Trellix Identifies Malware Exploiting Security Software Vulnerabilities
Quick take - The Trellix Advanced Research Center has identified a complex malware campaign, named “kill-floor.exe,” that exploits a legitimate Avast Anti-Rootkit driver to gain kernel-level access, disable security processes, and control infected systems, prompting recommendations for enhanced protective measures against such threats.
Fast Facts
- Trellix Advanced Research Center discovered a malware campaign using “kill-floor.exe” that exploits the Avast Anti-Rootkit driver for malicious activities.
- The malware gains kernel-level access, allowing it to terminate security processes and disable protective software on infected systems.
- It disguises the Avast driver as ‘ntfs.bin’ in the Windows directory and uses the Service Control utility to create a service for it.
- The malware monitors running processes against a hardcoded list of 142 antivirus and EDR solutions, terminating any matches using the Avast driver.
- Experts recommend implementing BYOVD protection and deploying rules to identify vulnerable drivers, while Trellix provides indicators of compromise for affected files.
Trellix Uncovers Sophisticated Malware Campaign
The Trellix Advanced Research Center team has uncovered a sophisticated malicious campaign targeting users by exploiting security software. This malware, identified as “kill-floor.exe,” manipulates a legitimate Avast Anti-Rootkit driver, aswArPot.sys, for malicious purposes.
Kernel-Level Access and Infection Process
By leveraging this driver, the malware gains kernel-level access to infected systems. This access allows it to terminate security processes, disable protective software, and exert control over the compromised system.
The infection process begins with the malware dropping the Avast Anti-Rootkit driver, disguised as ‘ntfs.bin’ and placed in the ‘C:\Users\Default\AppData\Local\Microsoft\Windows’ directory. The malware then uses the Service Control (sc.exe) utility to create a service for the dropped driver. Once installed and operational, the driver enables the malware to access kernel-level functions, which are typically reserved for trusted applications.
Monitoring and Termination of Security Processes
A critical feature of this malware is its hardcoded list of 142 well-known antivirus and endpoint detection and response (EDR) solution process names. The malware actively monitors running processes on the system and compares these processes against the hardcoded list. When a match is found, the malware creates a handle to the installed Avast driver and employs the DeviceIoControl API to send commands to terminate the identified security processes. The Avast driver interprets these commands and utilizes Windows kernel functions to execute the termination of the specified processes.
Recommendations and Indicators of Compromise
To combat such threats, experts recommend implementing mechanisms like Bring Your Own Vulnerable Driver (BYOVD) protection. BYOVD attacks exploit legitimate but vulnerable drivers to gain unauthorized kernel-level access, bypassing existing security measures. Organizations are advised to deploy expert rules to identify and block specific vulnerable drivers based on the signatures or hashes of the drivers, enhancing the overall security posture.
Trellix has provided indicators of compromise for this malware, including specific hashes for the malicious files: “40439f39f0195c9c7a3b519554afd17a” for kill-floor.exe and “a179c4093d05a3e1ee73f6ff07f994aa” for ntfs.bin. Additionally, Trellix ENS and EDR detection tools offer insights into the tactics and techniques employed by this malware, particularly related to service creation and process termination. This detailed information serves as a resource for educational purposes, assisting Trellix customers in safeguarding their systems against such sophisticated threats.
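The service-creation step described above and the published hashes give a defender two cheap detections. The following Python is an added example, not Trellix's tooling or code from the article: it flags sc.exe kernel-driver service creation whose binary is not a .sys file or lives under a user profile, and matches file MD5s against the two indicators the article lists. The sample command lines and the service name "ntfs" are constructed; the drop path and the hashes are the article's.

```python
import re
from collections import namedtuple
from typing import List, Optional

# MD5 indicators published in the article for the two dropped files.
KILL_FLOOR_IOCS = {
    "40439f39f0195c9c7a3b519554afd17a": "kill-floor.exe",
    "a179c4093d05a3e1ee73f6ff07f994aa": "ntfs.bin (renamed Avast aswArPot.sys)",
}
# Matches 'sc[.exe] create <name> ... binPath= <path>' (value may be quoted).
SC_CREATE_RE = re.compile(
    r'\bsc(?:\.exe)?\s+create\s+(?P<name>\S+).*?binPath=\s*(?:"(?P<q>[^"]+)"|(?P<u>\S+))',
    re.IGNORECASE,
)
Finding = namedtuple("Finding", "rule detail")

def check_command_line(cmdline: str) -> List[Finding]:
    """Flag sc.exe service creation that looks like a BYOVD driver install."""
    m = SC_CREATE_RE.search(cmdline)
    if not m:
        return []
    name, path = m.group("name"), (m.group("q") or m.group("u"))
    low, findings = path.lower(), []
    # Kernel-driver service whose binary is not a .sys file (e.g. "ntfs.bin").
    if "type= kernel" in cmdline.lower() and not low.endswith(".sys"):
        findings.append(Finding("kernel-nonsys", f"service {name} -> {path}"))
    # Any service binary under a user profile directory is unusual.
    if "\\users\\" in low:
        findings.append(Finding("service-userpath", f"service {name} -> {path}"))
    return findings

def check_file_hash(md5_hex: str) -> Optional[Finding]:
    """Match a file's MD5 against the published kill-floor indicators."""
    label = KILL_FLOOR_IOCS.get(md5_hex.strip().lower())
    return Finding("ioc-md5", label) if label else None

# Constructed sample telemetry (not real logs); the service name "ntfs" is assumed.
SAMPLE_CMDLINES = [
    r'sc.exe create ntfs type= kernel binPath= "C:\Users\Default\AppData\Local\Microsoft\Windows\ntfs.bin"',
    r'sc.exe create Spooler binPath= "C:\Windows\System32\spoolsv.exe"',
]
SAMPLE_HASHES = ["A179C4093D05A3E1EE73F6FF07F994AA", "d41d8cd98f00b204e9800998ecf8427e"]

def scan(cmdlines=SAMPLE_CMDLINES, hashes=SAMPLE_HASHES) -> List[Finding]:
    """Run both detections; command-line findings first, then hash matches."""
    found = [f for c in cmdlines for f in check_command_line(c)]
    found += [f for f in map(check_file_hash, hashes) if f]
    return found
```

The hash check only catches these exact samples; the command-line rules generalise to other renamed-driver BYOVD installs and are the part worth wiring into EDR process-creation telemetry.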