Summary:
A recent discovery by the Trellix Advanced Research Center describes a campaign in which malware, tracked as kill-floor.exe, brings its own vulnerable driver: it drops a legitimate, validly signed Avast Anti-Rootkit driver and abuses it to act with kernel privileges. With that access the malware terminates the processes of installed security products and takes control of the host, leaving the victim's defenses inoperative.
Keypoints:
The malware drops a legitimate, signed Avast Anti-Rootkit driver (aswArPot.sys); because the signature is valid, Windows driver-signing enforcement loads it like any other vendor driver, and the malicious activity hides behind a trusted component.
It registers the dropped driver as a kernel service with the Service Control utility (sc.exe), so that the operating system loads the driver on the malware's behalf.
Once the driver is loaded the malware operates with kernel-level access and uses it to terminate the processes of security products, something a user-mode program would be blocked from doing.
BYOVD (Bring Your Own Vulnerable Driver) protections, such as Microsoft's vulnerable driver blocklist and driver allow-listing, help by refusing to load known-abusable drivers even though they are validly signed.
Indicators of compromise (IoCs) include the file hashes and file names listed below.
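The drop / sc.exe / kernel-kill chain in the keypoints above leaves telemetry that can be hunted for. The Python script below is an added example written for this summary, not code from Trellix or from the malware. It runs three rules over constructed Windows event records (Security event 4697 service installation, Sysmon event 1 process creation and Sysmon event 6 driver load): a kernel-driver service registered outside the drivers directory, an sc.exe create with type= kernel, and a driver load whose MD5 or file name matches the IoCs listed on this page. The sample records, the C:\Users\Public path, the parent process path, the service name, the role of ntfs.bin as the dropped driver file and the SHA256 placeholder are assumptions made for the sample, not observations from the research.

```python
"""Hunt for the BYOVD chain described above over constructed Windows telemetry.

Added example for this summary; the event records below are constructed, not captured.
"""
import re
from pathlib import PureWindowsPath

# MD5s copied from the IoC list on this page. The page does not state which file
# each hash belongs to, so both are matched against any loaded driver.
IOC_MD5 = {
    "40439f39f0195c9c7a3b519554afd17a",
    "a179c4093d05a3e1ee73f6ff07f994aa",
}
# File names from the IoC list plus the abused driver; compared case-insensitively.
IOC_NAMES = {"kill-floor.exe", "ntfs.bin", "aswarpot.sys"}

# sc.exe quirk: the space after '=' is mandatory ("type= kernel", "binPath= ...").
SC_CREATE_RE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(?P<svc>\S+)\s+(?P<args>.+)", re.I)
TYPE_KERNEL_RE = re.compile(r"\btype=\s*kernel\b", re.I)
BINPATH_RE = re.compile(r'\bbinpath=\s*(?:"([^"]+)"|(\S+))', re.I)


def is_outside_driver_dir(path: str) -> bool:
    """True unless the image lives under System32\\drivers.

    Accepts the forms service telemetry commonly carries: a full C:\\ path,
    \\SystemRoot\\System32\\drivers\\x.sys, or the relative System32\\drivers\\x.sys.
    """
    norm = path.strip('"').lower()
    return "system32\\drivers\\" not in norm


def md5_from_sysmon_hashes(hashes: str) -> str:
    """Pull the MD5 out of a Sysmon 'Hashes' field such as 'SHA256=..,MD5=..'."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "MD5":
            return value.strip().lower()
    return ""


def hunt(events):
    """Return (rule, subject, detail) tuples for every record that matches a rule."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # Sysmon process creation: sc.exe registering a kernel driver
            m = SC_CREATE_RE.search(ev.get("CommandLine", ""))
            if m and TYPE_KERNEL_RE.search(m["args"]):
                b = BINPATH_RE.search(m["args"])
                binpath = (b.group(1) or b.group(2)) if b else "?"
                findings.append(("sc-create-kernel-driver", m["svc"], binpath))
        elif eid == 4697 and ev.get("ServiceType") == "0x1":  # 0x1 = SERVICE_KERNEL_DRIVER
            path = ev["ServiceFileName"]
            if is_outside_driver_dir(path):
                findings.append(("kernel-driver-outside-drivers-dir", ev["ServiceName"], path))
        elif eid == 6:  # Sysmon driver load; a valid signature does not clear a BYOVD driver
            name = PureWindowsPath(ev["ImageLoaded"]).name.lower()
            md5 = md5_from_sysmon_hashes(ev.get("Hashes", ""))
            if md5 in IOC_MD5 or name in IOC_NAMES:
                findings.append(("driver-load-ioc-match", name, md5))
    return findings


# Constructed sample telemetry: one host running the chain, plus two benign records.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Users\Public\kill-floor.exe",  # parent path is an assumption
     "CommandLine": r"sc.exe create aswArPot.sys type= kernel binPath= C:\Users\Public\ntfs.bin"},
    {"EventID": 4697, "ServiceName": "aswArPot.sys", "ServiceType": "0x1",
     "ServiceStartType": "3", "ServiceFileName": r"C:\Users\Public\ntfs.bin"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\ntfs.bin", "Signed": "true",
     "Hashes": "SHA256=" + "0" * 64 + ",MD5=40439f39f0195c9c7a3b519554afd17a"},
    # Benign: a kernel driver installed where drivers belong, and a harmless sc.exe query
    {"EventID": 4697, "ServiceName": "tcpip", "ServiceType": "0x1", "ServiceStartType": "0",
     "ServiceFileName": r"\SystemRoot\System32\drivers\tcpip.sys"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc.exe query wuauserv"},
]

if __name__ == "__main__":
    for rule, subject, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:36} {subject:16} {detail}")
```

Two practical notes: Security event 4697 is only written when the "Audit Security System Extension" subcategory is enabled, so confirm that before relying on the service-installation rule; and the driver-load rule deliberately ignores the Signed field, because the whole point of BYOVD is that the abused driver carries a valid vendor signature.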
MITRE Techniques
Persistence / Privilege Escalation (T1543.003, Create or Modify System Process: Windows Service): created a service for the dropped, potentially vulnerable driver.
Persistence / Privilege Escalation (T1543.003): created a Windows service via sc.exe to run a binary from a suspicious path.
Execution (T1106, Native API): created a service that enumerates running processes.
Defense Evasion (T1014, Rootkit): suspicious process added a known vulnerable driver service.
Execution (T1059.001, Command and Scripting Interpreter: PowerShell): downloaded content from a third-party website with PowerShell.
IoC:
[File Hash] 40439f39f0195c9c7a3b519554afd17a
[File Hash] a179c4093d05a3e1ee73f6ff07f994aa
[File Name] kill-floor.exe
[File Name] ntfs.bin
Full Research: https://www.trellix.com/blogs/research/when-guardians-become-predators-how-malware-corrupts-the-protectors/