Hackers Exploit Avast Driver to Dodge Security Tools

The malware abuses a legitimate Avast Anti-Rootkit driver, ‘aswArPot.sys’, which it drops to disk as ‘ntfs.bin’, to bypass security measures; the driver gives the malware a stealthy channel for its malicious activity that does not trigger alarms.

It uses the Service Control Manager to load the kernel driver “aswArPot.sys,” which is derived from a genuine Avast driver.

Through this elevated kernel-level access, the malware can circumvent security measures, terminate processes essential to the system, and take control of the machine.

Running at the kernel level, the aswArPot.sys driver gives the malware elevated privileges with which it targets and compromises critical system components, particularly security solutions, by locating and manipulating their processes.

[Figure: aswArPot.sys terminating security processes]

It stealthily installs a malicious Avast Anti-Rootkit driver in a system directory and registers it as a Windows service to evade detection and potentially compromise system security.

With the Avast Anti-Rootkit driver loaded, the malware enters an infinite loop in which it continuously captures snapshots of the processes currently running.

For each snapshot it extracts process information and compares the process names against a predefined list, which identifies the target processes for its malicious actions.

[Figure: Malware actively monitoring running processes on the system]

The malware locates the Avast driver and then, using the driver's kernel-level privileges, issues a DeviceIoControl API call with the ‘0x9988c094’ IOCTL code and the target process ID, terminating the process without most security solutions noticing.

Once exploited, the Avast Anti-Rootkit driver can be manipulated by malicious software to execute arbitrary code, including the termination of specific security processes.

[Figure: Infection chain]

According to Trellix, this is achieved by sending a crafted IOCTL code (0x9988c094) together with the target process ID to the driver, which then uses its kernel-level privileges to terminate the process via the KeAttachProcess and ZwTerminateProcess functions.

Vulnerable drivers like Avast Anti-Rootkit can be exploited in bring-your-own-vulnerable-driver (BYOVD) attacks to gain kernel-level access. Expert rules can identify and block specific vulnerable drivers based on their signatures or hashes.

Malware can be prevented from using compromised drivers for persistence, privilege escalation, or security bypass by implementing these rules in endpoint detection and response (EDR) or antivirus detection solutions.
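As an added example (not code from the article, from Trellix, or from Avast), the following Python sketches the two defensive checks the article points at: screening new kernel-driver service registrations, which is the step in which the driver is dropped as ‘ntfs.bin’ and registered as a Windows service, and hash-based blocking of known-abusable driver builds as described for expert rules. The event records are constructed and only loosely modelled on Windows System log Event ID 7045 (“A service was installed in the system”); the hash blocklist and the core-driver name list are placeholders, and the heuristics are my own assumptions rather than any vendor's rules.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample records, loosely modelled on the fields of Windows System
# log Event ID 7045 ("A service was installed in the system"). The field
# names and values are mine, not from the article or from Trellix.
SAMPLE_EVENTS = [
    {"ServiceName": "ntfs",
     "ImagePath": r"C:\Windows\System32\drivers\ntfs.bin",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    {"ServiceName": "aswArPot",
     "ImagePath": r"C:\Program Files\Avast Software\Avast\aswArPot.sys",
     "ServiceType": "kernel mode driver", "StartType": "system start"},
    {"ServiceName": "VendorUpdater",
     "ImagePath": r"C:\Program Files\Vendor\updater.exe",
     "ServiceType": "user mode service", "StartType": "auto start"},
]

# Placeholder hash set: in practice, populate this with the SHA-256 values of
# driver builds your EDR/AV vendor lists as abusable. Not a real hash.
BLOCKED_DRIVER_SHA256 = {"0" * 64}

# Core Windows driver names that a dropped driver might masquerade as.
# Hypothetical list for this example; build yours from a known-good baseline.
CORE_DRIVER_NAMES = {"ntfs", "ntoskrnl", "hal", "win32k", "tcpip"}


@dataclass
class Finding:
    service: str
    image_path: str
    reasons: list = field(default_factory=list)


def screen_driver_installs(events):
    """Flag kernel-driver service installs whose image looks wrong.

    Heuristics (assumptions, not vendor rules):
      * a kernel driver image that does not carry the .sys extension
      * a newly registered kernel driver whose file name or service name
        collides with a core Windows driver present on every install
    """
    findings = []
    for ev in events:
        if "kernel" not in ev.get("ServiceType", "").lower():
            continue  # user-mode services are out of scope for this check
        path = ev["ImagePath"]
        file_name = path.rsplit("\\", 1)[-1].lower()
        stem, _, ext = file_name.rpartition(".")
        reasons = []
        if ext != "sys":
            reasons.append(f"kernel driver image without .sys extension: {file_name}")
        if stem in CORE_DRIVER_NAMES or ev["ServiceName"].lower() in CORE_DRIVER_NAMES:
            reasons.append("new driver service named like a core Windows driver")
        if reasons:
            findings.append(Finding(ev["ServiceName"], path, reasons))
    return findings


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a driver image, as the hash a blocklist rule would match on."""
    return hashlib.sha256(data).hexdigest()


def is_blocked_driver(image_bytes: bytes, blocklist=BLOCKED_DRIVER_SHA256) -> bool:
    """Hash-based rule: True when the driver image matches a blocklisted build."""
    return sha256_hex(image_bytes) in blocklist


if __name__ == "__main__":
    for finding in screen_driver_installs(SAMPLE_EVENTS):
        print(finding.service, finding.image_path)
        for reason in finding.reasons:
            print("   -", reason)
```

Run against the constructed events, only the ‘ntfs.bin’ registration is flagged (two reasons), while the driver installed under its normal name from the vendor directory passes. The hash check is deliberately separate from the path heuristics: a renamed copy of a blocklisted driver changes neither its bytes nor its hash, so the hash rule catches it wherever it is dropped, whereas the path heuristics catch builds whose hash is not yet on the list.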

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
