Hackers Exploit Avast Anti-Rootkit Driver to System Takeover

In a concerning development, cybercriminals are leveraging an old, vulnerable version of Avast’s Anti-Rootkit driver to disable security defenses and gain control of target systems. This exploit highlights the risks of outdated software components and the need for robust defensive measures. Below, we analyze the attack, its mechanisms, and actionable steps to mitigate such threats.

How Hackers Are Exploiting the Driver

The BYOVD Technique

The attack employs the “Bring Your Own Vulnerable Driver” (BYOVD) technique, where a legitimate driver with known vulnerabilities is used maliciously. This method allows attackers to operate at the kernel level, gaining access to critical system components and bypassing security measures.

Attack Execution

Security researchers at Trellix recently uncovered the campaign. Here’s how the attack unfolds:

1. Malware Delivery
   The malware, identified as a variant of an AV Killer, is disguised under the name kill-floor.exe. It delivers the vulnerable driver ntfs.bin to the default Windows user folder.

2. Driver Installation
   Using the Windows Service Control (sc.exe), the malware creates a service named aswArPot.sys to register the Avast driver.

3. Process Termination
   The malware contains a hardcoded list of 142 processes linked to security solutions from major vendors like McAfee, Sophos, Trend Micro, and Microsoft Defender. It scans active processes for matches and uses the DeviceIoControl API to issue commands via the compromised driver, effectively disabling the identified security processes.

4. Unrestricted Malicious Activity
   With security defenses deactivated, the malware operates stealthily, enabling data theft, ransomware deployment, or other malicious activities without triggering user alerts.

Historical Context & Vulnerabilities

Previous Exploits

The use of the Avast Anti-Rootkit driver for malicious purposes is not unprecedented. Similar tactics were observed in:

• AvosLocker Ransomware (2022): Attackers leveraged the driver to disable endpoint protection.
• Cuba Ransomware (2021): A script exploited a function in the driver to terminate security software.

Exploitable Flaws

SentinelLabs researchers uncovered two critical vulnerabilities (CVE-2022-26522 and CVE-2022-26523) in the driver in 2021. These flaws, which existed since 2016, allowed privilege escalation and security software termination. Avast addressed these issues in a silent security update.

Mitigation Strategies

To safeguard systems against attacks exploiting vulnerable drivers, organizations and users must adopt a layered security approach:

1. Driver Signature Enforcement

Implement policies that block unsigned or unverified drivers. Security tools like Trellix offer rules to identify malicious components based on their signatures or hashes.

2. Microsoft’s Driver Blocklist

Microsoft provides a vulnerable driver blocklist policy, updated with every major Windows release. This blocklist is active by default in Windows 11 2022 and later versions. Organizations can use App Control for Business to ensure their blocklist is current.

3. Endpoint Detection and Response (EDR) Solutions

Advanced EDR solutions can identify suspicious activities, such as attempts to install drivers or terminate processes, enabling rapid response.

4. Patch Management

Regularly update all software components, including third-party drivers, to eliminate vulnerabilities.

5. Educate and Train Employees

Awareness programs can help employees recognize potential phishing attempts or suspicious files that may deliver malware.