November 28, 2024
By Cybervergent Team

Driver’s License to Kill: Malware Hijacks Avast Anti-Rootkit for Kernel-Level Carnage

What happens when the bodyguard becomes the assassin? In a chilling twist, a new malware campaign flips the script, hijacking Avast’s trusted Anti-Rootkit driver (aswArPot.sys) to wreak havoc. This Bring Your Own Vulnerable Driver (BYOVD) attack takes kernel-level access to new lows—disabling security software, eliminating antivirus processes, and putting your system in a stranglehold.

This isn’t just a malware attack; it’s a high-stakes heist where the trusted becomes treacherous. Read on as we break down the dirty deeds and arm you with the tools to fight back.

The Killer Chain Reaction

It starts innocently enough—or so it seems. The malware (kill-floor.exe)sneaks in, dropping a legitimate Avast driver (aswArPot.sys) disguised as ntfs.bin in: C:\Users\Default\AppData\Local\Microsoft\Windows.

Here’s how it unravels:

  1. Step One: Build the Weapon
       
    • Using sc.exe, the malware creates a service to load the Avast driver.
      •  
    • Boom: it now has full kernel-level access.
    2.  
  2. Step Two: Name, Shame, and Slay
       
    • With 142 hardcoded targets on its kill list, the malware hunts down security processes like a methodical assassin.
      •  
    • It snaps a photo of every running process, then compares it to its hit list.
    3.  
  3. Step Three: Execute     the Kill Order
       
    • Using the DeviceIoControl API, the malware whispers an IOCTL code (0x9988c094) to the driver.
      •  
    • Kernel-level      functions like ZwTerminateProcess do the dirty work, terminating security software and leaving the system defenseless.

How to Stay One Step Ahead

Bring Your Own Vulnerable Driver attacks are as sneaky as they are devastating. Here’s how to flip the script:

  1. Deploy BYOVD Bouncers Use expert rules to block sketchy drivers
  2. Upgrade Your Driver Club Standards
       
    • Enforce strict driver signature policies. If it’s not signed and sealed, it’s not running.
      •  
    • Regularly patch and update drivers to close known loopholes.
    3.  
  3. Kernel Armor: Harden the Core
       
    • Monitor kernel-level activities with behavioral analytics tools.
      •  
    • Use zero-trust principles to limit driver permissions to “just enough.”
    4.  
  4. Watch the Usual  Suspect Directories

The directory C:\Users\Default\AppData\Local\Microsoft\Windows is the malware’s hideout. Keep an eye on it like your life depends on it—because it might.

Tags
#
RANSOMEWARE
#
CyberThreat
#
cybercrime
#
cyberextortion

Related articles

November 28, 2024
Elevating Security: Implementing Privileged Access Management (PAM)

by Cybervergent Team

November 28, 2024
Driver’s License to Kill: Malware Hijacks Avast Anti-Rootkit for Kernel-Level Carnage

by Cybervergent Team

November 28, 2024
Operation Serengeti—A Unified Stand Against African Cybercrime

by Cybervergent Team

Nigeria
212/214 Herbert Macaulay Way, Yaba, Lagos, Nigeria
Ghana
39 Kofi Annan Street, Airport Residential Area, Accra Ghana
USA
4320 Stevens Creek Boulevard Ste 175 San Jose CA 95129 United States
Nigeria Address
Ghana Address
US Address
English

Company

Resources

Platform

Solutions

Privacy PolicyQuality PolicyInfosec PolicyEmail PolicyTerms of UseDisclaimerCookies
© Copyright 2024. All rights reserved