Malware Exploits Vulnerable Drivers to Disable Antivirus Tools

Cybersecurity experts have uncovered a malicious campaign using the Bring Your Own Vulnerable Driver (BYOVD) technique to bypass antivirus protections and compromise systems. This approach involves leveraging legitimate but flawed drivers to disable security tools, leaving systems exposed to further attacks.

The malware drops a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and exploits its elevated access privileges to carry out harmful activities. Researchers noted that the driver is used to terminate security processes, disable protective software, and take control of the infected machine. This sophisticated attack showcases how malicious actors can repurpose trusted tools for nefarious purposes.

The attack begins with an executable file, kill-floor.exe, which deploys the Avast driver. The driver is then registered as a service using the Service Control tool (sc.exe). Its kernel-level capabilities allow it to bypass tamper protection in most antivirus and endpoint detection and response (EDR) solutions. This makes detecting and mitigating the attack particularly challenging.

Although the exact method by which the malware gains initial access remains unclear, BYOVD tactics have become a growing concern in the cybersecurity community. In recent years, attackers have used this method to deploy ransomware and evade detection by security software. A previous campaign, revealed in May, used the same Avast driver to disable security systems, underscoring the popularity of this technique among cybercriminals.

The current scale and targets of these attacks remain unknown, but the growing prevalence of BYOVD methods highlights the need for enhanced security practices to counter these advanced threats.

To protect against BYOVD attacks, organizations should implement strict driver signing policies and block known vulnerable drivers. Regularly update security software to include protections against such exploits.

Employ tools that monitor kernel-level activities and identify unusual driver behavior. Finally, enforce strong endpoint security measures and educate employees on potential threats to reduce the risk of malware infiltration.
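As an added illustration of the monitoring advice above (example code written for this article, not from the researchers or any vendor), the following Python checks records shaped like the Windows System log "service installed" event (ID 7045) for a kernel-mode driver service that either matches a vulnerable-driver blocklist or is loaded from outside the standard driver directories. The field names, the sample records, and the one-entry blocklist (only the aswArPot.sys driver named in the article) are assumptions; a real deployment would feed it parsed event data and a maintained blocklist.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Driver file names known to be abusable for BYOVD. Only the driver named in the
# article is listed here; a real list should come from a maintained blocklist.
VULNERABLE_DRIVERS = {"aswarpot.sys"}

# Directories (drive letter removed, lower-cased) a properly installed driver
# is normally loaded from. Anything else is treated as an unusual location.
TRUSTED_DRIVER_DIRS = (r"\windows\system32\drivers", r"\windows\system32\driverstore")


@dataclass
class Finding:
    service: str
    image: str
    reasons: List[str]


def normalize_image_path(image_path: str) -> str:
    """Make the common spellings of a driver path comparable (\\??\\, \\SystemRoot, relative)."""
    p = image_path.strip().strip('"')
    p = re.sub(r"^\\\?\?\\", "", p)                                   # \??\C:\... -> C:\...
    p = re.sub(r"^\\SystemRoot", r"C:\\Windows", p, flags=re.IGNORECASE)
    p = re.sub(r"^system32\\", r"C:\\Windows\\System32\\", p, flags=re.IGNORECASE)
    return p.lower()


def analyze_service_install(event: dict) -> Optional[Finding]:
    """Evaluate one 7045-style record; return a Finding if it looks like a BYOVD install."""
    if "kernel mode driver" not in event.get("ServiceType", "").lower():
        return None                                                    # user-mode services are out of scope
    image = normalize_image_path(event.get("ImagePath", ""))
    reasons = []
    if ntpath.basename(image) in VULNERABLE_DRIVERS:
        reasons.append(f"known vulnerable driver: {ntpath.basename(image)}")
    directory = ntpath.dirname(re.sub(r"^[a-z]:", "", image))
    if not any(directory.startswith(d) for d in TRUSTED_DRIVER_DIRS):
        reasons.append(f"driver loaded from unusual location: {ntpath.dirname(image)}")
    return Finding(event.get("ServiceName", "?"), image, reasons) if reasons else None


def scan(events) -> List[Finding]:
    return [f for f in (analyze_service_install(e) for e in events) if f]


# Constructed sample records: one mimicking the campaign (driver dropped next to the
# loader and registered with sc.exe), one benign driver, one ordinary user-mode service.
SAMPLE_EVENTS = [
    {"ServiceName": "aswArPot", "ImagePath": r"C:\Users\Public\aswArPot.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    {"ServiceName": "exampledrv", "ImagePath": r"\SystemRoot\System32\drivers\exampledrv.sys",
     "ServiceType": "kernel mode driver", "StartType": "auto start"},
    {"ServiceName": "examplesvc", "ImagePath": r"C:\Program Files\Example\svc.exe",
     "ServiceType": "user mode service", "StartType": "auto start"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.service, f.image, "; ".join(f.reasons))
```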