Home Security Researchers Uncover Malware Using BYOVD to Bypass Antivirus Protections

Researchers Uncover Malware Using BYOVD to Bypass Antivirus Protections

by


Nov 25, 2024Ravie LakshmananMalware / Windows Security

Cybersecurity researchers have uncovered a new malicious campaign that leverages a technique called Bring Your Own Vulnerable Driver (BYOVD) to disarm security protections and ultimately gain access to the infected system.

“This malware takes a more sinister route: it drops a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and manipulates it to carry out its destructive agenda,” Trellix security researcher Trishaan Kalra said in an analysis published last week.

“The malware exploits the deep access provided by the driver to terminate security processes, disable protective software, and seize control of the infected system.”

The starting point of the attack is an executable file (kill-floor.exe) that drops the legitimate Avast Anti-Rootkit driver, which is subsequently registered as a service using Service Control (sc.exe) to perform its malicious actions.

Cybersecurity

Once the driver is up and running, the malware gains kernel-level access to the system, allowing it to terminate a total of 142 processes, including those related to security software, that could otherwise raise an alarm.

This is accomplished by taking snapshots of the actively running processes on the system and checking their names against the hard-coded list of processes to kill.

“Since kernel-mode drivers can override user-mode processes, the Avast driver is able to terminate processes at the kernel level, effortlessly bypassing the tamper protection mechanisms of most antivirus and EDR solutions,” Kalra said.

The exact initial access vector used to drop the malware is currently not clear. It’s also not known how widespread these attacks are and who are the targets.

That said, BYOVD attacks have become an increasingly common method adopted by threat actors to deploy ransomware in recent years, as they reuse signed but flawed drivers to bypass security controls.

Earlier this May, Elastic Security Labs revealed details of a GHOSTENGINE malware campaign that took advantage of the Avast driver to turn off security processes.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex