
Hackers Use Avast Bug to Shut Down Security Tools

The campaign leverages the so-called "bring-your-own-vulnerable-driver" (BYOVD) technique.

A recently discovered campaign of cyberattacks abuses a vulnerable Avast Anti-Rootkit driver to disable system security mechanisms and gain full control of target machines. This lets the attackers evade detection by security tools, posing a severe threat to users and organizations.


Exploiting a Vulnerable Driver

The campaign leverages the so-called "bring-your-own-vulnerable-driver" (BYOVD) technique, in which an old version of Avast's Anti-Rootkit driver is loaded onto the victim machine. Because the driver runs in kernel mode, it gives the attackers access to core parts of the system and lets them disable security defenses. The discovery was made by Trellix cybersecurity researchers.

The malware behind the attack, described as a variant of an AV Killer, drops a driver named ntfs.bin into the Windows user folder. It then uses the Service Control tool (sc.exe) to create a service named aswArPot.sys, registering and starting the vulnerable driver.


Targeting Security Processes

Once the driver is installed, the malware scans the system against a hardcoded list of 142 process names associated with popular security tools, including software from major vendors such as McAfee, Sophos, Trend Micro, Microsoft Defender, and ESET. On a match, the malware instructs the driver to terminate the security process, effectively disabling the system's defenses.


Track of Previous Attacks

Abuse of this Avast driver has been seen in earlier attacks. In 2021, researchers found the same driver used by Cuba ransomware to disable security tools on victim systems, and Trend Micro observed the technique while analyzing AvosLocker ransomware in early 2022.

Compounding the risk, SentinelLabs identified two severe vulnerabilities (CVE-2022-26522 and CVE-2022-26523) in the Avast Anti-Rootkit driver. The flaws, present since 2016, allowed attackers to escalate privileges and disable security measures. Avast fixed them in 2021 through security updates, but outdated copies of the driver remain exploitable.


What Should One Do?

To protect against such attacks, security professionals advise putting blocking rules in place based on the digital signatures or hashes of the malicious components. Microsoft also provides controls for this, such as the vulnerable driver blocklist policy, which is enabled automatically on Windows 11 2022 and later devices. Organizations can further harden systems with Microsoft's App Control for Business to block driver-based exploits.
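The following script turns the recommendations above, and the indicators described earlier (a driver image dropped as ntfs.bin under the user folder and registered as a service named aswArPot.sys), into a host audit. It is an added example, not code from the original article or from Trellix. It assumes an elevated PowerShell session, that the vulnerable driver blocklist state is exposed through the documented VulnerableDriverBlocklistEnable registry value, and the set of user-writable directories it treats as suspicious is this example's own choice, not something the article specifies.

```powershell
# Added example (not from the original article): audit a Windows host for
# kernel driver services loaded from unusual locations and check whether the
# Microsoft vulnerable driver blocklist is enforced. Run elevated.

# Win32_SystemDriver lists kernel driver services; PathName is the image path.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver

# Locations a legitimate kernel driver should not be loaded from.
# This set is an assumption for the example; extend it to match local policy.
$suspiciousRoots = @(
    "$env:SystemDrive\Users\",
    "$env:SystemRoot\Temp\",
    "$env:ProgramData\"
)

$findings = foreach ($d in $drivers) {
    if (-not $d.PathName) { continue }

    # PathName may be quoted or carry the \??\ or \SystemRoot\ prefixes; normalise it.
    $path = $d.PathName.Trim('"') -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"

    $fromUserWritable = $suspiciousRoots | Where-Object {
        $path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
    }
    # A kernel driver image that is not a .sys file (the article's dropper is ntfs.bin).
    $unusualExtension = ([System.IO.Path]::GetExtension($path) -ne '.sys')
    # Names reported in the write-up: service aswArPot.sys, file ntfs.bin.
    $knownName = ($d.Name -ieq 'aswArPot.sys') -or
                 ([System.IO.Path]::GetFileName($path) -ieq 'ntfs.bin')

    if ($fromUserWritable -or $unusualExtension -or $knownName) {
        [pscustomobject]@{
            Service = $d.Name
            State   = $d.State
            Path    = $path
            Reason  = @(
                if ($fromUserWritable) { 'user-writable path' }
                if ($unusualExtension) { 'non-.sys image' }
                if ($knownName)        { 'name matches reported AV killer' }
            ) -join ', '
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No suspicious kernel driver services found.'
}

# The vulnerable driver blocklist is controlled by this documented registry value
# (1 = enforced). Windows 11 2022 Update (22H2) and later enable it by default.
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
if ($ci.VulnerableDriverBlocklistEnable -eq 1) {
    'Vulnerable driver blocklist: enforced'
} else {
    'Vulnerable driver blocklist: NOT enforced (Windows Security > Device security > Core isolation)'
}
```

A hit on the "user-writable path" or "non-.sys image" reasons is worth investigating even when the service name does not match, since the same BYOVD approach works with any signed but vulnerable driver; a negative blocklist result on a managed fleet is a configuration gap to close through policy rather than per host.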


The campaign shows that outdated drivers remain a persistent risk, and that proactive security measures are needed to counter advanced cyberattacks.

