In a chilling discovery, Trellix Advanced Research Center has uncovered a malicious campaign that turns trusted security tools into instruments of attack. The malware manipulates Avast’s Anti-Rootkit driver (aswArPot.sys) to gain deep system access, disable protective measures, and take full control of compromised systems.
This sophisticated campaign is an example of a growing threat: the exploitation of kernel-mode drivers, usually designed to protect critical system components. When compromised, these drivers become potent weapons for malicious actors.
“What makes this even more alarming is the level of trust associated with kernel-mode drivers—designed to protect the system at its core—which, in this case, are being turned into tools of destruction,” explains Trishaan Kalra, Security Researcher at Trellix.
Infection Chain: A Trust-Breaching Beginning
The attack begins with the malware, identified as kill-floor.exe, dropping the legitimate Avast Anti-Rootkit driver into a hidden directory.
Because the driver is a genuine, signed Avast binary, loading it looks like an ordinary driver installation rather than the arrival of malicious code. Using the Service Control utility (sc.exe), the malware registers the dropped file as a kernel service named aswArPot.sys, the Avast driver's own name, and starts the service.
Once the service is running, any request the driver is willing to carry out on behalf of a user-mode caller executes with kernel privilege. The malware uses exactly that capability to terminate antivirus and endpoint detection and response (EDR) processes, crippling the system's defenses from below the layer at which those products protect themselves.
Kernel Privileges: A Weaponized Defender
The Avast Anti-Rootkit driver runs in kernel mode, so the operations it performs on the malware's behalf are not subject to the user-mode protections that security products rely on. Key steps in the attack include:
- Defining Security Targets: The malware carries a hardcoded list of 142 process names belonging to antivirus and EDR products.
- Driver Activation: After registering and starting the driver, the malware enters an infinite loop in which it repeatedly takes snapshots of the running processes.
- Process Termination: For every running process whose name matches the list, the malware opens a handle to the Avast driver's device and sends it a termination request through the DeviceIoControl API, passing the target's process ID. The driver carries out the termination in kernel mode, so the tamper protection of the targeted security software, which guards against user-mode callers, does not stop it.
Research into the driver revealed that it utilizes Windows kernel functions, such as KeAttachProcess and ZwTerminateProcess, to terminate processes at the kernel level.
The IOCTL Trigger: Exploiting Kernel Vulnerabilities
A critical part of this attack is a single Input/Output Control (IOCTL) code, 0x9988c094, which the driver interprets as a request to terminate a process. The malware passes this code to the driver via DeviceIoControl, with the target process ID as the input buffer, and the driver terminates that process.
“The Avast Anti-Rootkit driver interprets the IOCTL code (0x9988c094) as a command to terminate the specified security process that is passed by the malware alongside the code. Upon decompiling and disassembling the Avast Anti-Rootkit driver for research purposes, the function ‘FUN_14001dc80’ reveals the driver utilizing Windows kernel functions KeAttachProcess and ZwTerminateProcess to terminate the security processes on behalf of the malware,” Kalra says.
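An IOCTL value like the one above decomposes into the fields that the WDK's CTL_CODE macro packs into it, which is the first step an analyst takes when mapping a driver's dispatch routine or writing a detection for a specific request. The Python below is an added example for this article, not code from Trellix or from the driver; it relies only on the documented CTL_CODE bit layout, with the standard IOCTL_DISK_GET_DRIVE_GEOMETRY value (0x00070000) included for comparison.

```python
# Added example: decode a Windows IOCTL code into the fields that the WDK
# CTL_CODE macro packs into it. 0x9988c094 is the code the Trellix analysis
# attributes to the Avast Anti-Rootkit driver; the field layout below is the
# documented CTL_CODE layout, not something recovered from the driver.
#
#   bits 31..16  device type     (values >= 0x8000 are vendor-defined)
#   bits 15..14  required access (FILE_ANY / READ / WRITE)
#   bits 13..2   function number
#   bits  1..0   transfer method

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Pack the four fields exactly as the WDK CTL_CODE macro does."""
    if not (0 <= device_type <= 0xFFFF and 0 <= function <= 0xFFF
            and 0 <= method <= 3 and 0 <= access <= 3):
        raise ValueError("field out of range")
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code: int) -> dict:
    """Unpack a 32-bit IOCTL code; the result round-trips through ctl_code()."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("IOCTL codes are 32-bit")
    fields = {
        "device_type": code >> 16,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }
    assert ctl_code(**fields) == code  # sanity check on the bit layout
    return fields


def vendor_defined(code: int) -> bool:
    """Device-type values below 0x8000 are reserved for Microsoft, so anything
    at or above 0x8000 lives in a driver vendor's private IOCTL namespace."""
    return decode_ioctl(code)["device_type"] >= 0x8000


def describe(code: int) -> str:
    f = decode_ioctl(code)
    return (f"IOCTL 0x{code:08x}: device_type=0x{f['device_type']:04x}"
            f"{' (vendor-defined)' if vendor_defined(code) else ''} "
            f"function=0x{f['function']:03x} {METHODS[f['method']]} "
            f"{ACCESS[f['access']]}")


if __name__ == "__main__":
    # The Avast kill IOCTL. METHOD_BUFFERED means the PID the malware passes as
    # the input buffer is copied into the IRP's SystemBuffer, where the driver
    # reads it before calling KeAttachProcess / ZwTerminateProcess.
    print(describe(0x9988C094))
    # A standard Microsoft IOCTL for comparison (IOCTL_DISK_BASE = 7).
    print(describe(0x00070000))  # IOCTL_DISK_GET_DRIVE_GEOMETRY
```

For 0x9988c094 the decoder yields device type 0x9988 (vendor-defined), function 0x25, METHOD_BUFFERED and read-plus-write access, which is the signature to look for in any telemetry that records DeviceIoControl requests to the driver's device object.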
Mitigating the Threat: Protecting Against Driver-Based Attacks
The campaign highlights the risks posed by Bring Your Own Vulnerable Driver (BYOVD) attacks, in which a legitimately signed driver with a flaw (here, an IOCTL that lets any user-mode caller terminate an arbitrary process) is loaded and abused to act with kernel privilege. To counter these threats, entities can implement several safeguards:
- BYOVD Protection Rules: Deploy expert rules that detect and block specific vulnerable drivers based on their file hashes or signer details. Hash rules match only the exact driver builds listed, so the list has to be kept in step with Microsoft's vulnerable driver blocklist and other published sources.
- Endpoint Detection and Response (EDR) Integration: Incorporate these rules into EDR or antivirus solutions so that known-vulnerable drivers such as aswArPot.sys are blocked before they load.
- Proactive Vulnerability Management: Regularly audit the drivers present on endpoints and update or remove those with known vulnerabilities.
Trellix has published a BYOVD expert rule for aswArPot.sys that provides this additional layer of defense against kernel-mode attacks.
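As a concrete instance of the first two recommendations, here is a small detection routine, written for this article and not part of Trellix's rule set, that walks the infection chain described above over constructed Sysmon-style events: an Event ID 1 process creation in which sc.exe registers a kernel service from a path outside the system driver directory, followed by an Event ID 6 driver load whose SHA256 is on a vulnerable-driver blocklist or whose image is the file sc.exe just registered. The drop path, the parent process name and the blocklist hash are placeholders; a real deployment would populate the blocklist from Trellix's expert rule, Microsoft's vulnerable driver blocklist or loldrivers.io.

```python
# Added example: correlate sc.exe kernel-service registration with the
# subsequent driver load, and check the loaded driver against a blocklist.
# Events, paths and hashes below are constructed for illustration.
import re
from pathlib import PureWindowsPath

DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")

# Placeholder blocklist. Populate from the vendor's BYOVD expert rule, the
# Microsoft vulnerable driver blocklist or loldrivers.io; the hash below is a
# made-up value, NOT the real aswArPot.sys hash.
VULNERABLE_DRIVERS = {
    "1" * 64: "aswArPot.sys (Avast Anti-Rootkit, process kill via IOCTL 0x9988c094)",
}

SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(?P<svc>\S+)\s+(?P<args>.*)", re.I)
SC_ARG = re.compile(r'(\w+)=\s*("[^"]*"|\S+)')  # sc.exe syntax is "key= value"


def normalise_path(p: str) -> PureWindowsPath:
    """Strip quotes and the kernel \\??\\ prefix so paths compare equal."""
    p = p.strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return PureWindowsPath(p)


def parse_hashes(field: str) -> dict:
    """Sysmon 'Hashes' field: 'SHA256=...,MD5=...' -> {'SHA256': ..., 'MD5': ...}"""
    return {k.upper(): v.lower()
            for k, v in (kv.split("=", 1) for kv in field.split(",") if "=" in kv)}


def analyse(events):
    """Return (event_index, severity, reason) for every suspicious event."""
    alerts = []
    pending = {}  # binPath -> service name, from 'sc create ... type= kernel'
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:  # process creation
            m = SC_CREATE.search(ev.get("CommandLine", ""))
            if not m:
                continue
            args = {k.lower(): v for k, v in SC_ARG.findall(m["args"])}
            if args.get("type", "").lower() != "kernel" or not args.get("binpath"):
                continue
            binpath = normalise_path(args["binpath"])
            if binpath.parent != DRIVER_DIR:  # PureWindowsPath compares case-insensitively
                pending[binpath] = m["svc"]
                alerts.append((i, "medium",
                               f"kernel service {m['svc']!r} registered from non-standard path {binpath}"))
        elif ev["EventID"] == 6:  # driver load
            image = normalise_path(ev.get("ImageLoaded", ""))
            sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
            reasons = []
            if sha256 in VULNERABLE_DRIVERS:
                reasons.append(f"blocklisted driver: {VULNERABLE_DRIVERS[sha256]}")
            if image in pending:
                reasons.append(f"load follows sc create of kernel service {pending[image]!r}")
            if reasons:
                alerts.append((i, "high", "; ".join(reasons)))
    return alerts


# Constructed events modelled on Sysmon fields (not real telemetry).
EVENTS = [
    # hypothetical parent kill-floor.exe registers the dropped driver via sc.exe
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Users\victim\Downloads\kill-floor.exe",
     "CommandLine": r'sc.exe create aswArPot.sys type= kernel binPath= "C:\Users\Public\.cache\aswArPot.sys"'},
    # benign service install, not a kernel driver
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'sc create BackupAgent type= own binPath= "C:\Program Files\BackupAgent\agent.exe"'},
    # the dropped driver is loaded; its hash is the placeholder blocklist entry
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\.cache\aswArPot.sys",
     "Hashes": "SHA256=" + "1" * 64 + ",MD5=" + "2" * 32,
     "Signed": "true", "Signature": "Avast Software s.r.o."},
    # a normal driver load from the system driver directory
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\volsnap.sys",
     "Hashes": "SHA256=" + "3" * 64, "Signed": "true", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for idx, severity, reason in analyse(EVENTS):
        print(f"[{severity}] event {idx}: {reason}")
```

Because the malware registers the driver under the same service name the legitimate Avast product uses, the service name on its own is not a useful indicator; the signal is the binPath outside the driver directory, the user-mode parent of sc.exe, and the driver load that follows from that same path. The hash check catches the known build even when the attacker changes the file name or location, while the correlation rule catches a renamed or re-signed build the blocklist has not yet seen.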
A Conduit for System Penetration
Sarah Jones, Cyber Threat Intelligence Research Analyst at Critical Start, says the kill-floor.exe malware exemplifies a critical vulnerability in cybersecurity: the exploitation of trusted historical tools. “Threat actors skillfully weaponize deprecated system components, transforming established security infrastructure into a conduit for system penetration. This approach reveals a profound understanding of organizational blind spots, where the assumption of vendor-managed security creates critical gaps.”
Many entities rely on brand-name software, believing vulnerabilities are solely the vendor’s responsibility, she adds. “However, as software ages, vendors often cease critical updates, shifting the burden of maintenance to the end-user. This disconnect creates fertile ground for sophisticated threat actors who meticulously identify and exploit outdated system components.”
According to Jones, by repurposing an older Avast Anti-Rootkit driver, attackers can bypass modern security detection, gaining kernel-level access with minimal resistance. The strategy allows them to “hide in plain sight,” using a signed, legitimate driver as a Trojan horse to infiltrate and control target systems. This perpetual cat-and-mouse game underscores the need for proactive, comprehensive software management and continuous security vigilance.
Enhanced Detection Strategies Needed
This emphasizes an urgent need for enhanced detection strategies to monitor and block the use of outdated or vulnerable drivers, adds Jason Soroko, Senior Fellow at Sectigo. “This ‘bring-your-own-vulnerable-driver’ (BYOVD) strategy allows the malware to manipulate kernel-level privileges, enabling it to terminate security processes, disable protective software, and hijack the system with alarming efficiency.”
He says what sets this apart is the malware’s use of a hardcoded list of 142 security processes from major vendors, including Microsoft Defender, Symantec, and Trend Micro, which it systematically disables. The attack demonstrates the dangerous potential of repurposing trusted components of the operating system, exploiting their kernel-level access to override tamper protection.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.