Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Malware Abuses Flawed Avast Anti-Rootkit Driver: A Sophisticated Threat to Global Cybersecurity



Threat actors have recently employed a sophisticated method of compromising systems by abusing a flawed Avast Anti-Rootkit driver. This malicious campaign has garnered significant attention from cybersecurity experts and researchers, who are now sounding the alarm about the potential risks this poses to global cybersecurity. Organizations should implement BYOVD protections and expert rules to detect and block vulnerable drivers based on their unique signatures or hashes to prevent such attacks.

  • Threat actors exploited a flawed Avast Anti-Rootkit driver to compromise systems.
  • The attack involves downloading malware-infected software or executing infected files, resulting in kernel-level access and system control.
  • The malicious payload targets multiple security products, including Avast, ESET, McAfee, Microsoft Defender, SentinelOne, Sophos, and Trend Micro.
  • Cybersecurity experts recommend implementing BYOVD (Bring Your Own Vulnerable Driver) protections to prevent such attacks.
  • Organizations should deploy expert rules to detect and block vulnerable drivers based on their unique signatures or hashes.
  • The report includes Indicators of Compromise (IoCs) for this campaign to help organizations monitor potential threats.




The threat actor in question abuses a vulnerable Avast Anti-Rootkit driver (aswArPot.sys). The attack starts when an unsuspecting user downloads software or executes an infected file, infecting the system with malware; the malware then drops the legitimate kernel driver as "ntfs.bin" in the 'C:\Users\Default\AppData\Local\Microsoft\Windows' directory.

The malicious payload then uses Service Control (sc.exe) to create a service named "aswArPot.sys" that registers the driver for further actions. With this, the malware gains kernel-level access to the system and can terminate critical security processes and take control of the machine.
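As an added illustration, not code from the article or its sources, the routine below applies the chain described above to constructed Sysmon-style events: a driver-like file written into a user profile, sc.exe registering a kernel service whose binPath points there, and a driver load that either matches a hash blocklist or comes from a profile path. The event layout, the sc.exe command line and the hash values are assumptions and labelled placeholders, not real indicators.

```python
import re

# Constructed Sysmon-style events (not real telemetry) modelling the chain the
# article describes: driver dropped as ntfs.bin into the Default profile,
# registered with sc.exe, then loaded. Event ids: 11 file create, 1 process
# create, 6 driver load. Hash values are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Temp\installer.exe",
     "target": r"C:\Users\Default\AppData\Local\Microsoft\Windows\ntfs.bin"},
    {"id": 1, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": 'sc.exe create aswArPot.sys type= kernel '
                r'binPath= "C:\Users\Default\AppData\Local\Microsoft\Windows\ntfs.bin"'},
    {"id": 6, "image": r"C:\Users\Default\AppData\Local\Microsoft\Windows\ntfs.bin",
     "sha256": "PLACEHOLDER-HASH-OF-VULNERABLE-ASWARPOT"},
    {"id": 6, "image": r"C:\Windows\System32\drivers\ntfs.sys",
     "sha256": "PLACEHOLDER-HASH-OF-GENUINE-NTFS-SYS"},
]

# Assumed blocklist: in practice populate it from the vendor IoC list or the
# Microsoft vulnerable-driver blocklist; the value here is a placeholder.
BLOCKED_DRIVER_HASHES = {"PLACEHOLDER-HASH-OF-VULNERABLE-ASWARPOT"}

PROFILE_PATH = re.compile(r"^[a-z]:\\users\\", re.I)   # any user profile, Default included
BINPATH = re.compile(r'binpath=\s*"?([^"\s]+)', re.I)  # value of sc.exe's binPath= argument


def detect(events, blocked_hashes=BLOCKED_DRIVER_HASHES):
    """Return (rule, detail) pairs for events that match the BYOVD chain."""
    hits = []
    for ev in events:
        if ev["id"] == 11 and PROFILE_PATH.match(ev["target"]) \
                and ev["target"].lower().endswith((".bin", ".sys")):
            hits.append(("driver-like file written to user profile", ev["target"]))
        elif ev["id"] == 1 and ev["image"].lower().endswith("sc.exe"):
            cmd = ev["cmdline"].lower()
            m = BINPATH.search(ev["cmdline"])
            if "create" in cmd and "type= kernel" in cmd and m and PROFILE_PATH.match(m.group(1)):
                hits.append(("kernel service registered from user profile", m.group(1)))
        elif ev["id"] == 6:
            if ev["sha256"] in blocked_hashes:
                hits.append(("blocked vulnerable driver hash", ev["image"]))
            elif PROFILE_PATH.match(ev["image"]):
                hits.append(("driver loaded from user profile", ev["image"]))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The hash rule only fires for drivers already on the blocklist, so the path-based rules are what catch a renamed copy of a vulnerable driver before its hash is known.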

The Avast Anti-Rootkit driver is designed to protect the system from rootkits, but threat actors are able to exploit a flaw in its code that turns it into a tool for terminating protective processes and compromising infected systems. Because the driver operates at kernel level, it gives the malware unrestricted access to the operating system.

The malicious payload also includes a list of 142 hardcoded security process names associated with products from various vendors, which it uses to disable security solutions. Targeted products include Avast, ESET, McAfee, Microsoft Defender, SentinelOne, Sophos, and Trend Micro.

Cybersecurity experts are now strongly recommending that organizations implement BYOVD (Bring Your Own Vulnerable Driver) protections to defend systems against attacks that rely on vulnerable drivers. Deploying expert rules that detect and block such drivers based on their unique signatures or hashes is essential to preventing this type of attack.

Furthermore, the report includes Indicators of Compromise (IoCs) for this campaign, which organizations can use to monitor for potential threats.

In conclusion, threat actors have recently exploited a flawed Avast Anti-Rootkit driver to gain deeper access to target systems, disable security solutions and take control of the machine. Cybersecurity experts are sounding the alarm about the risks this poses to global cybersecurity, and organizations should take the necessary precautions to protect their systems from such attacks.




Related Information:

  • https://securityaffairs.com/171340/hacking/avast-anti-rootkit-driver-abused-malware-campaign.html

  • https://www.bleepingcomputer.com/news/security/hackers-abuse-avast-anti-rootkit-driver-to-disable-defenses/


  • Published: Mon Nov 25 09:02:41 2024 by llama3.2 3B Q4_K_M


