Full Report
Cybersecurity researchers have uncovered a new malicious campaign that leverages a technique called Bring Your Own Vulnerable Driver (BYOVD) to disarm security protections and ultimately gain access to the infected system. "This malware takes a more sinister route: it drops a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and manipulates it to carry out its destructive agenda," Trellix
Analysis Summary
# Main Topic
A new malicious campaign discovered by Trellix researchers that utilizes the Bring Your Own Vulnerable Driver (BYOVD) technique to bypass security protections, specifically by manipulating a legitimate Avast Anti-Rootkit driver (`aswArPot.sys`) to achieve kernel-level control.
## Key Points
- The core mechanism involves dropping and loading a legitimate Avast Anti-Rootkit driver (`aswArPot.sys`).
- The malware manipulates this driver to carry out "destructive agenda[s]," gaining deep access to terminate security processes at the kernel level.
- The driver is registered as a service using `sc.exe` to ensure its execution.
- Once active, the malware terminates 142 processes, including those belonging to antivirus and EDR solutions, to evade detection and tamper protection.
- The malware gains kernel-level access, allowing it to override user-mode security processes effortlessly.
## Threat Actors
- Attribution for the specific actors behind **this campaign** is currently **not clear**.
- The method (BYOVD) is noted as an increasingly common technique adopted by threat actors deploying ransomware.
## TTPs
- **Bring Your Own Vulnerable Driver (BYOVD):** The primary technique used to gain elevated privileges and bypass security controls.
- **Legitimate Driver Abuse:** The specific use of the signed Avast Anti-Rootkit driver (`aswArPot.sys`).
- **Persistence/Execution:** The dropped driver is registered as a service using the native Windows Service Control utility (`sc.exe`).
- **Defense Evasion:** Termination of running processes (142 processes targeted) at the kernel level to disable antivirus and EDR solutions.
- **Initial Access Vector:** Currently unknown.
## Affected Systems
- Systems running Windows.
- The malware specifically targets security software (antivirus and EDR solutions) running on the host, disabling it through kernel-level manipulation.
## Mitigations
- Monitoring for unauthorized loading or manipulation of signed, legitimate kernel-mode drivers, particularly those associated with security products like `aswArPot.sys`.
- Enhanced monitoring of service creation via `sc.exe` that targets known system or security drivers.
- Implementing kernel integrity checks to detect unauthorized driver manipulation or use.
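As an added example (not code from the Trellix report), the first two monitoring points above turned into detection logic run over constructed, simplified Windows event records: the JSON field names mirror System event 7045 ("A service was installed") and Sysmon event 6 ("Driver loaded"), while the watchlist contents and the user-writable directory list are assumptions to be tuned per environment.

```python
import json
from pathlib import PureWindowsPath

# Drivers already seen in BYOVD abuse; aswArPot.sys is the one named in the report above.
WATCHLIST = {"aswarpot.sys"}
# A kernel driver loaded from a user-writable directory is suspicious regardless of signature.
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\", "\\programdata\\", "\\appdata\\")

# Constructed, simplified records (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = [
    '{"EventID": 7045, "ServiceName": "aswArPot", "ServiceType": "kernel mode driver",'
    ' "ImagePath": "\\\\??\\\\C:\\\\ProgramData\\\\aswArPot.sys"}',
    '{"EventID": 6, "ImageLoaded": "C:\\\\Windows\\\\System32\\\\drivers\\\\aswArPot.sys",'
    ' "Signature": "Avast Software s.r.o.", "SignatureStatus": "Valid"}',
    '{"EventID": 7045, "ServiceName": "Updater", "ServiceType": "user mode service",'
    ' "ImagePath": "C:\\\\Users\\\\bob\\\\AppData\\\\Local\\\\Temp\\\\upd.exe"}',
]

def _normalise(image_path: str) -> str:
    # Drop quotes and the NT "\??\" prefix that 7045 ImagePath values often carry.
    p = image_path.strip().strip('"')
    return (p[4:] if p.startswith("\\??\\") else p).lower()

def analyse(event: dict) -> list[str]:
    """Return the reasons this event deserves an alert (empty list if none)."""
    if event.get("EventID") == 7045:
        if "kernel" not in event.get("ServiceType", "").lower():
            return []  # user-mode services are out of scope for this rule
        path = _normalise(event.get("ImagePath", ""))
    elif event.get("EventID") == 6:
        path = _normalise(event.get("ImageLoaded", ""))
    else:
        return []
    reasons, name = [], PureWindowsPath(path).name
    if name in WATCHLIST:
        # A valid vendor signature does not clear this: the driver is legitimate,
        # but its arrival on a host without that product installed is not.
        reasons.append(f"known BYOVD driver {name}")
    if any(d in path for d in SUSPICIOUS_DIRS):
        reasons.append(f"kernel driver from user-writable path {path}")
    return reasons

def detect(lines: list[str]) -> list[tuple[str, list[str]]]:
    # Run analyse() over JSON-line events and return (subject, reasons) per hit.
    alerts = []
    for line in lines:
        event = json.loads(line)
        if reasons := analyse(event):
            alerts.append((event.get("ServiceName") or event["ImageLoaded"], reasons))
    return alerts
```

On a fleet where the vendor's product is actually deployed, pair the watchlist hit with an inventory check so that legitimate installs do not page the on-call analyst.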
## Conclusion
This campaign represents a sophisticated use of the BYOVD technique, weaponizing a legitimate, signed driver associated with Avast security software to completely neutralize endpoint protection from within the kernel. Organizations should focus on monitoring kernel activity and unauthorized driver interaction, as the initial access vector remains unknown, suggesting this threat could be widespread.