Hackers Exploit Avast Anti-Rootkit Driver to Disable Security Defenses


Cybercriminals are weaponizing a vulnerable Avast Anti-Rootkit driver to bypass detection and disable security protections, exposing systems to malware. This latest BYOVD (Bring Your Own Vulnerable Driver) attack underlines the critical need for robust defense strategies in the evolving cybersecurity landscape.

This malicious campaign employs a kernel-level vulnerability to:

🚫 Terminate security processes: Targets antivirus tools from vendors like Microsoft Defender, McAfee, and Trend Micro.
👾 Evade detection: Operates undetected by disabling active defenses.
📂 File deployment: Malware drops the vulnerable driver (ntfs.bin) in the Windows user folder.
🖥️ Service creation: Registers the driver as aswArPot.sys using the Service Control Manager.
🔍 Security checks: Scans for 142 hardcoded security processes using snapshots of active processes.
❌ Process termination: Utilizes the DeviceIoControl API to execute termination commands.

The malware disables protections from notable security vendors, including:

Microsoft Defender
SentinelOne
Sophos
Trend Micro
BlackBerry
ESET
And many others.

📜 Hardcoded process list: Malware operators use a pre-defined list of processes to identify and disable key components of endpoint defenses.

With defenses down, attackers gain unrestricted access to:

💾 Sensitive data: Exfiltrate critical files without user alerts.
🕹️ System control: Operate malware to install ransomware or other malicious payloads.

This isn’t the first time the Avast Anti-Rootkit driver has been exploited:

Cuba Ransomware (2021): Leveraged similar vulnerabilities to disable security tools.
AvosLocker Attacks (2022): Deployed drivers for malicious purposes.
CVE-2022-26522 and CVE-2022-26523: High-severity flaws in Avast drivers that had persisted since 2016 were quietly patched in late 2021.

Defenders can reduce exposure to BYOVD attacks with the following measures:

🛑 Implement driver blocklists: Use Microsoft's vulnerable driver blocklist, updated with each Windows release. On Windows 11 2022 the blocklist is active by default.
🔗 Signature-based rules: Identify and block components using hashes or signatures.
⚙️ Advanced policies: Enable App Control for Business to access the latest driver protections.
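The service-creation step described above leaves a footprint that signature- and rule-based detection can pick up. The following is an added example, not code from the article or from Avast, showing how a defender might triage service-install records for a kernel driver registered from a user-writable path or under a name associated with this campaign; the log lines and the `key=value|...` record format are constructed for illustration, modelled loosely on Windows System log Event ID 7045.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records (illustrative, not real logs), modelled loosely on
# Windows System log Event ID 7045 "A service was installed in the system".
SAMPLE_EVENTS = [
    "EventID=7045|ServiceName=aswArPot|ServiceType=kernel mode driver|ImagePath=C:\\Users\\alice\\ntfs.bin",
    "EventID=7045|ServiceName=aswArPot|ServiceType=kernel mode driver|ImagePath=C:\\Windows\\System32\\drivers\\aswArPot.sys",
    "EventID=7045|ServiceName=Spooler|ServiceType=user mode service|ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    "EventID=7045|ServiceName=updsvc|ServiceType=kernel mode driver|ImagePath=C:\\Users\\Public\\Downloads\\drv.sys",
]

# Directories an unprivileged user can normally write to; a kernel driver loaded from here is a red flag.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
# File names the article ties to this campaign: the vulnerable driver and the dropped copy.
WATCHED_NAMES = {"aswarpot.sys", "ntfs.bin"}
DRIVER_STORE = "\\windows\\system32\\drivers\\"


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons (if any) this service-install event looks like BYOVD staging."""
    reasons: List[str] = []
    if event.get("EventID") != "7045" or "kernel mode driver" not in event.get("ServiceType", ""):
        return reasons  # only kernel-driver installs matter for this rule
    path = event.get("ImagePath", "")
    name = path.rsplit("\\", 1)[-1].lower()
    if USER_WRITABLE.match(path):
        reasons.append("kernel driver image in user-writable directory")
    if not name.endswith(".sys"):
        reasons.append("kernel driver image lacks .sys extension")
    if name in WATCHED_NAMES and DRIVER_STORE not in path.lower():
        reasons.append("known-abusable driver name outside the driver store")
    return reasons


def triage(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Run assess() over raw log lines; return (service, path, reasons) for every hit."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            hits.append((ev["ServiceName"], ev["ImagePath"], reasons))
    return hits


if __name__ == "__main__":
    for svc, path, why in triage(SAMPLE_EVENTS):
        print(f"{svc}: {path} -> {'; '.join(why)}")
```

The legitimate aswArPot.sys install from the driver store produces no finding, while the same service name pointing at ntfs.bin in a user profile trips all three rules.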

Security researchers recommend that developers apply proactive patches and update vulnerable components regularly.

This attack showcases how outdated software can be a ticking time bomb. Companies and individuals must:

🚀 Stay updated: Ensure security tools are patched against known vulnerabilities.
🔒 Adopt multi-layered defenses: Combine endpoint protection with strong policies to mitigate BYOVD threats.

Cybersecurity is a continuous battle; don't let your guard down!

💬 What measures have you implemented to safeguard your systems? Share your insights below! 👇
