A malicious campaign has been discovered in which the malware employs a more nefarious tactic, dropping the legitimate Avast Anti-Rootkit driver (aswArPot.sys) to evade detection.
The malware takes advantage of the driver’s deep access to stop security processes, turn off protective software, and take over the compromised system.
How the Malware Operates
The infection chain of the malware (kill-floor.exe) starts with the legitimate Avast Anti-Rootkit driver (aswArPot.sys). The malware drops this legitimate kernel driver under the name “ntfs.bin” in the “C:\Users\Default\AppData\Local\Microsoft\Windows” directory.
“Instead of using a specially crafted driver to perform its malicious activities, the malware uses a trusted kernel driver, giving it an air of legitimacy and allowing it to avoid raising alarms while preparing to undermine the system’s defense,” said Trellix Security researchers.
After dropping the legitimate kernel driver, the malware creates a service called “aswArPot.sys” using the Service Control utility (sc.exe) to register the driver for its subsequent operations.
Once the driver is installed and operational, the malware obtains kernel-level access to the system, enabling it to take over the system and stop critical security functions.
At the kernel level, the aswArPot.sys driver essentially gives the malware unrestricted access to the most critical parts of the operating system.
The malware first stores the process names of popular antivirus and EDR programs in a number of hardcoded variables.
The list of 142 hardcoded security process names found in the malware is as follows:
The malware then retrieves the details of every process running on the system and matches each process name against the hardcoded list.
If a process name matches, the malware opens a handle to the installed Avast driver. With that handle, the malware invokes the DeviceIoControl API, passing the target process ID together with the ‘0x9988c094’ IOCTL code.
Because a kernel-mode driver can terminate processes that user-mode code cannot touch, the Avast driver lets the malware kill security processes at the kernel level, bypassing the tamper protection features of most antivirus and EDR programs.
Recommendations
Using BYOVD (Bring Your Own Vulnerable Driver) protections, that is, blocking known vulnerable drivers from loading, is a crucial way to protect systems from attacks that abuse legitimate but vulnerable drivers such as the Avast Anti-Rootkit driver.
BYOVD attacks obtain kernel-level access by taking advantage of legitimate but vulnerable drivers. This enables malware to bypass security software and stop important processes.
By blocking these drivers, organizations can stop malware from establishing persistence, elevating privileges, or turning off security features.
Such a driver-blocking rule, when integrated into an endpoint detection and response (EDR) or antivirus product, adds a vital layer of defense against sophisticated driver-based attacks by ensuring that even legitimate drivers with known vulnerabilities are stopped before they load.
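As an added illustration of how a defender can hunt for the behaviour described in this article (a kernel driver service registered via sc.exe with its binary dropped, under a non-driver file name, inside a user profile directory) and of the blocklisting recommended above, the following Python example scans service-installation records. It is example code written for this page, not code from the article, from Trellix, or from any vendor. The flat `Field="value"` log format, the sample events, and the names `KNOWN_ABUSED_DRIVER_NAMES`, `TRUSTED_DRIVER_DIRS`, `parse_event`, `analyze_event` and `scan` are all constructed assumptions; a real deployment would feed it Windows service-install events (for example System log event 7045) and match drivers by hash against a maintained vulnerable-driver blocklist rather than by file name alone.

```python
import re
from typing import Dict, List

# Driver names the article reports as abused. Constructed allow-by-name
# blocklist for demonstration; production use should key on file hashes and
# versions from a maintained vulnerable-driver blocklist.
KNOWN_ABUSED_DRIVER_NAMES = {"aswarpot.sys", "aswarpot"}

# Directories from which Windows normally loads kernel drivers.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers",
    "c:\\windows\\system32\\driverstore",
)

# Constructed sample records in a hypothetical flat service-install log format.
SAMPLE_EVENTS = [
    r'ServiceName="aswArPot.sys" ImagePath="C:\Users\Default\AppData\Local\Microsoft\Windows\ntfs.bin" ServiceType="kernel mode driver" StartType="demand start"',
    r'ServiceName="Spooler" ImagePath="C:\Windows\System32\spoolsv.exe" ServiceType="user mode service" StartType="auto start"',
    r'ServiceName="aswArPot" ImagePath="C:\Windows\System32\drivers\aswArPot.sys" ServiceType="kernel mode driver" StartType="demand start"',
    r'ServiceName="cdrom" ImagePath="\SystemRoot\System32\drivers\cdrom.sys" ServiceType="kernel mode driver" StartType="demand start"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Split one Field="value" record into a dictionary (assumed log shape)."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def normalize_path(path: str) -> str:
    """Lower-case the path and resolve the NT-style prefixes seen in ImagePath."""
    path = path.strip().strip('"').lower()
    if path.startswith("\\??\\"):
        path = path[4:]
    if path.startswith("\\systemroot"):
        path = "c:\\windows" + path[len("\\systemroot"):]
    return path


def analyze_event(event: Dict[str, str]) -> List[str]:
    """Return a list of findings for one record; empty means nothing suspicious."""
    findings: List[str] = []
    # Only kernel-mode driver registrations are of interest for BYOVD hunting.
    if event.get("ServiceType", "").lower() != "kernel mode driver":
        return findings

    name = event.get("ServiceName", "").lower()
    image = normalize_path(event.get("ImagePath", ""))
    basename = image.rsplit("\\", 1)[-1]

    # Blocklist hit: the service or its binary is a driver known to be abused.
    if name in KNOWN_ABUSED_DRIVER_NAMES or basename in KNOWN_ABUSED_DRIVER_NAMES:
        findings.append(f"known-abused driver name: {name}")
    # Drivers legitimately live under System32; anything else deserves a look.
    if not image.startswith(TRUSTED_DRIVER_DIRS):
        findings.append(f"driver image outside trusted driver directories: {image}")
    # A driver dropped into a user profile (as in this campaign) is a strong signal.
    if image.startswith("c:\\users\\"):
        findings.append("driver image located under a user profile directory")
    # The campaign renamed the driver to ntfs.bin; kernel drivers are normally .sys.
    if not basename.endswith(".sys"):
        findings.append(f"driver image has a non-.sys extension: {basename}")
    return findings


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious service name to its findings."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        event = parse_event(line)
        findings = analyze_event(event)
        if findings:
            report[event.get("ServiceName", "?")] = findings
    return report


if __name__ == "__main__":
    for service, findings in scan(SAMPLE_EVENTS).items():
        print(service)
        for finding in findings:
            print("  -", finding)
```

The point of the four checks is that they fire independently: the renamed driver in the user profile trips all of them, while a patched Avast driver installed in its normal location only trips the name-based blocklist, which is exactly why a real blocklist should key on hash or version rather than file name.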