Ethical Hacking News
New Malware Campaign Uncovered: BYOVD Technique Used to Bypass Antivirus Protections
A recent discovery by cybersecurity researchers has shed light on a sophisticated malware campaign that leverages the Bring Your Own Vulnerable Driver (BYOVD) technique to bypass antivirus protections and gain unauthorized access to infected systems. This technique, which involves exploiting pre-existing vulnerabilities in drivers to carry out malicious actions, is a relatively new addition to the arsenal of threat actors. In this article, we will delve into the details of this malware campaign and explore the implications for individuals and organizations.
The Bring Your Own Vulnerable Driver (BYOVD) method involves exploiting pre-existing vulnerabilities in drivers to bypass antivirus protections. A recent analysis found that a BYOVD malware campaign leverages a legitimate Avast Anti-Rootkit driver to gain unauthorized access to infected systems. The malicious code manipulates the legitimate driver to terminate security processes, disable protective software, and seize control of the infected system. The attack starts with an executable file that drops the legitimate driver, which is then registered as a service to perform its malicious actions. Kernel-level access allows the driver to terminate processes at the kernel level, bypassing the tamper protection mechanisms of most antivirus and EDR solutions. BYOVD attacks have become a common method adopted by threat actors to deploy ransomware, reusing signed but flawed drivers to evade detection. The discovery highlights the need for regular software updates, patching, and monitoring of system drivers to protect against emerging threats.
The cybersecurity landscape has witnessed a significant evolution in recent years, with threat actors continually adapting and innovating their tactics to evade detection. One such technique that has gained prominence is the Bring Your Own Vulnerable Driver (BYOVD) method, which involves exploiting pre-existing vulnerabilities in drivers to bypass antivirus protections and gain unauthorized access to infected systems.
According to a recent analysis by Trellix security researcher Trishaan Kalra, this malware campaign leverages a legitimate Avast Anti-Rootkit driver (aswArPot.sys) that is dropped through an executable file called kill-floor.exe. The malicious code manipulates the legitimate driver to carry out its destructive agenda, exploiting the deep access provided by the driver to terminate security processes, disable protective software, and seize control of the infected system.
The starting point of the attack is the executable file (kill-floor.exe), which drops the legitimate Avast Anti-Rootkit driver. The malicious code then registers the driver as a service using Service Control (sc.exe) to perform its malicious actions. Once the driver is up and running, it gains kernel-level access to the system, allowing it to terminate a total of 142 processes, including those related to security software.
"Since kernel-mode drivers can override user-mode processes, the Avast driver is able to terminate processes at the kernel level, effortlessly bypassing the tamper protection mechanisms of most antivirus and EDR solutions," Kalra said in her analysis.
The exact initial access vector used to drop the malware is currently not clear, although researchers speculate that it may involve exploiting vulnerabilities in system software or firmware. It is also unclear how widespread these attacks are and who the targets are.
BYOVD attacks have become an increasingly common method adopted by threat actors to deploy ransomware in recent years. This technique involves reusing signed but flawed drivers to bypass security controls, making it a potent tool for threat actors looking to evade detection.
Earlier this May, Elastic Security Labs revealed details of a GHOSTENGINE malware campaign that took advantage of the Avast driver to turn off security processes. This discovery highlights the evolving nature of cybersecurity threats and the need for vigilance on the part of individuals and organizations.
The implications of this BYOVD malware campaign are significant, as it underscores the importance of regular software updates, patching, and monitoring of system drivers. It also highlights the need for more stringent testing and validation procedures to ensure that third-party drivers are secure before being integrated into systems.
In conclusion, the discovery of this BYOVD malware campaign serves as a timely reminder of the evolving nature of cybersecurity threats and the importance of vigilance on the part of individuals and organizations. As threat actors continue to adapt and innovate their tactics, it is essential that we remain vigilant and proactive in our efforts to protect ourselves against these emerging threats.
Related Information:
https://thehackernews.com/2024/11/researchers-uncover-malware-using-byovd.html
Published: Mon Nov 25 04:11:59 2024 by llama3.2 3B Q4_K_M