Security researchers have identified a new malware campaign that uses the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security software on the machines it infects.
According to research published by Trellix, the malware abuses a legitimate, signed Avast Anti-Rootkit driver (aswArPot.sys) to carry out its attack. The driver is not modified in any way; the malware relies on functionality the driver itself exposes, which lets a user-mode caller direct it to terminate processes. Because that termination happens in the kernel, it succeeds even against security processes that defend themselves from user-mode tampering.
The attack begins when an executable named "kill-floor.exe" drops the legitimate Avast driver to disk. Using the Windows Service Control utility (sc.exe), the malware registers the driver as a kernel-mode service so that Windows loads it into the kernel. Note that installing a driver service already requires administrator rights, so the malware must be running elevated at this point; the driver's role is to extend that administrative access into kernel-level capability.
With the driver loaded, the malware enumerates the running processes and compares each one against a hard-coded list of 142 process names, most of them belonging to antivirus and endpoint detection and response (EDR) products that might detect it. Any process that matches is handed to the driver for termination.
The research team notes that because a kernel-mode driver has authority over every user-mode process, termination requests routed through the Avast driver bypass the self-protection mechanisms that antivirus and EDR agents use to stop user-mode tampering. A security agent that cannot be killed by an administrator can still be killed by the kernel on that administrator's behalf.
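The chain described above leaves a recognisable trail in standard Windows telemetry: an sc.exe invocation that creates a kernel-mode service, a service-install event for a driver outside the normal drivers directory, a driver-load event for a known-abused driver, and a burst of process terminations immediately afterwards. The following detection logic is an added example, not Trellix's code or the malware's; the event records are constructed, rendered as flat dictionaries rather than raw XML, and the field names follow Sysmon Event 1, System Event 7045, Sysmon Event 6 and Sysmon Event 5. The 60-second window, the three-termination threshold, the assumption that the system drive is C:, and the paths under C:\Users\Public are all assumptions made for the example.

```python
"""Flag BYOVD-style abuse of a signed process-killer driver in Windows
telemetry. Added example, not Trellix's code; the event records below are
constructed and use a flattened rendering of Sysmon Event 1 (process
create), System Event 7045 (service installed), Sysmon Event 6 (driver
loaded) and Sysmon Event 5 (process terminated)."""

import ntpath
import re
from datetime import datetime, timedelta

# Driver file names known to be abused to kill processes from user mode.
# Only the driver named in the article is listed; in practice populate this
# from the Microsoft vulnerable driver blocklist or the LOLDrivers catalogue.
ABUSED_DRIVERS = {"aswarpot.sys"}

# Directory legitimately installed kernel drivers normally load from
# (assumes the system drive is C:).
DRIVER_DIR = "c:\\windows\\system32\\drivers"

# sc.exe invocation that registers a kernel-mode driver as a service.
SC_KERNEL_CREATE = re.compile(r"\bcreate\b.*\btype=\s*kernel\b", re.IGNORECASE)

# Terminations of this many processes within the window after the driver
# loads are treated as a kill sweep (assumed values; tune to your estate).
KILL_SWEEP_MIN = 3
KILL_SWEEP_WINDOW = timedelta(seconds=60)


def _clean(path: str) -> str:
    """Normalise the path spellings seen in 7045 ImagePath values."""
    path = path.strip().strip('"')
    if path.startswith("\\??\\"):            # NT object-manager prefix
        path = path[4:]
    low = path.lower()
    if low.startswith("\\systemroot\\"):
        path = "C:\\Windows" + path[len("\\SystemRoot"):]
    elif low.startswith("system32\\"):        # relative to the Windows dir
        path = "C:\\Windows\\" + path
    return path


def _basename(path: str) -> str:
    return ntpath.basename(_clean(path)).lower()


def _in_driver_dir(path: str) -> bool:
    return ntpath.normpath(_clean(path)).lower().startswith(DRIVER_DIR)


def _ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["UtcTime"])


def analyze(events: list) -> list:
    """Return (rule, detail) findings; events are assumed ordered by UtcTime."""
    findings = []
    driver_loaded_at = None
    killed_since_load = []

    for ev in events:
        src, eid = ev["source"], ev["id"]

        if src == "Sysmon" and eid == 1:
            cmd = ev.get("CommandLine", "")
            if _basename(ev.get("Image", "")) == "sc.exe" and SC_KERNEL_CREATE.search(cmd):
                findings.append(("sc_kernel_driver_create",
                                 f"{_basename(ev.get('ParentImage', ''))} ran: {cmd}"))

        elif src == "System" and eid == 7045:
            image = ev.get("ImagePath", "")
            if "kernel" in ev.get("ServiceType", "").lower():
                if _basename(image) in ABUSED_DRIVERS:
                    findings.append(("abused_driver_installed",
                                     f"service {ev.get('ServiceName')} -> {image}"))
                if not _in_driver_dir(image):
                    findings.append(("driver_outside_system_dir", image))

        elif src == "Sysmon" and eid == 6:
            image = ev.get("ImageLoaded", "")
            if _basename(image) in ABUSED_DRIVERS:
                # A valid signature is expected here: that is the point of BYOVD.
                findings.append(("abused_driver_loaded",
                                 f"{image} signed={ev.get('Signed')} signer={ev.get('Signature')}"))
                driver_loaded_at = _ts(ev)
                killed_since_load = []

        elif src == "Sysmon" and eid == 5 and driver_loaded_at is not None:
            if _ts(ev) - driver_loaded_at <= KILL_SWEEP_WINDOW:
                killed_since_load.append(_basename(ev.get("Image", "")))
                if len(killed_since_load) == KILL_SWEEP_MIN:
                    findings.append(("kill_sweep_after_driver_load",
                                     ", ".join(killed_since_load)))
    return findings


# Constructed telemetry for one run of the chain described in the article.
SAMPLE_EVENTS = [
    {"source": "Sysmon", "id": 1, "UtcTime": "2024-11-20T10:00:00",
     "Image": "C:\\Windows\\System32\\sc.exe",
     "ParentImage": "C:\\Users\\Public\\kill-floor.exe",
     "CommandLine": 'sc create aswArPot.sys binPath= "C:\\Users\\Public\\aswArPot.sys" type= kernel'},
    {"source": "System", "id": 7045, "UtcTime": "2024-11-20T10:00:00",
     "ServiceName": "aswArPot.sys", "ServiceType": "kernel mode driver",
     "ImagePath": "\\??\\C:\\Users\\Public\\aswArPot.sys"},
    {"source": "Sysmon", "id": 6, "UtcTime": "2024-11-20T10:00:01",
     "ImageLoaded": "C:\\Users\\Public\\aswArPot.sys",
     "Signed": "true", "Signature": "Avast Software s.r.o."},
    {"source": "Sysmon", "id": 5, "UtcTime": "2024-11-20T10:00:02", "Image": "C:\\Program Files\\EDR\\agent.exe"},
    {"source": "Sysmon", "id": 5, "UtcTime": "2024-11-20T10:00:02", "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"source": "Sysmon", "id": 5, "UtcTime": "2024-11-20T10:00:03", "Image": "C:\\Program Files\\EDR\\sensor.exe"},
    # A driver installed from the normal directory should stay quiet.
    {"source": "System", "id": 7045, "UtcTime": "2024-11-20T10:05:00",
     "ServiceName": "exampledrv", "ServiceType": "kernel mode driver",
     "ImagePath": "\\SystemRoot\\System32\\drivers\\exampledrv.sys"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(rule, "|", detail)
```

Each rule is weak on its own: administrators do create kernel services with sc.exe, and a single driver load from an odd path is not proof of anything. What makes the chain worth alerting on is the sequence, which is why the kill-sweep rule is keyed off the load of a driver already known to be abused. In production the abused-driver set should be the published blocklist rather than a single name, and the termination events should be filtered to the security agents you actually run.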
While researchers have yet to determine how the malware initially reaches victim systems or who its targets are, BYOVD attacks have become increasingly common among cybercriminals, particularly as a precursor to deploying ransomware. The technique repurposes drivers that carry a valid signature but contain exploitable flaws, which is why Driver Signature Enforcement alone does not stop it: the driver passes the signature check. The practical defence is to block the known-abused drivers themselves, for example with Microsoft's vulnerable driver blocklist enforced through Windows Defender Application Control or memory integrity (HVCI), and to alert on kernel-mode service creation from user-writable paths.
This discovery follows a similar incident reported in May 2024, when Elastic Security Labs identified the GHOSTENGINE malware campaign, which also loaded the Avast driver to disable security processes.
The findings highlight an emerging trend in cyber threats, where attackers leverage legitimate system components to bypass security controls, presenting new challenges for cybersecurity professionals and organizations.