Hackers Use Legitimate Drivers to Kill Antivirus Processes and Lower The System’s Defenses
In a sophisticated campaign first observed in October 2024, attackers have begun leveraging a legitimate driver to disable antivirus software across compromised networks.
By abusing the ThrottleStop.sys driver—originally designed by TechPowerUp to manage CPU throttling—the malware gains kernel‐level memory access to terminate security processes at will.
Initial access is most often achieved through stolen RDP credentials or brute‐forced administrative accounts, allowing the adversary to deploy the AV killer alongside ransomware payloads such as MedusaLocker.
Securelist analysts noted that once inside the network, threat actors extract additional user credentials with tools like Mimikatz and move laterally using Pass-the-Hash techniques via Invoke-WMIExec.ps1 or Invoke-SMBExec.ps1.
Following lateral movement, the attacker uploads two core artifacts—ThrottleBlood.sys (the renamed vulnerable driver) and All.exe (the AV killer)—to user directories such as C:\Users\Administrator\Music.
Windows Defender and other endpoint protection platforms initially contain the ransomware, but the AV killer swiftly terminates their processes, leaving systems defenseless.
The malware’s impact has been severe, particularly in industries with exposed RDP endpoints. Victims in Brazil, Ukraine, Kazakhstan, Belarus, and Russia have reported widespread encryption of critical data, with recovery efforts hampered by disabled defense mechanisms.
Securelist researchers identified that traditional self‐defense features in Kaspersky products—such as memory process protection and registry change monitoring—effectively counter this AV killer, but many organizations remain reliant on less resilient solutions.
Infection Mechanism via Vulnerable Driver
At the heart of this AV killer lies the exploitation of two vulnerable IOCTL functions in the ThrottleStop.sys driver, which permit arbitrary physical memory reads and writes.
After loading ThrottleBlood.sys through the Service Control Manager API, the malware invokes NtQuerySystemInformation with the SystemModuleInformation information class to enumerate loaded kernel modules and locate the base address of ntoskrnl.exe, from which it resolves the virtual address of NtAddAtom. Because the driver's primitives operate on physical rather than virtual memory, it then uses a SuperFetch-based translation library to convert that virtual address into a physical address before writing to it.
```c
#include <windows.h>

// Example IOCTL invocation to write kernel memory through the vulnerable driver.
// hDevice: handle to the driver's device object, opened earlier with CreateFileW.
// payload/payloadSize: the driver-specific request (target physical address plus
// the bytes to write); its exact layout is not reproduced in the write-up.
DWORD bytesReturned = 0;
BOOL ok = DeviceIoControl(hDevice,
                          0x8010002C,     // Vulnerable WRITE_IOCTL
                          &payload,       // input buffer
                          payloadSize,
                          NULL,           // no output buffer
                          0,
                          &bytesReturned,
                          NULL);          // synchronous call
```
Once the physical address is derived, All.exe writes a tiny shellcode stub over the start of NtAddAtom that jumps to an arbitrary kernel function such as PsTerminateProcess; calling NtAddAtom from user mode then executes that function in kernel context.
In a continuous loop, the malware enumerates processes with Process32FirstW and Process32NextW, matching each against a hardcoded list of antivirus executables ranging from MsMpEng.exe (Windows Defender) to ekrn.exe (ESET). Upon finding a match, it invokes PsLookupProcessByProcessId to obtain a pointer to the target's EPROCESS object and then calls PsTerminateProcess to kill the security process.
By restoring the original NtAddAtom bytes after each call, the AV killer keeps the kernel stable and leaves no lingering patch for kernel integrity checks to find.
This combination of legitimate driver abuse and kernel-level code patching underscores the urgent need for driver integrity monitoring and blocking of known-vulnerable drivers (for example, Microsoft's vulnerable driver blocklist enforced through WDAC or HVCI), alongside defense-in-depth measures such as strict RDP exposure policies, multi-factor authentication, and routine vulnerability scanning.
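The hunting script below is an added example and not code from the Securelist write-up or from this article. It looks for the two traces the infection chain above leaves on a host: a kernel driver registered through the Service Control Manager whose image sits in a user profile directory, and an image whose on-disk name differs from the OriginalFilename embedded in its PE version resource (a renamed legitimate driver such as ThrottleBlood.sys still carries its original name inside). It assumes it is run as Administrator on Windows PowerShell 5.1 or later; the $KnownBadSha256 list is an empty placeholder to be filled from your own intelligence, since the article publishes no hashes.

```powershell
# Added hunting script (not from the article or Securelist). Assumes: run as Administrator.
# $KnownBadSha256 is a placeholder; the article gives no hashes, fill it from your own intel.
$KnownBadSha256 = @()

function Resolve-DriverPath {
    param([string]$PathName)
    # Service image paths come in several shapes: "\??\C:\...", "\SystemRoot\System32\...",
    # "system32\drivers\x.sys" (relative to %SystemRoot%), or a plain absolute path.
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousKernelDrivers {
    $driversDir = Join-Path $env:SystemRoot 'System32\drivers'
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }

        $reasons = @()
        # 1. Kernel driver image living outside System32\drivers (e.g. a user's Music folder).
        if (-not $path.StartsWith($driversDir, [System.StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "image outside System32\drivers"
        }
        # 2. On-disk name differs from the OriginalFilename in the PE version resource:
        #    a renamed driver keeps the original name (e.g. ThrottleStop.sys) inside the file.
        $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
        $onDisk = [System.IO.Path]::GetFileName($path)
        if ($vi.OriginalFilename -and ($vi.OriginalFilename -ne $onDisk)) {
            $reasons += "renamed: OriginalFilename=$($vi.OriginalFilename), on disk=$onDisk"
        }
        # 3. Validly signed by a non-Microsoft publisher. BYOVD abuses exactly such drivers, so
        #    this is only a triage hint; WHQL-attested drivers show a Microsoft signer anyway.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $reasons += "third-party signer: $($sig.SignerCertificate.Subject)"
        }
        # 4. Exact hash match against the operator-supplied list.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $hashHit = $KnownBadSha256 -contains $hash
        if ($hashHit) { $reasons += "SHA-256 on blocklist" }

        # A single hint (most third-party drivers trip #3) is noise; two hints or a hash hit is worth a look.
        if ($hashHit -or $reasons.Count -ge 2) {
            [pscustomobject]@{
                Service = $_.Name
                State   = $_.State
                Path    = $path
                SHA256  = $hash
                Reasons = $reasons -join '; '
            }
        }
    }
}

function Get-DriverServiceInstallEvents {
    # System log event 7045 is written when the Service Control Manager registers a new
    # service, including a kernel driver, which is how the article says ThrottleBlood.sys is loaded.
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['ServiceType'] -match 'kernel mode driver' -and $data['ImagePath'] -match '\\Users\\') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Service   = $data['ServiceName']
                    ImagePath = $data['ImagePath']
                }
            }
        }
}

Get-SuspiciousKernelDrivers     | Format-Table -AutoSize
Get-DriverServiceInstallEvents  | Format-Table -AutoSize
```

Run it from an elevated prompt. The live check reports drivers currently registered with the SCM, so it catches a driver that was unloaded but whose service entry remains; the 7045 query covers the load event itself even if the attacker later deleted both the service and the file. Treat the non-Microsoft-signer hint as context only: the whole point of this technique is that the abused driver carries a valid signature.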