Researchers Uncover Malware Utilizing BYOVD to Bypass Antivirus Protections



Nov 25, 2024 | Ravie Lakshmanan | Malware / Windows Security


Cybersecurity researchers have uncovered a new malicious campaign that leverages a technique known as Bring Your Own Vulnerable Driver (BYOVD) to disarm security protections and ultimately gain control of the infected system.

"This malware takes a more sinister route: it drops a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and manipulates it to carry out its destructive agenda," Trellix security researcher Trishaan Kalra said in an analysis published last week.

"The malware exploits the deep access provided by the driver to terminate security processes, disable protective software, and seize control of the infected system."

The starting point of the attack is an executable file (kill-floor.exe) that drops the legitimate Avast Anti-Rootkit driver, which is subsequently registered as a service using Service Control (sc.exe) so that it can be loaded into the kernel and used for the malware's purposes.


Once the driver is up and running, the malware gains kernel-level access to the system, allowing it to terminate a total of 142 processes, including those belonging to security software, that could otherwise raise an alarm.

This is accomplished by taking snapshots of the actively running processes on the system and checking their names against a hard-coded list of processes to kill.

"Since kernel-mode drivers can override user-mode processes, the Avast driver is able to terminate processes at the kernel level, effortlessly bypassing the tamper protection mechanisms of most antivirus and EDR solutions," Kalra said.
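The chain described above (a dropper writes a signed but abusable driver to disk, registers it as a kernel service with sc.exe, and the driver then loads) is visible in standard endpoint telemetry. The following is an added example from a defender's perspective, not code from Trellix or from the article: it runs three detection rules over constructed Sysmon-style log lines (Event ID 1 ProcessCreate and Event ID 6 DriverLoad, flattened to one `Key=Value` record per line) and correlates the `sc create ... type= kernel` command with the subsequent driver load. The file paths, service name and log lines are constructed sample data, and the SHA-256 value is a placeholder, not a real indicator; in practice that set would be populated from the Microsoft recommended driver block rules or your own intelligence.

```python
"""Detect a BYOVD install chain in flattened Sysmon-style log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Driver file name named in the Trellix analysis as abused by this campaign.
KNOWN_ABUSED_DRIVERS = {"aswarpot.sys"}
# Placeholder, NOT a real hash: fill from the Microsoft driver blocklist / threat intel.
BLOCKLISTED_SHA256 = {"placeholder_sha256_from_driver_blocklist"}
# Locations a legitimately installed driver should never be loaded from.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Matches: sc[.exe] create <svc> ... type= kernel ... binPath= <path>
SC_KERNEL_RE = re.compile(
    r'\bsc(?:\.exe)?\s+create\s+(?P<svc>\S+).*?\btype=\s*kernel\b.*?\bbinpath=\s*(?P<path>\S+)',
    re.IGNORECASE,
)


@dataclass
class Alert:
    rule: str
    detail: str


def parse_line(line: str) -> Dict[str, str]:
    """Flatten 'Key=Value Key="quoted value"' into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def sha256_of(event: Dict[str, str]) -> str:
    """Pull the SHA256 component out of a Sysmon 'Hashes=SHA256=...,MD5=...' field."""
    for part in event.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return ""


def analyze(lines: List[str]) -> List[Alert]:
    """Apply the BYOVD rules; correlates sc.exe kernel-service creation with the later load."""
    alerts: List[Alert] = []
    pending: Dict[str, str] = {}  # lower-cased binPath -> service name seen in sc create
    for line in lines:
        ev = parse_line(line)
        eid = ev.get("EventID")
        if eid == "1":  # ProcessCreate
            m = SC_KERNEL_RE.search(ev.get("CommandLine", ""))
            if m:
                path = m.group("path").lower()
                pending[path] = m.group("svc")
                alerts.append(Alert("kernel_service_via_sc",
                    f"sc.exe registered kernel service {m.group('svc')} for {path} "
                    f"(parent {ev.get('ParentImage', '?')})"))
        elif eid == "6":  # DriverLoad
            path = ev.get("ImageLoaded", "").lower()
            name = path.rsplit("\\", 1)[-1]
            if name in KNOWN_ABUSED_DRIVERS or sha256_of(ev) in BLOCKLISTED_SHA256:
                alerts.append(Alert("known_abused_driver_loaded", f"loaded {path}"))
            # A valid signature is exactly what BYOVD relies on, so signature alone is no comfort;
            # a signed driver loading from a user-writable directory is the anomaly.
            if ev.get("Signed", "").lower() == "true" and path.startswith(USER_WRITABLE_PREFIXES):
                alerts.append(Alert("signed_driver_from_user_path", f"loaded {path}"))
            if path in pending:
                alerts.append(Alert("byovd_chain",
                    f"service {pending[path]} created via sc.exe then driver {path} loaded"))
    return alerts


# Constructed sample telemetry (not real logs): dropper -> sc create -> sc start -> driver load.
SAMPLE_LOG = [
    r'EventID=1 Image=C:\Users\Public\kill-floor.exe ParentImage=C:\Windows\explorer.exe CommandLine="kill-floor.exe"',
    r'EventID=1 Image=C:\Windows\System32\sc.exe ParentImage=C:\Users\Public\kill-floor.exe CommandLine="sc create aswArPot type= kernel binPath= C:\Users\Public\aswArPot.sys"',
    r'EventID=1 Image=C:\Windows\System32\sc.exe ParentImage=C:\Users\Public\kill-floor.exe CommandLine="sc start aswArPot"',
    r'EventID=6 ImageLoaded=C:\Users\Public\aswArPot.sys Hashes=SHA256=placeholder_sha256_from_driver_blocklist Signed=true SignatureStatus=Valid',
    r'EventID=6 ImageLoaded=C:\Windows\System32\drivers\tcpip.sys Hashes=SHA256=0000 Signed=true SignatureStatus=Valid',
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.rule}] {a.detail}")
```

On the sample data the benign tcpip.sys load produces nothing, while the constructed chain fires all three driver rules plus the sc.exe rule. The path-based rule is the one worth keeping even when the blocklist is current: the driver in this campaign is validly signed, so any rule that trusts the signature alone would pass it.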

The exact initial access vector used to drop the malware is currently not clear. It's also not known how widespread these attacks are and who the targets are.

That said, BYOVD attacks have become an increasingly popular method adopted by threat actors to deploy ransomware in recent years, as they reuse signed but flawed drivers to bypass security controls.

Earlier this May, Elastic Security Labs revealed details of a GHOSTENGINE malware campaign that took advantage of the same Avast driver to turn off security processes.
