from major vendors such as McAfee, Symantec (Broadcom), Sophos, Avast, Trend Micro, Microsoft Defender, SentinelOne, ESET, and BlackBerry.
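The service registration described above leaves a footprint that defenders can hunt for: a kernel-mode driver service whose image lives in a user-writable folder, whose file does not even carry a .sys extension, and whose service name borrows the name of the legitimate Avast driver. The following detection logic is an added example, not code from Trellix or the original article. It runs over constructed sample events (not real telemetry) flattened into a hypothetical "key=value; ..." line format; the field names are modelled on the Windows System log "service was installed" event (ID 7045), but the flattening itself is an assumption of this example.

```python
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed sample events (not real telemetry). Each line is a hypothetical
# flattening of a System-log 7045 "service was installed" record.
SAMPLE_EVENTS = [
    # Pattern from the article: driver dropped as ntfs.bin in a user folder,
    # registered under a service name that mimics the Avast driver file name.
    "EventID=7045; ServiceName=aswArPot.sys; ImagePath=C:\\Users\\alice\\ntfs.bin; "
    "ServiceType=kernel mode driver; StartType=demand start; AccountName=",
    # Benign-looking install: the driver name and file match and it lives in drivers\
    "EventID=7045; ServiceName=aswArPot; ImagePath=C:\\Windows\\System32\\drivers\\aswArPot.sys; "
    "ServiceType=kernel mode driver; StartType=system start; AccountName=",
    # User-mode service: not a driver, ignored by this check
    "EventID=7045; ServiceName=Spooler; ImagePath=C:\\Windows\\System32\\spoolsv.exe; "
    "ServiceType=user mode service; StartType=auto start; AccountName=LocalSystem",
    # Generic BYOVD-style install: a .sys loaded from a world-writable folder
    "EventID=7045; ServiceName=updater; ImagePath=C:\\Users\\Public\\Downloads\\drv.sys; "
    "ServiceType=kernel mode driver; StartType=demand start; AccountName=",
]

# Top-level directories that unprivileged users can normally write to.
USER_WRITABLE_ROOTS = {"users", "programdata", "temp", "tmp"}


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value; key=value' line into a dict (assumed log format)."""
    fields: Dict[str, str] = {}
    for chunk in line.split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def driver_install_findings(event: Dict[str, str]) -> List[str]:
    """Return the reasons a kernel-driver service install looks like BYOVD staging."""
    if event.get("EventID") != "7045":
        return []
    if "kernel" not in event.get("ServiceType", "").lower():
        return []  # only kernel-mode drivers matter for this technique

    reasons: List[str] = []
    path = PureWindowsPath(event.get("ImagePath", ""))
    parts = [p.lower() for p in path.parts]
    # parts[0] is the drive ('C:\\'); parts[1] is the top-level directory.
    if len(parts) > 1 and parts[1] in USER_WRITABLE_ROOTS:
        reasons.append("driver loaded from user-writable location")
    if path.suffix.lower() != ".sys":
        reasons.append("kernel driver image without .sys extension")

    name = event.get("ServiceName", "")
    if name.lower().endswith(".sys"):
        reasons.append("service name carries a .sys extension (mimics a driver file name)")
    if "aswarpot" in name.lower() and path.name.lower() != "aswarpot.sys":
        reasons.append("service named after the Avast Anti-Rootkit driver but image file differs")
    return reasons


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious service name to the reasons it was flagged."""
    results: Dict[str, List[str]] = {}
    for line in lines:
        event = parse_event(line)
        reasons = driver_install_findings(event)
        if reasons:
            results[event.get("ServiceName", "<unknown>")] = reasons
    return results


if __name__ == "__main__":
    for service, reasons in scan(SAMPLE_EVENTS).items():
        print(f"{service}: {'; '.join(reasons)}")
```

Each indicator on its own is weak (vendors do occasionally ship drivers outside System32\drivers), so the function reports all matching reasons and lets the analyst weight them; the combination of a user-profile path, a non-.sys image and a service name copied from a known driver is the high-confidence signal. A production rule would add the SHA-256 of the image file and compare it with the hashes Trellix published and with Microsoft's vulnerable driver blocklist.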

This isn't the first instance of such attacks. Similar techniques were observed in early 2022 during an AvosLocker ransomware attack investigated by Trend Micro. In December 2021, Cuba ransomware operators were found using a script that exploited an Avast Anti-Rootkit kernel driver function to disable security solutions. During the same period, SentinelLabs identified two high-severity vulnerabilities in the same driver:

  • CVE-2022-26522 (CVSS score not stated in the source)
  • CVE-2022-26523 (CVSS score not stated in the source)

These vulnerabilities, present in the driver since 2016, could be exploited for privilege escalation and to disable security products. Avast addressed them through silent security updates after they were reported in December 2021.

Mitigation Measures: Protection against such attacks is possible through several methods:

  1. Implement rules that identify and block the malicious components by signature or file hash, as recommended by Trellix
  2. Apply Microsoft's vulnerable driver blocklist policy file, which is updated with major Windows releases
  3. Note that on Windows 11 2022 Update and later versions the blocklist is enabled by default
  4. Obtain the latest version of the blocklist through App Control for Business (formerly Windows Defender Application Control)

The exact number of affected systems and the financial impact of these attacks are not disclosed in public sources.
