Hackers Exploit Legitimate Drivers to Disable Antivirus and Weaken System Defenses

Threat actors have been deploying a novel antivirus (AV) killer since at least October 2024, leveraging the legitimate ThrottleStop.sys driver to execute Bring Your Own Vulnerable Driver (BYOVD) tactics.

This malware, detected by Kaspersky as Win64.KillAV., systematically terminates AV processes, paving the way for ransomware deployment like the MedusaLocker variant (Trojan-Ransom.Win32.PaidMeme.).

The incident began with adversaries gaining initial access to an SMTP server via valid RDP credentials from Belgium, exploiting weak password policies and exposed remote access.

Attack Chain

Using Mimikatz, attackers extracted NTLM hashes and conducted lateral movement through pass-the-hash techniques with PowerShell tools such as Invoke-WMIExec.ps1 and Invoke-SMBExec.ps1.

These scripts facilitated the creation of sequential user accounts (e.g., User1, User2) with uniform passwords, added to administrative groups across network endpoints.

Artifacts, including the AV killer (All.exe) and ransomware (haz8.exe), were staged in directories like C:UsersAdministratorMusic on the mail server and later propagated to C:UsersUserNPictures on compromised machines.

Initially, Windows Defender quarantined the ransomware on some systems, but the attackers swiftly disabled it using the BYOVD method, enabling unchecked encryption.

This chain underscores vulnerabilities in defense-in-depth strategies, where even deployed AV solutions falter against undetected drivers bypassing protections.

Kaspersky’s Endpoint Security, however, resisted such tampering through robust self-defense mechanisms that safeguard memory processes, registry entries, and files.

Technical Analysis of the AV Killer

The AV killer comprises ThrottleBlood.sys a renamed, legitimately signed ThrottleStop.sys driver (CVE-2025-7771) and All.exe, which exploits the driver’s vulnerabilities for kernel-level manipulation.

Signed in 2020 by TechPowerUp LLC with a DigiCert certificate, the driver creates a device at .ThrottleStop, exposing IOCTL handlers for arbitrary physical memory reads and writes via MmMapIoSpace.

All.exe, with administrative privileges, loads the driver using Service Control Manager APIs like OpenSCManagerA and StartServiceW, then retrieves the kernel base address via NtQuerySystemInformation with SystemModuleInformation.

Employing the SuperFetch technique from an open-source library, it translates virtual addresses to physical ones using SystemSuperfetchInformation queries.

According to the report, The malware hijacks the NtAddAtom syscall by injecting shellcode that overwrites its kernel code, allowing indirect invocation of functions like PsLookupProcessById and PsTerminateProcess to kill targeted AV processes.

Hardcoded strings in All.exe list processes from major vendors, including AvastSvc.exe (Avast), MsMpEng.exe (Microsoft), avp.exe (Kaspersky), and others from Bitdefender, CrowdStrike, ESET, McAfee, Symantec, and Sophos.

Upon detection via Process32FirstW and Process32NextW, matching processes are terminated in a loop, countering restarts like Defender’s.

This kernel code injection restores original code post-execution to avoid crashes, demonstrating advanced evasion.

Victims span Russia, Belarus, Kazakhstan, Ukraine, and Brazil, with ties to ransomware groups.

Mitigation involves application whitelisting, network segmentation, MFA, patching, EDR monitoring, and self-defense in AV products.

TTPs include process discovery (T1057), impairing defenses (T1562.001/006), service creation (T1543.003), and service stop (T1489). A YARA rule detects the threat by matching PE imports, strings like “ntoskrnl.exe” and “NtAddAtom”, and IOCTL codes.

Indicators of Compromise (IoC)

The Ultimate SOC-as-a-Service Pricing Guide for 2025– Download for Free