Dangerous New Malware Hijacks Legitimate Antivirus Drivers to Evade Detection

A New Cybersecurity Threat Using Legitimate Drivers

Security researchers at Trellix have identified a malware sample that uses the Bring Your Own Vulnerable Driver (BYOVD) technique. The approach is dangerous precisely because nothing in the driver itself is malicious: it is a legitimate, validly signed vendor component that Windows will load like any other, and the attacker abuses the functionality it exposes rather than exploiting a flaw in the operating system.

Key Points:
– The malware ships a legitimate, signed Avast Anti-Rootkit driver (aswArPot.sys); the driver is not how the attacker gets in, but how the attacker escalates to kernel privileges and disables defenses once already running on the host
– The attack begins with an executable file (kill-floor.exe) that drops the driver and loads it into the kernel by registering it as a service
– Because the driver executes in kernel mode, the malware can use it to:
* Terminate any of 142 hard-coded security-related processes (antivirus and EDR agents)
* Leave the host without its protective software
* Act on the infected system without being observed or stopped

Technical Impact:
The attack works because the relevant security boundary is privilege, not intent. A kernel-mode driver runs at a higher privilege level than any user-mode process, including antivirus and EDR (Endpoint Detection and Response) agents, and the protections that normally stop one user-mode process from killing a protected security process (such as Protected Process Light) do not constrain code executing in the kernel. Once the malware can ask the driver to terminate a process on its behalf, it can kill the defenders before they react, which effectively bypasses most endpoint protection. For defenders, the practical caveat is that a valid code signature on a loaded driver says nothing about how it is being used; what matters is which driver version is loaded, from where, and what happens immediately afterwards.
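The chain described above leaves a recognisable trail in ordinary endpoint telemetry. The following detector is an added example written for this article, not Trellix's tooling and not code from the sample: it replays constructed Sysmon-style events (Event ID 6 DriverLoad, Event ID 5 ProcessTerminate) and a System-log service-install record (Event ID 7045) through three checks: a known-vulnerable driver registered as a service, that driver loading from a directory where its vendor would never place it, and a burst of security-agent process terminations shortly after. The file paths, timestamps, agent process names and expected driver directories are assumptions made for the example; only aswArPot.sys and kill-floor.exe come from the article.

```python
"""Added detection example for the BYOVD chain in the article (constructed telemetry,
not Trellix's tooling and not the malware's code)."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Driver file names known to expose a process-kill primitive. aswArPot.sys is the
# one the article names; in production this set would be fed from a vulnerable-
# driver list such as Microsoft's recommended driver block rules.
KNOWN_VULNERABLE_DRIVERS = {"aswarpot.sys"}

# Where a vendor-installed copy of such a driver is expected to live.
# Assumed locations for this example, not taken from the article.
EXPECTED_DRIVER_DIRS = (
    "c:\\program files\\avast software\\",
    "c:\\windows\\system32\\drivers\\",
)

# Constructed subset of security-agent process names; the real sample's kill
# list holds 142 entries.
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "sentinelagent.exe", "csfalconservice.exe"}

KILL_BURST_THRESHOLD = 3                   # agent terminations ...
KILL_BURST_WINDOW = timedelta(seconds=60)  # ... inside this window = burst

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"ts": "2024-11-20T10:00:00", "id": 1, "image": r"C:\Users\victim\Downloads\kill-floor.exe"},
    {"ts": "2024-11-20T10:00:02", "id": 7045, "service": "aswArPot.sys",
     "image": r"C:\Users\victim\AppData\Local\Temp\aswArPot.sys"},
    {"ts": "2024-11-20T10:00:03", "id": 6, "signed": True,
     "image": r"C:\Users\victim\AppData\Local\Temp\aswArPot.sys"},
    {"ts": "2024-11-20T10:00:05", "id": 5, "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
    {"ts": "2024-11-20T10:00:05", "id": 5, "image": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    {"ts": "2024-11-20T10:00:06", "id": 5, "image": r"C:\Program Files\SentinelOne\SentinelAgent.exe"},
    # Benign noise: a vendor-installed copy of the same signed driver, and an ordinary exit.
    {"ts": "2024-11-20T09:00:00", "id": 6, "signed": True,
     "image": r"C:\Program Files\Avast Software\Avast\aswArPot.sys"},
    {"ts": "2024-11-20T10:30:00", "id": 5, "image": r"C:\Windows\System32\notepad.exe"},
]


def _name(path):
    return PureWindowsPath(path).name.lower()


def _in_expected_dir(path):
    return path.lower().startswith(EXPECTED_DRIVER_DIRS)


def vulnerable_driver_findings(events):
    """Flag service registration (7045) and kernel load (6) of a known-vulnerable
    driver from a location outside its vendor's install path. A valid signature
    is expected on these drivers and is deliberately not treated as exculpatory."""
    findings = []
    for e in events:
        if e["id"] not in (6, 7045) or _name(e["image"]) not in KNOWN_VULNERABLE_DRIVERS:
            continue
        if _in_expected_dir(e["image"]):
            continue  # vendor-installed copy; not suspicious on its own
        kind = "service_install" if e["id"] == 7045 else "driver_load"
        findings.append({"rule": f"vulnerable_driver_{kind}", "ts": e["ts"], "image": e["image"]})
    return findings


def kill_burst_findings(events):
    """Flag KILL_BURST_THRESHOLD or more security-agent terminations inside
    KILL_BURST_WINDOW. Sysmon's ProcessTerminate does not record who did the
    killing, so the burst itself is the signal. Fires when a window first reaches
    the threshold."""
    kills = sorted(((datetime.fromisoformat(e["ts"]), e["image"]) for e in events
                    if e["id"] == 5 and _name(e["image"]) in SECURITY_PROCESSES),
                   key=lambda k: k[0])
    findings, start = [], 0
    for end in range(len(kills)):
        while kills[end][0] - kills[start][0] > KILL_BURST_WINDOW:
            start += 1
        if end - start + 1 == KILL_BURST_THRESHOLD:
            findings.append({"rule": "security_process_kill_burst",
                             "ts": kills[start][0].isoformat(),
                             "victims": [_name(p) for _, p in kills[start:end + 1]]})
    return findings


def correlate(events):
    """Raise a kill burst to critical when a vulnerable driver was loaded from an
    unexpected path within KILL_BURST_WINDOW before it; otherwise leave it medium."""
    drivers = vulnerable_driver_findings(events)
    bursts = kill_burst_findings(events)
    loads = [datetime.fromisoformat(f["ts"]) for f in drivers if f["rule"] == "vulnerable_driver_driver_load"]
    for b in bursts:
        t = datetime.fromisoformat(b["ts"])
        b["severity"] = "critical" if any(timedelta(0) <= t - l <= KILL_BURST_WINDOW for l in loads) else "medium"
    return drivers + bursts


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The path check, not the signature check, is what separates the two aswArPot.sys loads in the sample: both are validly signed, and only the copy loaded from a user-writable directory is flagged. In a real deployment the driver list would be keyed on file hashes rather than names, since an attacker can rename the file but not change the hash that a block rule matches on.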

Current Status:
– The initial infection method remains unknown
– The scale and specific targets of these attacks are yet to be determined
– BYOVD attacks are becoming increasingly common in ransomware operations, where disabling the EDR agent before encryption begins is a standard step

This discovery follows a similar attack pattern identified by Elastic Security Labs in May, which also used the Avast driver to disable security processes.

The finding highlights the growing trend of cybercriminals using legitimate drivers as attack vectors. Because the driver is signed and will load on a default Windows installation, the defensive measures that matter are ones that address the driver itself: blocking known vulnerable driver versions, alerting when a signed driver is loaded from an unusual path, and treating mass termination of security processes as an incident rather than noise.