Hackers Exploit Legitimate Drivers to Disable Antivirus and Weaken System Defenses

Threat actors have been deploying a novel antivirus (AV) killer since at least October 2024, leveraging the legitimate ThrottleStop.sys driver to execute Bring Your Own Vulnerable Driver (BYOVD) tactics.

This malware, detected by Kaspersky as Win64.KillAV., systematically terminates AV processes, clearing the way for ransomware such as the MedusaLocker variant (Trojan-Ransom.Win32.PaidMeme.).

The incident began with adversaries gaining initial access to an SMTP server via valid RDP credentials from Belgium, exploiting weak password policies and exposed remote access.

Attack Chain

Using Mimikatz, attackers extracted NTLM hashes and conducted lateral movement through pass-the-hash techniques with PowerShell tools such as Invoke-WMIExec.ps1 and Invoke-SMBExec.ps1.

Figure: Incident flow

These scripts facilitated the creation of sequential user accounts (e.g., User1, User2) with uniform passwords, added to administrative groups across network endpoints.

Artifacts, including the AV killer (All.exe) and ransomware (haz8.exe), were staged in directories like C:\Users\Administrator\Music on the mail server and later propagated to C:\Users\UserN\Pictures on compromised machines.

Initially, Windows Defender quarantined the ransomware on some systems, but the attackers swiftly disabled it using the BYOVD method, enabling unchecked encryption.

This chain underscores a gap in defense-in-depth strategies: even a deployed AV solution fails when a signed but vulnerable driver that no product flags is loaded to bypass its protections.

Kaspersky’s Endpoint Security, however, resisted such tampering through robust self-defense mechanisms that safeguard memory processes, registry entries, and files.

Technical Analysis of the AV Killer

The AV killer comprises ThrottleBlood.sys, a renamed but legitimately signed ThrottleStop.sys driver (CVE-2025-7771), and All.exe, which exploits the driver’s vulnerability for kernel-level manipulation.

Figure: AV names inside the binary

Signed in 2020 by TechPowerUp LLC with a DigiCert certificate, the driver creates a device at \\.\ThrottleStop, exposing IOCTL handlers for arbitrary physical memory reads and writes via MmMapIoSpace.

All.exe, with administrative privileges, loads the driver using Service Control Manager APIs like OpenSCManagerA and StartServiceW, then retrieves the kernel base address via NtQuerySystemInformation with SystemModuleInformation.

Employing the SuperFetch technique from an open-source library, it translates virtual addresses to physical ones using SystemSuperfetchInformation queries.
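The driver-loading step above (a kernel driver registered through the Service Control Manager from a staging directory under a user profile) leaves a Windows System-log "service was installed" record (Event ID 7045) that a defender can triage. The following script is an added example, not code from the article or from the Kaspersky report: it parses constructed 7045-style records in a simple key=value form and flags kernel-driver installs by file name, by the driver's SHA-1 from the IoC table, and by an image path under C:\Users\. The SHA1 field is an assumption (a hashing enrichment step run before this script); real 7045 events carry no hash.

```python
"""Flag kernel-driver service installs that match the BYOVD staging pattern
described in the article (renamed ThrottleStop.sys dropped under a user
profile and registered as a service). Added example; the records below are
constructed and the SHA1 field is assumed to come from a prior enrichment step.
"""
import re
from dataclasses import dataclass

# File names of the abused driver named in the article (original and renamed).
SUSPECT_DRIVER_NAMES = {"throttlestop.sys", "throttleblood.sys"}
# SHA-1 of the vulnerable driver, from the article's IoC table.
SUSPECT_DRIVER_SHA1 = {"82ed942a52cdcf120a8919730e00ba37619661a3"}
# Legitimate drivers live under %SystemRoot%\System32\drivers; a kernel driver
# registered from a user profile directory is anomalous on its own.
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
NT_PREFIX_RE = re.compile(r"^\\\?\?\\")  # strips the \??\ prefix seen in ImagePath

SAMPLE_EVENTS = [  # constructed records, not real log data
    "ServiceName=disk; ImagePath=System32\\drivers\\disk.sys; "
    "ServiceType=kernel mode driver; SHA1=0000000000000000000000000000000000000000",
    "ServiceName=ThrottleBlood; ImagePath=\\??\\C:\\Users\\Administrator\\Music\\ThrottleBlood.sys; "
    "ServiceType=kernel mode driver; SHA1=82ED942A52CDCF120A8919730E00BA37619661A3",
    "ServiceName=Updater; ImagePath=C:\\Users\\UserN\\Pictures\\All.exe; "
    "ServiceType=user mode service; SHA1=c0979ec20b87084317d1bfa50405f7149c3b5c5f",
]


@dataclass
class ServiceInstall:
    service_name: str
    image_path: str
    service_type: str
    sha1: str


def parse_record(line: str) -> ServiceInstall:
    """Parse one constructed 'Key=value; Key=value' record."""
    fields = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            fields[key] = value.strip().strip('"')
    return ServiceInstall(
        service_name=fields.get("ServiceName", ""),
        image_path=NT_PREFIX_RE.sub("", fields.get("ImagePath", "")),
        service_type=fields.get("ServiceType", ""),
        sha1=fields.get("SHA1", "").lower(),
    )


def assess(rec: ServiceInstall) -> list[str]:
    """Return the reasons a kernel-driver install looks like BYOVD staging
    (empty list for user-mode services and for unremarkable drivers)."""
    if "kernel mode driver" not in rec.service_type.lower():
        return []
    reasons = []
    basename = rec.image_path.rsplit("\\", 1)[-1].lower()
    if basename in SUSPECT_DRIVER_NAMES:
        reasons.append(f"driver file name {basename} is the abused ThrottleStop driver")
    if rec.sha1 in SUSPECT_DRIVER_SHA1:
        reasons.append("driver SHA-1 matches the IoC table")
    if USER_PROFILE_RE.match(rec.image_path):
        reasons.append("kernel driver registered from a user profile directory")
    return reasons


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each suspicious service name to the reasons it was flagged."""
    hits = {}
    for line in lines:
        rec = parse_record(line)
        reasons = assess(rec)
        if reasons:
            hits[rec.service_name] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Only the ThrottleBlood record is flagged, on all three grounds; the user-mode All.exe service is out of scope for this check and would be covered by process-level telemetry instead.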

According to the report, the malware hijacks the NtAddAtom syscall by injecting shellcode that overwrites its kernel code, allowing indirect invocation of functions like PsLookupProcessById and PsTerminateProcess to kill targeted AV processes.

Hardcoded strings in All.exe list processes from major vendors, including AvastSvc.exe (Avast), MsMpEng.exe (Microsoft), avp.exe (Kaspersky), and others from Bitdefender, CrowdStrike, ESET, McAfee, Symantec, and Sophos.

Matching processes, found via Process32FirstW and Process32NextW, are terminated in a loop so that services which restart themselves, such as Defender’s, are killed again.

After execution, the injected kernel code restores the original NtAddAtom code to avoid crashes, a sign of careful evasion engineering.

Victims span Russia, Belarus, Kazakhstan, Ukraine, and Brazil, with ties to ransomware groups.

Mitigation involves application whitelisting, network segmentation, MFA, patching, EDR monitoring, and self-defense in AV products.

TTPs include process discovery (T1057), impairing defenses (T1562.001/006), service creation (T1543.003), and service stop (T1489). A YARA rule detects the threat by matching PE imports, strings like “ntoskrnl.exe” and “NtAddAtom”, and IOCTL codes.

Indicators of Compromise (IoC)

Artifact                              SHA-1 hash
Vulnerable ThrottleBlood.sys driver   82ed942a52cdcf120a8919730e00ba37619661a3
haz8.exe (MedusaLocker)               f02daf614109f39babdcb6f8841dd6981e929d70
All.exe (AV killer)                   c0979ec20b87084317d1bfa50405f7149c3b5c5f
Other AV killer variants              eff7919d5de737d9a64f7528e86e3666051a49aa
                                      0a15be464a603b1eebc61744dc60510ce169e135
                                      d5a050c73346f01fc9ad767d345ed36c221baac2
                                      987834891cea821bcd3ce1f6d3e549282d38b8d3
                                      86a2a93a31e0151888c52dbbc8e33a7a3f4357db
                                      dcaed7526cda644a23da542d01017d48d97c9533
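The IoC table above and the YARA rule described earlier (imports, the strings “ntoskrnl.exe” and “NtAddAtom”, and the hardcoded AV process names) can be turned into a simple file triage. The script below is an added example, not the Kaspersky YARA rule or any code from the report: it hashes file contents against the SHA-1 list, looks for the string indicators, and walks a directory tree. The two sample blobs are constructed; they trigger only the string heuristic and match no real hash.

```python
"""Triage files against the article's IoC table (SHA-1) and the string
indicators its YARA rule keys on. Added example, not the report's rule;
sample blobs are constructed and match no real sample hash.
"""
import hashlib
import os
from dataclasses import dataclass

# SHA-1 values from the article's IoC table.
IOC_SHA1 = {
    "82ed942a52cdcf120a8919730e00ba37619661a3",  # ThrottleBlood.sys
    "f02daf614109f39babdcb6f8841dd6981e929d70",  # haz8.exe (MedusaLocker)
    "c0979ec20b87084317d1bfa50405f7149c3b5c5f",  # All.exe (AV killer)
    "eff7919d5de737d9a64f7528e86e3666051a49aa",  # other AV killer variants
    "0a15be464a603b1eebc61744dc60510ce169e135",
    "d5a050c73346f01fc9ad767d345ed36c221baac2",
    "987834891cea821bcd3ce1f6d3e549282d38b8d3",
    "86a2a93a31e0151888c52dbbc8e33a7a3f4357db",
    "dcaed7526cda644a23da542d01017d48d97c9533",
}
# Strings the article reports inside All.exe (also used by the described YARA rule)
# and a subset of the AV process names it hardcodes.
KERNEL_STRINGS = [b"ntoskrnl.exe", b"NtAddAtom"]
AV_PROCESS_NAMES = [b"AvastSvc.exe", b"MsMpEng.exe", b"avp.exe"]


@dataclass
class Verdict:
    sha1: str
    ioc_match: bool
    kernel_strings: list[bytes]
    av_names: list[bytes]

    def suspicious(self) -> bool:
        # A hash hit is conclusive. Otherwise require both kernel strings and
        # at least one AV process name, since either alone is common in benign tools.
        return self.ioc_match or (
            len(self.kernel_strings) == len(KERNEL_STRINGS) and bool(self.av_names)
        )


def scan_bytes(data: bytes, ioc_set=IOC_SHA1) -> Verdict:
    """Hash the content and check it for the string indicators."""
    sha1 = hashlib.sha1(data).hexdigest()
    return Verdict(
        sha1=sha1,
        ioc_match=sha1 in ioc_set,
        kernel_strings=[s for s in KERNEL_STRINGS if s in data],
        av_names=[s for s in AV_PROCESS_NAMES if s in data],
    )


def scan_tree(root: str, ioc_set=IOC_SHA1) -> dict[str, Verdict]:
    """Scan every regular file under root; return only the suspicious ones."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    verdict = scan_bytes(fh.read(), ioc_set)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the scan
            if verdict.suspicious():
                hits[path] = verdict
    return hits


# Constructed sample blobs, not real samples.
KILLER_LIKE = b"MZ..." + b"ntoskrnl.exe\x00NtAddAtom\x00MsMpEng.exe\x00avp.exe\x00"
BENIGN = b"MZ..." + b"hello world\x00"

if __name__ == "__main__":
    for label, blob in (("killer-like", KILLER_LIKE), ("benign", BENIGN)):
        v = scan_bytes(blob)
        state = "suspicious" if v.suspicious() else "clean"
        print(f"{label}: sha1={v.sha1} {state} strings={v.kernel_strings} av={v.av_names}")
```

Run `scan_tree(r"C:\Users")` on a host of interest to cover the staging directories named in the article; the string heuristic is deliberately conservative, so treat hash matches as confirmed and string-only hits as leads for further analysis.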
