Researchers Uncover Malware Using BYOVD to Bypass Antivirus Protections
Summary:
Trellix researchers have discovered a new threat campaign that leverages the Bring Your Own Vulnerable Driver (BYOVD) technique to disarm security protections and perform operations on the infected system. The notable aspect of this campaign is the attacker’s use of a legitimate Avast Anti-Rootkit driver to carry out the attack. The malware leverages the deep access provided by the driver to terminate security processes and disable anti-virus software, allowing the threat actor to seize control of the system. The malware’s (kill-floor.exe) infection chain begins by dropping a legitimate Avast Anti-Rootkit driver (aswArPot.sys). Instead of using a custom driver to perform its malicious activities, the malware uses a trusted, signed kernel driver, allowing it to avoid being flagged as malicious as it prepares to undermine system defenses. With the driver installed, the malware achieves kernel-level access and terminates critical security processes to gain control. To terminate any security processes detrimental to the attack’s success, the malware takes a snapshot of the system’s active processes, retrieves the process information, and compares each process name against a hardcoded list. The adversary then employs the Avast kernel-mode driver to terminate the matching user-mode processes and gain control of the victim’s machine.
Security Officer Comments:
The use of legitimate drivers in this campaign highlights a growing trend in the abuse of legitimate software and services to perpetrate cybercriminal attacks. The attacker’s corruption of the kernel-mode driver capitalizes on the reputation of, and trust in, drivers that are designed to protect the system, potentially assisting in achieving initial access. An adversary weaponizing kernel privileges is a pressing concern for defenders, as those privileges provide unrestricted access to critical parts of the OS. The defense evasion capabilities of this attack may indicate that the adversary acts as an initial access broker in the cybercriminal ecosystem. The ability to tamper with the protection mechanisms of the majority of antivirus and EDR solutions underscores the need for heightened vigilance over kernel-mode activity. Proactively deploying rules to identify and block specific vulnerable driver hashes can help prevent similar intrusions.
Suggested Corrections:
IOCs and MITRE ATT&CK Techniques are available here.
Trellix Recommendations for Preventing Driver-based Attacks:
A key method to safeguard systems from attacks leveraging vulnerable drivers, such as the Avast Anti-Rootkit driver, is the use of BYOVD (Bring Your Own Vulnerable Driver) protection mechanisms. BYOVD attacks exploit legitimate but vulnerable drivers to gain kernel-level access, allowing malware to bypass security software and terminate critical processes. To counter this, expert rules can be deployed to identify and block specific vulnerable drivers based on their unique signatures or hashes. For example, by utilizing the BYOVD expert rule below, which detects and prevents the execution of compromised drivers, organizations can prevent malware from using these drivers to establish persistence, elevate privileges, or disable security measures. Integrating this rule into an endpoint detection and response (EDR) or antivirus solution ensures that even legitimate drivers with vulnerabilities are effectively blocked, adding a crucial layer of protection against advanced driver-based attacks.
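As an added illustration of the hash-based blocking described above (this is example code, not the Trellix expert rule and not part of the original write-ups), the script below enumerates the kernel drivers currently running on a Windows host, computes their SHA-256 hashes, and reports any that match a blocklist or that carry a driver file name named in the report. The blocklist hash is a placeholder; the real values for the vulnerable aswArPot.sys builds come from the vendor IOC list, not from this page.

```powershell
# Added example (not from the Trellix or THN write-ups): hash-based blocklist check
# of loaded kernel drivers plus a name watch list for drivers known to be abused.
# Blocklist hashes are PLACEHOLDERS; replace them with vendor-published SHA-256 values.
$BlockedDriverHashes = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'PLACEHOLDER: vulnerable aswArPot.sys build'
}
# Driver file names named in the report; any loaded copy is surfaced for analyst review.
$WatchedDriverNames = @('aswArPot.sys')

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports paths in several forms; normalise to a filesystem path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^(?i)system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspectKernelDrivers {
    $findings = @()
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
    foreach ($d in $drivers) {
        if (-not $d.PathName) { continue }
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $reasons = @()
        if ($BlockedDriverHashes.ContainsKey($hash)) {
            $reasons += "blocklisted hash ($($BlockedDriverHashes[$hash]))"
        }
        $leaf = Split-Path -Leaf $path
        if ($WatchedDriverNames -contains $leaf) {
            $reasons += "watched driver name loaded from $path"
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Service = $d.Name; Path = $path; SHA256 = $hash; Reason = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

# Run from an elevated prompt; an empty table means no blocklisted or watched driver is loaded.
Get-SuspectKernelDrivers | Format-Table -AutoSize
```

This is a point-in-time check for triage; for fleet-wide prevention the same hashes belong in the EDR driver block rule or in a WDAC policy alongside Microsoft's recommended driver block rules, which block at load time rather than after the fact.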
Link(s):
https://thehackernews.com/2024/11/researchers-uncover-malware-using-byovd.html
https://www.trellix.com/blogs/research/when-guardians-become-predators-how-malware-corrupts-the-protectors/