Ethical Hacking News
Summary: Hackers have discovered a new attack that exploits an old, vulnerable version of the Avast Anti-Rootkit driver. Using the bring-your-own-vulnerable-driver (BYOVD) approach, the attack disables security components on targeted systems, allowing malware to take control. The campaign drops the legitimate but outdated driver onto Windows systems, creates a service to register it, and then uses the 'DeviceIoControl' API to send the driver the commands that terminate security processes. Users are advised to protect their systems with rules that identify and block components by signature or hash. Regular updates, patches, and monitoring remain crucial in protecting against attacks of this kind.
Hackers have recently discovered a new attack that leverages the bring-your-own-vulnerable-driver (BYOVD) approach by exploiting an old and vulnerable version of the Avast Anti-Rootkit driver. This malicious campaign uses the legitimate but outdated anti-rootkit driver to disable security components on targeted systems, allowing the malware to take control of the system.
According to cybersecurity researchers at Trellix, the attack begins with a piece of malware named kill-floor.exe, which drops the vulnerable driver under the file name ntfs.bin in the default Windows user folder. The malware then creates a service named aswArPot.sys with the Service Control utility (sc.exe) and registers the driver through it.
The malware carries a hardcoded list of 142 process names associated with security tools, including those from McAfee, Symantec (Broadcom), Sophos, Avast, Trend Micro, Microsoft Defender, SentinelOne, ESET, and BlackBerry, and compares it against repeated snapshots of the processes running on the system. When it finds a match, it opens a handle to the installed Avast driver and uses the 'DeviceIoControl' API to issue the IOCTL commands that make the driver terminate the matching process.
This attack chain is similar to one observed in early 2022 by researchers at Trend Micro while investigating an AvosLocker ransomware attack. In December 2021, Stroz Friedberg's Incident Response Services team found that Cuba ransomware used a script that abused a function in Avast's Anti-Rootkit kernel driver to kill security solutions on victims' systems.
It is essential for users to protect their systems against such attacks with rules that identify and block components based on their signatures or hashes. Microsoft also offers mitigations, such as the vulnerable driver blocklist policy file, which is updated with every major Windows release.
Starting with the Windows 11 2022 Update, this list is active by default on all devices. The latest version of the list can be obtained through App Control for Business.
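The two defensive measures the article names, blocking driver files by hash and spotting the service registration step described above (a driver dropped into a user folder under a non-.sys name and registered as a kernel service), can be exercised against telemetry. The following Python script is an added example for this page, not code from Trellix or from the article: the blocklist hash, the driver bytes, the directory contents and the flattened Event ID 7045 ("A service was installed in the system") log lines are all constructed here, and the scoring thresholds are the author's assumptions, not a vendor rule set.

```python
"""Added example: hash-based driver blocklisting plus scoring of service-install
events for the BYOVD pattern described in the article. All hashes, paths and
log lines below are constructed for illustration, not real telemetry."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Constructed blocklist entry. A real deployment would load SHA-256 digests from
# Microsoft's vulnerable driver blocklist or a vendor feed instead of hashing
# sample bytes at import time.
SAMPLE_VULNERABLE_DRIVER_BYTES = b"MZ\x90\x00constructed-sample-vulnerable-driver"
VULNERABLE_DRIVER_HASHES = {
    hashlib.sha256(SAMPLE_VULNERABLE_DRIVER_BYTES).hexdigest(): "aswArPot.sys (constructed sample)",
}

# Service names that legitimate software registers and that this campaign reuses.
# Name reuse alone is weak evidence, so it is scored rather than blocked outright.
SUSPICIOUS_SERVICE_NAMES = {"aswarpot.sys", "aswarpot"}

# Flattened Event ID 7045 line layout assumed by this example (constructed format).
SERVICE_INSTALL_RE = re.compile(
    r"EventID=(?P<eid>\d+)\s+ServiceName=(?P<name>\S+)\s+"
    r"ImagePath=(?P<path>.+?)\s+ServiceType=(?P<type>.+)$"
)
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large drivers are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_driver_files(directory: Path) -> List[Dict]:
    """Hash every regular file in a directory and report blocklist matches."""
    findings = []
    for candidate in sorted(directory.iterdir()):
        if not candidate.is_file():
            continue
        digest = sha256_file(candidate)
        label = VULNERABLE_DRIVER_HASHES.get(digest)
        if label:
            findings.append({"file": str(candidate), "sha256": digest, "matches": label})
    return findings


def analyze_service_event(line: str) -> Optional[Dict]:
    """Score one service-install line; None if it is not a kernel-driver install."""
    match = SERVICE_INSTALL_RE.search(line)
    if not match or match.group("eid") != "7045":
        return None
    if "kernel" not in match.group("type").lower():
        return None
    image = match.group("path").strip().strip('"')
    name = match.group("name")
    indicators = []
    if USER_PROFILE_RE.match(image):
        indicators.append("driver image under a user profile directory")
    if not image.lower().endswith(".sys"):
        indicators.append("driver image without .sys extension")
    if name.lower() in SUSPICIOUS_SERVICE_NAMES:
        indicators.append("service name reuses a known-abused driver name")
    return {"service": name, "image": image, "indicators": indicators, "score": len(indicators)}


def find_suspicious_installs(lines: List[str], threshold: int = 2) -> List[Dict]:
    """Return kernel-driver installs whose indicator count reaches the threshold."""
    return [r for r in (analyze_service_event(l) for l in lines) if r and r["score"] >= threshold]


def demo_scan() -> List[Dict]:
    """Write the constructed driver bytes into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "ntfs.bin").write_bytes(SAMPLE_VULNERABLE_DRIVER_BYTES)
        (folder / "benign.sys").write_bytes(b"MZ\x90\x00constructed-benign-driver")
        return scan_driver_files(folder)


# Constructed log lines in the flattened layout above; "alice", "bob" and
# ExampleMiniFilter are placeholders.
SAMPLE_LOG_LINES = [
    "EventID=7045 ServiceName=aswArPot.sys ImagePath=C:\\Users\\alice\\ntfs.bin ServiceType=kernel mode driver",
    "EventID=7045 ServiceName=ExampleMiniFilter ImagePath=C:\\Windows\\System32\\drivers\\examplefilter.sys ServiceType=kernel mode driver",
    "EventID=7045 ServiceName=UpdateSvc ImagePath=C:\\Users\\bob\\update.exe ServiceType=user mode service",
    "EventID=7036 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe ServiceType=user mode service",
]

if __name__ == "__main__":
    for hit in find_suspicious_installs(SAMPLE_LOG_LINES):
        print(f"suspicious install: {hit['service']} -> {hit['image']} ({'; '.join(hit['indicators'])})")
    for finding in demo_scan():
        print(f"blocklisted driver: {finding['file']} matches {finding['matches']}")
```

The hash check is the enforcement half: it is what a blocklist rule does, and it only fires on an exact known-bad build. The event scoring is the detection half and catches the behaviour even when the dropped driver is a build not yet on any list, which is why it looks at where the image lives and how it is named rather than at what it is.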
The use of outdated or unpatched software by users and organizations can lead to various security vulnerabilities that hackers exploit to gain unauthorized access to systems.
As such, regular updates, patches, and monitoring are crucial in protecting against these types of attacks.
Published: Sat Nov 23 15:09:31 2024 by llama3.2 3B Q4_K_M