Security researchers at cybersecurity firm Trellix have identified a sophisticated cyberattack utilising an outdated and vulnerable driver from Avast to bypass detection and disable security measures on targeted systems. The campaign employs a “bring-your-own-vulnerable-driver” (BYOVD) tactic, allowing attackers to exploit the Avast Anti-Rootkit driver (aswArPot.sys) to infiltrate devices and deactivate security tools.
The malicious software behind the attack, described as a variant of an antivirus killer tool, is not linked to any specific malware family. It includes a hardcoded list of 142 security processes from various vendors, which it targets to disable protections.
The outdated Avast driver operates at the kernel level, providing access to critical system components. This access enables the malware to terminate security processes and gain control of the infected system. Researchers uncovered the campaign, which uses a file named kill-floor.exe to deploy the vulnerable driver, identified as ntfs.bin, into the default Windows user directory.
Once installed, the malware registers the driver under the service name aswArPot.sys using Windows’ Service Control tool. It then scans active system processes, comparing them against its preloaded list of 142 security-related processes from vendors such as McAfee, Symantec, SentinelOne, ESET, Sophos, Avast, Trend Micro, Microsoft Defender, and BlackBerry.
When the malware identifies a matching process, it interacts with the Avast driver via the DeviceIoControl application programming interface (API), issuing IOCTL commands to terminate the process. With security defences disabled, the malware can carry out harmful activities undetected, taking snapshots of the actively running processes on the system.
Mitigating BYOVD attacks
The use of Avast’s Anti-Rootkit driver in such attacks is not new. In early 2022, researchers at Trend Micro linked similar techniques to AvosLocker ransomware. Around the same time, the Stroz Friedberg’s incident response services team said that incidents involving Cuba ransomware were found to exploit Avast’s driver to disable security tools.
Further analysis by SentinelLabs revealed two additional high-severity vulnerabilities, tracked as CVE-2022-26522 and CVE-2022-26523, in the Avast driver. These flaws, which date back to 2016, allow attackers to escalate privileges and disable security software. Avast addressed the issues through silent security updates following their disclosure.
Defending against attacks leveraging vulnerable drivers requires proactive measures. Trellix recommends using rules to identify and block malicious components based on their signatures or hashes. “For example, by utilising the BYOVD expert rule below, which detects and prevents the execution of compromised drivers, organisations can prevent malware from using these drivers to establish persistence, elevate privileges, or disable security measures,” stated Trellix. “Integrating this rule into an endpoint detection and response (EDR) or antivirus solution ensures that even legitimate drivers with vulnerabilities are effectively blocked, adding a crucial layer of protection against advanced driver-based attacks.”
Additionally, Microsoft’s Vulnerable Driver Blocklist, updated with major Windows releases, offers protection by default on devices running Windows 11 2022 and later. Businesses can also enhance security by employing App Control for Business to access the latest blocklist updates.