Key Points:
– A new malicious campaign has been discovered using an outdated Avast Anti-Rootkit driver to bypass security measures
– The malware, known as an AV Killer variant, targets 142 different security processes from major vendors
Technical Details:
– Attack Method:
* Drops a vulnerable driver (ntfs.bin) in the Windows user folder
* Creates service ‘aswArPot.sys’
* Uses kernel-level access to terminate security processes
* Targets major security vendors including McAfee, Symantec, Microsoft Defender, and others
Historical Context:
– Similar attacks were observed in:
* Early 2022 (AvosLocker ransomware)
* December 2021 (Cuba ransomware)
– Two high-severity flaws in the driver (CVE-2022-26522 and CVE-2022-26523) were discovered by SentinelLabs
Protection Measures:
– Use signature- or hash-based rules to block known vulnerable drivers from loading
– Enable Microsoft’s vulnerable driver blocklist policy
– Windows 11 2022 includes built-in protection by default
– Latest protection available through App Control for Business
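The following PowerShell script is an added example written for this summary; it is not code from the article or from any of the vendors named above. It audits a host for the attack pattern described under Attack Method (a kernel driver service whose image is dropped under a user profile, or that matches the reported aswArPot.sys / ntfs.bin names) and checks the protection measures listed above (vulnerable driver blocklist, HVCI). The hash list is a constructed placeholder, and the registry value used for the blocklist toggle and the Win32_DeviceGuard class are assumptions about the platform, not facts taken from the article. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original article). Audits a Windows host for
# BYOVD-style driver abuse of the kind described above and reports the state
# of the Microsoft vulnerable driver blocklist. Requires administrator rights.

# Placeholder list (constructed, NOT real indicators): replace with SHA-256
# values from your own threat intelligence or the Microsoft blocklist.
$KnownVulnerableDriverHashes = @(
    'PLACEHOLDER_SHA256_OF_VULNERABLE_DRIVER'
)

function Resolve-DriverImagePath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName may carry \??\ or \SystemRoot\ prefixes,
    # or be relative to the Windows directory; normalise to a plain path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousDriverServices {
    # Returns kernel driver services that load from outside the standard
    # driver directories, from a user profile, or that match the service and
    # file names reported for this campaign, with the image hash if present.
    $userRoot = [regex]::Escape("$env:SystemDrive\Users\")
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        if (-not $_.PathName) { return }
        $image   = Resolve-DriverImagePath $_.PathName
        $reasons = @()

        if ($image -match "^$userRoot") {
            $reasons += 'driver image under a user profile'
        }
        if ($image -notmatch '\\System32\\drivers\\' -and $image -notmatch '\\DriverStore\\') {
            $reasons += 'driver image outside standard driver directories'
        }
        if ($_.Name -match '^aswArPot' -or $image -match '\\(aswArPot\.sys|ntfs\.bin)$') {
            $reasons += 'name matches artifact reported for this campaign'
        }

        $hash = $null
        if (Test-Path -LiteralPath $image) {
            $hash = (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash
            if ($KnownVulnerableDriverHashes -contains $hash) {
                $reasons += 'hash on vulnerable driver list'
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service = $_.Name
                State   = $_.State
                Image   = $image
                SHA256  = $hash
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

function Test-VulnerableDriverBlocklist {
    # Assumption: the blocklist toggle is exposed as this DWORD (1 = enabled).
    # Windows 11 2022 and later enable it by default; older builds may not.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable `
            -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    # SecurityServicesRunning contains 2 when hypervisor-protected code
    # integrity (HVCI) is active; assumption about the Win32_DeviceGuard class.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
            -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BlocklistEnabled = ($val -eq 1)
        HvciRunning      = ($null -ne $dg -and $dg.SecurityServicesRunning -contains 2)
    }
}

Get-SuspiciousDriverServices | Format-Table -AutoSize
Test-VulnerableDriverBlocklist
```

The path heuristics are deliberately broad: some legitimate third-party drivers do load from Program Files, so treat "outside standard driver directories" as a triage prompt rather than a verdict, and rely on the hash match and the user-profile location as the stronger signals. If BlocklistEnabled comes back false on a build older than Windows 11 2022, that is the setting the Protection Measures above tell you to turn on.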
This attack highlights the growing trend of malware using legitimate but vulnerable drivers to compromise system security.