
How Hackers Leverage Avast Anti-Rootkit Driver to Avoid Detection: All You Should Know

This BYOVD tactic relies on trusted system drivers to attain kernel-level privileges and suppress antivirus protections.

Security researchers have discovered a malware campaign in which attackers use a legitimate, vendor-signed Avast Anti-Rootkit driver, aswArPot.sys, to evade detection and disable security software. This BYOVD (Bring Your Own Vulnerable Driver) tactic relies on trusted, signed drivers to obtain kernel-level privileges and switch off antivirus and EDR protections from below, rather than attacking them from user mode.

How Does It Work?

The malware, identified as kill-floor.exe, starts by writing a copy of the legitimate Avast Anti-Rootkit driver (aswArPot.sys) to disk. The attackers use a trusted, signed kernel driver rather than building a malicious one from scratch because Windows refuses to load unsigned kernel code, and a driver carrying a valid vendor signature passes driver signature enforcement and is unlikely to be flagged by antivirus on sight. The driver itself is not malicious; what the attackers abuse is functionality it legitimately exposes. That lets the malware stay under the radar while it interferes with security processes.

Evasion

Once the Avast driver is on disk, the malware registers it as a kernel service with the Service Control tool (sc.exe) and starts it. With the driver loaded, the malware can make requests to it and borrow its kernel-level privileges to terminate security software, block processes, and hijack critical system functions. This makes the attack much harder for traditional antivirus programs to detect and stop: the antivirus is being killed from kernel mode, where its own user-mode defences do not reach.

Manipulation of Security Processes

The malware carries a hard-coded list of 142 process names belonging to commonly used antivirus and EDR products. It compares running processes against this list and uses the driver to terminate any match, which also defeats the products' tamper protection: protection that depends on a security product's own process staying alive, or on its protected-process status, does not help when the kill is issued from kernel mode. Being able to do this at the kernel level drastically increases the risk to affected systems.

BYOVD Attacks Risks

BYOVD attacks pose a particular challenge because the driver being abused is legitimate, signed software, such as Avast's Anti-Rootkit driver, so signature checks and reputation-based detection do not flag it. Once loaded, such a driver gives malware kernel-level control that it can use to hide, persist on the system, and blind security tooling, making the threat hard for security teams to identify.

What Can You Do to Protect Yourself?

To defend against BYOVD attacks, organizations should block known-vulnerable drivers (for example through the Microsoft vulnerable driver blocklist, which is enforced via HVCI and WDAC policy) and deploy EDR and antivirus products that recognise driver abuse rather than only the driver file, such as a kernel service being created from a user-writable path or a burst of security-process terminations right after a driver load. Stopping the driver from loading in the first place prevents the malware from taking control and bypassing security measures.
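The following is an added example and not code from the original article, from Avast, or from the researchers who analysed kill-floor.exe. It sketches the log-side detection that the attack chain above (driver dropped to disk, installed as a kernel service with sc.exe, security processes killed) and the protection advice just given both call for, and it generalises slightly beyond the article: any kernel service created from outside the normal driver directories is flagged, not only aswArPot.sys. The event records, the security-process names, and the watchlist are constructed for this example; the field names only loosely mirror Sysmon process-create, process-terminate and driver-load events and are not a real log format.

```python
"""Added example: detect the BYOVD chain (sc.exe kernel service from an untrusted
path, then security processes dying) over constructed, Sysmon-like events."""
import re

# Hypothetical watchlist; in production use the Microsoft vulnerable driver
# blocklist (which lists aswArPot.sys) or your own curated list.
VULN_DRIVER_NAMES = {"aswarpot.sys"}

# Assumption: legitimate kernel drivers are installed from these directories.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed stand-in for the malware's list of 142 security products.
SECURITY_PROCS = {"msmpeng.exe", "mssense.exe", "csfalconservice.exe", "sentinelagent.exe"}

SC_CREATE_RE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(?P<svc>\S+)(?P<rest>.*)", re.I)
SC_ARG_RE = re.compile(r"\b(?P<key>binpath|type)=\s*(?P<val>\"[^\"]*\"|\S+)", re.I)


def parse_sc_create(cmdline):
    """Parse `sc create <svc> binPath= "<path>" type= <type>`; None if not a create."""
    m = SC_CREATE_RE.search(cmdline)
    if not m:
        return None
    args = {k.lower(): v.strip('"') for k, v in SC_ARG_RE.findall(m.group("rest"))}
    return {"service": m.group("svc"),
            "binpath": args.get("binpath", ""),
            "type": args.get("type", "own").lower()}  # sc.exe defaults to type= own


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def driver_path_reasons(path):
    """Why a driver image path looks like BYOVD abuse; empty list means clean."""
    p = path.replace("/", "\\").lower()
    reasons = []
    if basename(p) in VULN_DRIVER_NAMES:
        reasons.append("vuln-name")
    if not p.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("untrusted-dir")
    return reasons


def analyze(events, window_s=120):
    """Return (severity, message) findings for a batch of events, sorted by time."""
    findings, last_driver_ts, kills = [], None, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["event"]
        if kind == "process_create" and basename(ev["image"]) == "sc.exe":
            sc = parse_sc_create(ev["cmdline"])
            if sc and sc["type"] == "kernel":
                reasons = driver_path_reasons(sc["binpath"])
                if reasons:
                    sev = "high" if "untrusted-dir" in reasons else "medium"
                    findings.append((sev, f"t={ev['ts']} {ev['parent']} installed kernel service "
                                          f"'{sc['service']}' from {sc['binpath']} [{', '.join(reasons)}]"))
                    last_driver_ts = ev["ts"]
        elif kind == "driver_load":
            reasons = driver_path_reasons(ev["image_loaded"])
            if reasons:
                sev = "high" if "untrusted-dir" in reasons else "medium"
                findings.append((sev, f"t={ev['ts']} driver loaded from {ev['image_loaded']} "
                                      f"signer={ev.get('signer', '?')} [{', '.join(reasons)}]"))
                last_driver_ts = ev["ts"]
        elif kind == "process_terminate" and basename(ev["image"]) in SECURITY_PROCS:
            # Sysmon does not record who ended a process, so correlate by time instead.
            if last_driver_ts is not None and ev["ts"] - last_driver_ts <= window_s:
                kills.append(basename(ev["image"]))
    if len(kills) >= 2:
        findings.append(("critical", f"{len(kills)} security processes ended within {window_s}s "
                                     f"of a suspicious driver install: {', '.join(kills)}"))
    return findings


# Constructed sample: the kill-floor.exe chain plus benign noise (a driver installed
# from the normal location, and a Defender process restart long after the window).
SAMPLE_EVENTS = [
    {"ts": 100, "event": "process_create", "image": r"C:\Users\victim\Downloads\kill-floor.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "kill-floor.exe"},
    {"ts": 101, "event": "process_create", "image": r"C:\Windows\System32\sc.exe",
     "parent": r"C:\Users\victim\Downloads\kill-floor.exe",
     "cmdline": r'sc create aswArPot.sys binPath= "C:\Users\Public\aswArPot.sys" type= kernel'},
    {"ts": 102, "event": "process_create", "image": r"C:\Windows\System32\sc.exe",
     "parent": r"C:\Users\victim\Downloads\kill-floor.exe", "cmdline": "sc start aswArPot.sys"},
    {"ts": 103, "event": "driver_load", "image_loaded": r"C:\Users\Public\aswArPot.sys",
     "signer": "Avast Software s.r.o."},
    {"ts": 105, "event": "process_terminate", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"ts": 106, "event": "process_terminate", "image": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    {"ts": 107, "event": "process_terminate", "image": r"C:\Program Files\CrowdStrike\CSFalconService.exe"},
    {"ts": 500, "event": "process_create", "image": r"C:\Windows\System32\sc.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'sc create mydrv binPath= "C:\Windows\System32\drivers\mydrv.sys" type= kernel'},
    {"ts": 900, "event": "process_terminate", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
]

if __name__ == "__main__":
    for sev, msg in analyze(SAMPLE_EVENTS):
        print(sev.upper(), msg)
```

On the constructed sample this yields two high findings (the sc.exe kernel-service creation and the driver load, both from outside trusted directories) and one critical finding for the three security-process terminations that follow. A host that legitimately runs Avast will still trip the name-only check for its own copy of aswArPot.sys under Program Files; that is reported at medium severity so it can be tuned to the vendor's install path, while the untrusted-directory check is what separates abuse from a normal install.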

This campaign is part of a more sophisticated wave of threats. The abuse of the Avast Anti-Rootkit driver underlines the need for solid, multi-layered security: following BYOVD best practices, above all blocking vulnerable drivers before they load, protects against aggressive, covert attacks that traditional antivirus products are not equipped to handle on their own.
