Security researchers have uncovered a malware campaign that abuses a legitimately signed but vulnerable version of Avast's anti-rootkit driver to disable antivirus protection on infected systems. The vulnerable driver dates from 2016, and attackers have been abusing it since at least 2021.
According to research by Trellix, the malware belongs to the AV Killer family and uses a technique known as bring-your-own-vulnerable-driver (BYOVD): rather than exploiting a flaw already present on the victim's machine, the attacker drops an old, vendor-signed driver with a known weakness and relies on Windows trusting that signature to load it into the kernel. In this campaign the driver is written to a Windows user folder under the innocuous name 'ntfs.bin' and registered as a service that poses as Avast's own.
The malware carries a hard-coded list of 142 process names belonging to security products from vendors including McAfee, Microsoft Defender, BlackBerry and Sophos. Once the driver is loaded, the malware enumerates running processes, compares them against the list and instructs the driver to terminate any match from kernel mode, where the user-mode self-protection built into antivirus products cannot stop it, leaving the system open to follow-on payloads.
"The malware leverages the DeviceIoControl API to execute commands that shut down security processes, effectively preventing antivirus programs from detecting the threat," explained security researchers at Trellix.
This is not the first abuse of Avast drivers. In 2021, the AvosLocker ransomware campaign similarly exploited an Avast Anti-Rootkit driver vulnerability. That same year, researchers at SentinelLabs identified and reported two high-severity flaws in Avast drivers, which Avast promptly patched.
The continuing abuse of legitimate, signed security components shows why patching the vendor's current product is not enough on its own: in a BYOVD attack the intruder brings the old driver along, so the fix must also stop that driver from loading. This is what Microsoft's vulnerable driver blocklist (enforced through Windows Defender Application Control and HVCI) is for, and vendors have to get their retired drivers onto it.
Defenders should therefore keep security software up to date, confirm that the vulnerable driver blocklist is enabled, and watch for two signals of antivirus tampering: a kernel-mode driver service being installed from a user-writable path such as a user profile or temp folder, and security product processes terminating without a corresponding update or shutdown.