Avast security tools hijacked in order to crack antivirus protection

Researchers spot new campaign that can turn off antivirus protection
Malware uses legitimate Avast Anti-Rootkit driver to access kernel level
Once antivirus is deactivated, the malware can proceed without detection

Hackers are using a legitimate Avast Anti-Rootkit driver to disguise their malware, turn off antivirus protection, and infect systems, experts have warned.

The vulnerable driver has been exploited in a number of attacks since 2021, with the original vulnerabilities being present since at least 2016, research by Trellix, has claimed, noting the malware can use the vulnerable driver to end the processes of security software at the kernel level.

The malware in question belongs to the AV Killer family, with the attack using a vector known as bring-your-own-vulnerable-driver (BYOVD) to infect the system.

Virus can turn off antivirus

Trellix outlined how the malware uses a file named ‘kill-floor.exe’ to place the vulnerable driver named ‘ntfs.bin’ into the default Windows user folder, before using the Service Control executable (sc.exe) to register the driver using the ‘aswArPot.sys’ service.

Included within the malware is a hardcoded list of 142 processes used by common security products, which is used to check system process snapshots for any matches.

The malware then uses the ‘DeviceIoControl’ API to run the relevant commands to end the process, thereby preventing the antivirus from detecting the malware.

The hardcoded list includes processes belonging to a number of security products from names such as McAfee, Avast, Microsoft Defender, BlackBerry, Sophos, and many more.

As BleepingComputer points out, this isn’t the first time a BYOVD attack has exploited a vulnerable Avast driver, with the 2021 Avoslocker ransomware attacks abusing an Avast Anti-Rookit driver. Sentinel Labs also spotted and reported two high-severity flaws to Avast in the same year, which were patched shortly after.

https://cdn.mos.cms.futurecdn.net/ThNyuwnA55tfcixfqWcEcA-1200-80.jpg

Source link
benedict.collins@futurenet.com (Benedict Collins)

Samsung Galaxy S25 specs predictions: all the key rumored specs for every model

This can’t be real: Walmart is selling a 98-inch TCL QLED TV for $1,598 on Black Friday

I never leave the house without this portable battery, and it’s just $16 for Black Friday

This new method could reduce the energy needs of AI applications by 95% — but may also need whole new forms of hardware

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

People are driving through flames to escape this California wildfire

New ‘Westworld’ trailer introduces us to another dystopian tech company

What’s the point of ‘Charlie’s Angels’ without Sam Rockwell dancing?

These striking photos capture the future of human flight

‘Heathers’ is still the best dark comedy about high school hell

Trump vs. Harris: How the election will affect EV adoption

Lumwana’s Super Pit Expansion Officially Launched By Investing.com

How Biden could use a 1947 law to suspend the dockworkers’ strike

Why your Roth IRA conversions could have ‘unintended’ tax consequences

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

Avast security tools hijacked in order to crack antivirus protection

Samsung Galaxy S25 specs predictions: all the key rumored specs for every model

This can’t be real: Walmart is selling a 98-inch TCL QLED TV for $1,598 on Black Friday

I never leave the house without this portable battery, and it’s just $16 for Black Friday

This new method could reduce the energy needs of AI applications by 95% — but may also need whole new forms of hardware

Leave a reply Cancel reply