Cybersecurity researchers have uncovered a new malicious campaign that leverages a technique known as Bring Your Own Vulnerable Driver (BYOVD) to disarm security protections and ultimately gain access to the infected system.
“This malware takes a more sinister route: it drops a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and manipulates it to carry out its destructive agenda,” Trellix security researcher Trishaan Kalra said in an analysis published last week.
“The malware exploits the deep access provided by the driver to terminate security processes, disable protective software, and seize control of the infected system.”
The starting point of the attack is an executable file (kill-floor.exe) that drops the legitimate Avast Anti-Rootkit driver, which is subsequently registered as a service using Service Control (sc.exe) to perform its malicious actions.
Once the driver is up and running, the malware gains kernel-level access to the system, allowing it to terminate a total of 142 processes, including those related to security software, that could otherwise raise an alarm.
This is achieved by taking snapshots of the actively running processes on the system and checking their names against the hard-coded list of processes to kill.
“Since kernel-mode drivers can override user-mode processes, the Avast driver is able to terminate processes at the kernel level, effortlessly bypassing the tamper protection mechanisms of most antivirus and EDR solutions,” Kalra said.
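The service registration step described above is the most visible point for a defender to catch this pattern. The following is an added detection example, not code from the article or from Trellix: it parses process-creation command lines (as Sysmon Event ID 1 or Windows 4688 would record them) for `sc.exe create` registering `aswArPot.sys` as a kernel service, and rates a copy loaded from outside the assumed Avast install directory higher than one at the vendor path. The sample command lines are constructed for the example, and the trusted-path prefix is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Driver named in the Trellix analysis. Extending this set with other
# known-abused signed drivers is an assumption beyond what the article lists.
ABUSED_DRIVERS = {"aswarpot.sys"}
# Assumption: a genuine Avast install loads the driver from its own Program
# Files directory; the same file registered from anywhere else is the BYOVD pattern.
TRUSTED_PREFIXES = ("c:\\program files\\avast software\\",)

SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(\S+)\s+(.*)", re.IGNORECASE)
# sc.exe arguments are written "key= value" (note the space after '=').
SC_ARG = re.compile(r'(\w+)=\s*("[^"]*"|\S+)')


@dataclass
class Finding:
    service: str
    driver_path: str
    severity: str


def analyze_cmdline(cmdline: str) -> Optional[Finding]:
    """Return a Finding if cmdline registers a known-abused driver as a kernel service."""
    m = SC_CREATE.search(cmdline)
    if not m:
        return None
    service, rest = m.group(1), m.group(2)
    args = {k.lower(): v.strip('"') for k, v in SC_ARG.findall(rest)}
    if args.get("type", "").lower() != "kernel":
        return None  # user-mode services are out of scope for this check
    binpath = args.get("binpath", "").replace("/", "\\")
    if binpath.rsplit("\\", 1)[-1].lower() not in ABUSED_DRIVERS:
        return None
    trusted = binpath.lower().startswith(TRUSTED_PREFIXES)
    return Finding(service, binpath, "low" if trusted else "high")


def scan(cmdlines):
    """Run analyze_cmdline over a batch of command lines and keep the hits."""
    return [f for f in map(analyze_cmdline, cmdlines) if f]


# Constructed sample command lines (not taken from the article).
SAMPLE_CMDLINES = [
    r'sc.exe create aswArPot type= kernel binPath= C:\Users\Public\aswArPot.sys',
    r'sc.exe create aswArPot type= kernel binPath= "C:\Program Files\Avast Software\Avast\aswArPot.sys"',
    r'sc.exe create MyApp type= own binPath= C:\app\svc.exe',
    r'sc.exe query aswArPot',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"[{f.severity}] service={f.service} driver={f.driver_path}")
```

In a live pipeline the same check can be paired with Sysmon Event ID 6 (driver loaded) to confirm the driver actually loaded, since the article notes the kill list is applied only once the driver is running.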
The exact initial access vector used to drop the malware is currently not clear. It's also not known how widespread these attacks are and who the targets are.
That said, BYOVD attacks have become an increasingly common technique adopted by threat actors to deploy ransomware in recent years, as they reuse signed but flawed drivers to bypass security controls.
Earlier this May, Elastic Security Labs revealed details of a GHOSTENGINE malware campaign that took advantage of the Avast driver to turn off security processes.