In a concerning development, cybersecurity researchers at Trellix have uncovered a sophisticated malware campaign that exploits a legitimate antivirus driver to bypass system protections.
The malware, identified as “kill-floor.exe,” leverages the Avast Anti-Rootkit driver (aswArPot.sys) to gain kernel-level access, effectively neutralizing security software and taking control of infected systems.
This tactic highlights the growing trend of “Bring Your Own Vulnerable Driver” (BYOVD) attacks, where attackers weaponize trusted but flawed drivers to execute malicious activities.
Infection Chain and Exploitation
The infection begins with the malware dropping the Avast Anti-Rootkit driver in a Windows directory under the guise of a legitimate file named “ntfs.bin.”

Using the Service Control utility (sc.exe), the malware registers the driver as a service, granting it unrestricted kernel-level privileges.
This access allows it to terminate critical security processes, disable endpoint detection and response (EDR) solutions, and evade tamper protection mechanisms.
Once operational, the malware enters an infinite loop, monitoring active processes on the system.
It compares these processes against a hardcoded list of 142 security-related process names.
If a match is found, the malware interacts with the Avast driver using the DeviceIoControl API and a specific IOCTL code (0x9988c094).
This code instructs the driver to terminate targeted security processes at the kernel level, effectively dismantling system defenses.
Weaponizing Kernel Privileges
The Avast Anti-Rootkit driver, originally designed to protect systems, becomes a tool for destruction in this campaign.
By exploiting its kernel-mode capabilities, the malware overrides user-mode restrictions and performs actions such as process termination using Windows kernel functions like KeAttachProcess and ZwTerminateProcess.
This manipulation underscores the risks associated with vulnerable drivers being exploited in BYOVD attacks.
To counter such threats, organizations are advised to adopt robust BYOVD protection mechanisms.
These include deploying expert rules that detect and block vulnerable drivers based on their unique signatures or hashes.
For instance, Trellix recommends integrating specific detection rules into EDR or antivirus solutions to prevent compromised drivers like aswArPot.sys from being executed.

Such measures can thwart attempts to establish persistence, elevate privileges, or disable security software via kernel-level exploits.
Key indicators linked to this campaign include two MD5 hashes:
- 40439f39f0195c9c7a3b519554afd17a (kill-floor.exe)
- a179c4093d05a3e1ee73f6ff07f994aa (ntfs.bin)
These artifacts should be monitored closely by security teams to detect potential infections.
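As an added defender-side example (not Trellix's expert rule or any code from the campaign), the following Python runs the detection ideas above over constructed Sysmon-style telemetry: it matches the article's two MD5 indicators, flags a kernel-mode service registered through sc.exe from a .bin file, and flags a driver loaded from a non-.sys path or outside an Avast directory. The field names, the install-path heuristic, the service name and the C:\Windows\ntfs.bin path are assumptions, not values from the report.

```python
import re

# MD5 indicators quoted in the article above.
KNOWN_BAD_MD5 = {
    "40439f39f0195c9c7a3b519554afd17a": "kill-floor.exe",
    "a179c4093d05a3e1ee73f6ff07f994aa": "ntfs.bin (dropped aswArPot.sys)",
}

# sc.exe registering a kernel-mode service; capture the binPath= argument.
SC_KERNEL_RE = re.compile(
    r"\bsc(?:\.exe)?\s+create\s+\S+.*?type=\s*kernel.*?binpath=\s*\"?([^\"\s]+)", re.I)

def check_event(ev):
    """Return findings for one event. Field names mirror Sysmon (EventID,
    ImageLoaded, Hashes, Signature, CommandLine); the records are constructed."""
    findings = []
    m = re.search(r"MD5=([0-9a-fA-F]{32})", ev.get("Hashes", ""))
    if m and m.group(1).lower() in KNOWN_BAD_MD5:
        findings.append("ioc_hash:" + KNOWN_BAD_MD5[m.group(1).lower()])
    if ev.get("EventID") == 6:  # DriverLoad
        image = ev.get("ImageLoaded", "").lower()
        # Kernel drivers normally ship as .sys; the article's sample hides one as ntfs.bin.
        if not image.endswith(".sys"):
            findings.append("driver_non_sys_extension:" + image)
        # Avast-signed driver loaded outside an Avast directory (assumed install-path convention).
        if "avast" in ev.get("Signature", "").lower() and "\\avast" not in image:
            findings.append("avast_driver_outside_install_dir:" + image)
    if ev.get("EventID") == 1:  # ProcessCreate
        m = SC_KERNEL_RE.search(ev.get("CommandLine", ""))
        if m:
            findings.append("sc_create_kernel_service:" + m.group(1))
    return findings

def scan(events):
    """Map event index -> findings for every event that trips at least one check."""
    return {i: f for i, ev in enumerate(events) if (f := check_event(ev))}

# Constructed sample telemetry: a benign driver load, the sc.exe registration, the disguised load.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Hashes": "MD5=00000000000000000000000000000000", "Signature": "Microsoft Windows"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc create drv type= kernel binPath= C:\Windows\ntfs.bin"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\ntfs.bin",
     "Hashes": "MD5=a179c4093d05a3e1ee73f6ff07f994aa", "Signature": "Avast Software s.r.o."},
]
```

Running `scan(SAMPLE_EVENTS)` flags the second and third records and leaves the genuine ntfs.sys load alone; in production the same checks would run over real Sysmon event 1 and event 6 records rather than the constructed list.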
This discovery serves as a stark reminder of how trusted components can be weaponized by adversaries, emphasizing the need for proactive defense measures against advanced threats leveraging legitimate but vulnerable software components.