# Yours Truly, Signed AV Driver: Weaponizing an Antivirus Driver **[cyber.aon.com/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/](https://cyber.aon.com/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/)** As we head into 2022, ransomware groups continue to plague our digital environment with new and interesting techniques to bypass Antivirus (AV) and Endpoint Detection and Response (EDR) solutions and ensuring the successful execution of their ransomware payloads. In December 2021, Stroz Friedberg’s Incident Response Services team engaged in a Digital Forensics and Incident Response (DFIR) investigation and environment-wide recovery of a Cuba ransomware incident. We discovered novel indicators of compromise (IOCs) utilizing an interesting technique. Here, as part of the Cuba’s toolset, the threat actor group executed a script that abused a function in an Avast Anti Rootkit kernel driver to terminate popular AV and EDR® processes. While the use of kernel drivers to target and kill AV and EDR solutions1 prior to encryption has been known and discussed for some time, the abuse of a signed and valid driver from an Antivirus vendor2 was surprisingly effective and ironic. At the time of writing this article, there are three different versions of the same attack. They are listed below in the order of implementation complexity: A self-contained PowerShell script, dropped alongside the Avast driver, that installs and loads the driver and executes a small number of functions to control the driver. An executable that unpacks and loads in memory a small executable to control the driver. Within this blog, we refer to this executable as the controller. Additional tools are used to install and load the Avast driver in the infected system. A batch script that installs a service to load the Avast kernel driver, then launches a PowerShell script to decode, load and execute the controller in memory. This article delves into the implementation of the third variant of the attack where the attacker uses a batch script as described in the third bullet point above. ## The Staging – Batch Script The first stage of the hijack starts with the threat actor dropping three files, a batch script, a PowerShell script, and an Avast driver, within the target system’s “C:\Windows” and “C:\Windows\Temp” directories. The threat actor executes the batch script to create and start a new service that utilizes a legitimate Avast Anti Rootkit kernel driver named aswArPot.sys. A short timeout is included to ensure the service is fully started, prior to the execution of the PowerShell script used to unpack and execute the controller. ``` @ echo off sc.exe create aswSP_ArPot2 binPath= C:\windows\temp\aswArPot.sys type= kernel sc.exe start aswSP_ArPot2 Timeout /t 3 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -executionpolicy bypass -file c:\windows\temp\SAMPLE.ps1 ## The Obfuscation – PowerShell Loader Script ``` The PowerShell script contains multiple layers of obfuscation which, when executed, decodes its contents, and rebuilds the controller. Once the PowerShell script finishes rebuilding the controller, it utilizes Windows Application Programming Interfaces (APIs) to load and execute the controller in memory. ----- ``` yp yp using System; using System.Diagnostics; using System.Runtime.InteropServices; public static class RANDOMSTRING1 { [DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr RANDOMSTRING2, uint RANDOMSTRING3, uint RANDOMSTRING4, uint RANDOMSTRING5); [DllImport("PowrProf.dll")] public static extern IntPtr EnumPwrSchemes(IntPtr RANDOMSTRING6, IntPtr RANDOMSTRING7); } '@ Function ouBmwjaLNIuXYiiWYYxZt() { return (([regex]::Matches('[Redacted_Base64_String…] ## The Controller – Malicious Portable Executable (PE) ``` The small (~5KB in size) PE loaded into memory proved to be simple, yet effective. The executable is designed to collate a list of actively running processes, then compare them to an obfuscated hardcoded list of CRC64 checksum values of AV and EDR processes names. If any process name directly correlates to an entry in the hardcoded list, an I/O Control (IOCTL) code is sent to the Avast driver, resulting in the termination of the process. Disassembling the sample on Ghidra provides insight into the hashing and comparison functions of the controller: 1. The initial function creates a handle to reference the recently installed Avast driver via the CreateFileW API. If the driver handle returns as valid, the executable calls a function to find and terminate processes. 2. Once inside this function, a snapshot of actively running processes is taken. The function then iterates through the lowercase Unicode representation of processes names and calculates a CRC64 checksum on each of them using the CRC64_ECMA_182 algorithm. ----- 3. The executable then cycles through the hardcoded list of CRC64 checksum values (QWORD_009c2030), each of which represents the name of known AV or EDR processes. In the sample discussed in this article, the hardcoded list contained 119 (0x77) CRC64 checksum values. 4. If the sample finds a match, it calls the Avast process termination function passing the handle of the Avast driver, and the matching process ID. 5. The DeviceIoControl API is called, which sends the 0x9988c094 IOCTL code to the Avast driver, along with the process ID. This results in the Avast driver terminating the process at Kernel level, bypassing tamper protection implemented in most AV and EDR products. ## The Kill – Avast IOCTL Code The aswArPot.sys Avast driver interprets the 0x9988c094 IOCTL code as a signal to terminate a given process. Below are the pieces of the Avast driver disassembled and decompiled for research purposes, which show the method to terminate a process from kernel mode, using KeAttachProcess and ZwTerminateProcess functions: ----- _Figure 1. IOCTL code comparison within Avast driver’s code, which calls its process terminating function_ ----- _Figure 2. Avast driver’s process terminating function_ This IOCTL code and function can be found on multiple versions of the aswArPot.sys Avast driver, including the version distributed on Avast products as of December 2021. However, it was confirmed, through behavioral analysis, that the latest distributed versions of the Avast driver are not susceptible to this abuse. Upon contacting the Avast Bug Bounty team, we have received confirmation that the issue was known and had been resolved by Avast on a February 2021 update of the driver. Furthermore, we have received confirmation that Avast has been in contact with Microsoft to have them invalidate the signature of older versions of the driver. Avast has been informed by Microsoft that a security update on March 2022 would contain the signature update. The specific aswArPot.sys driver utilized by the threat actors in this instance (SHA256: 4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1) has the following file version information: ----- Copyright: Copyright (c) 2021 AVAST Software Product: Avast Antivirus Description: Avast Anti Rootkit Original Name: aswArPot.sys Internal Name: aswArPot File Version: 21.1.187.0 Date signed: 2021-02-01 14:09:00 ## The Targets Different implementations of this driver’s abuse, found either on VirusTotal or on the engagements, contain different lists of targeted processes. The smallest PowerShell script implementation targets only one specific process. Three “early” versions of the PE found on VirusTotal contained clear-text strings of the targeted processes, along with the transparently named PDB path “F:\\Source\\WorkNew19\\KillAV\\Release\\KillAV.pdb“. These versions contained 53, 72 and 88 targeted processes with the PE compilation timestamps of October 28, November 2th nd and November 3, 2021, respectively. rd The PE with the longest target list of all, found during the Cuba ransomware incident, contained 110 unique targeted processes (after removing duplicates) represented as CRC64 checksum values. It also contained the newest PE compilation timestamp of all. Utilizing the HashDB API service from OpenAnalysis,3 we were able to recover the clear-text strings corresponding to the hardcoded CRC64 checksums of the latter sample mentioned above. The list contains process names from well-known AV and EDR vendors, which include, amongst others, processes names from SentinelOne, Cylance, Avast, Carbon Black,® ® ® ® Sophos, McAfee, and Malwarebytes . ® ® ® Below is the list of 110 targeted processes found in the latest PE: agentsvc.exe mfemms.exe SophosSafestore64.exe alsvc.exe msmpeng.exe sophosui.exe avastsvc.exe notifier.exe ssdvagent.exe avastui.exe ntrtscan.exe sspservice.exe avp.exe paui.exe svcgenerichost.exe avpsus.exe pccntmon.exe swc_service.exe bcc.exe psanhost.exe swi_fc.exe bccavsvc.exe psuamain.exe swi_service.exe ccsvchst.exe psuaservice.exe tesvc.exe clientmanager.exe remediationservice.exe TmCCSF.exe coreframeworkhost.exe repmgr.exe tmcpmadapter.exe coreserviceshell.exe RepUtils.exe tmlisten.exe cpda.exe repux.exe updaterui.exe cptraylogic.exe savadminservice.exe vapm.exe cptrayui.exe savapi.exe VipreNis.exe cylancesvc.exe savservice.exe vstskmgr.exe ds_monitor.exe SBAMSvc.exe wrsa.exe dsa.exe sbamtray.exe sophossafestore.exe ----- efrservice.exe sbpimsvc.exe sophoslivequeryservice.exe epam_svc.exe scanhost.exe sophososquery.exe epwd.exe sdcservice.exe sophosfimservice.exe hmpalert.exe SEDService.exe sophosmtrextension.exe hostedagent.exe sentinelagent.exe sophoscleanup.exe idafserverhostservice.exe SentinelAgentWorker.exe sophos ui.exe iptray.exe sentinelhelperservice.exe cloudendpointservice.exe klnagent.exe sentinelservicehost.exe cetasvc.exe logwriter.exe sentinelstaticenginescanner.exe endpointbasecamp.exe macmnsvc.exe SentinelUI.exe wscommunicator.exe macompatsvc.exe sepagent.exe dsa-connect.exe masvc.exe sepWscSvc64.exe responseservice.exe mbamservice.exe sfc.exe epab_svc.exe mbcloudea.exe smcgui.exe fsagentservice.exe mcsagent.exe SophosCleanM64.exe endpoint agent tray.exe mcsclient.exe sophosfilescanner.exe easervicemonitor.exe mctray.exe sophosfs.exe aswtoolssvc.exe mfeann.exe SophosHealth.exe avwrapper.exe mfemactl.exe SophosNtpService.exe ## Future Functionality? The PE found during the Cuba ransomware incident also contains a second smaller chunk of CRC64 checksums, which correspond to the names of three specific ransomware executables utilized by Cuba Ransomware: “a.exe”, “anet.exe” and “aus.exe”. These checksums sit next to unutilized strings “/c del“, “>> NUL” and “\\system32\\cmd.exe“. These strings are never referenced. Along with the recent iterations and enhancements on observed versions of this PE, these strings indicate that a potential future version of this executable could include a function to automatically delete the ransomware executables from disk. ## Closing Remarks The capabilities brought to the table by exploiting functionalities of a signed and widely distributed Antivirus piece of software, running under the highest privileges on a system, demonstrates the power of this technique. The sophistication and resources being applied by ransomware groups into new innovative ways to bypass security controls continues to increase. ## IOCs Below is a list of publicly found samples: **File Name** **SHA256 Hash** eset.ps1 8fcfa67e1fde51f7d99c3714f80b7672a0bb0d31c6cafdb5e7670b845d4dee98 A82.exe 4306c5d152cdd86f3506f91633ef3ae7d8cf0dd25f3e37bec43423c4742f4c42 KillAV.exe aeb044d310801d546d10b247164c78afde638a90b6ef2f04e1f40170e54dec03 ----- f68cea99e6887739cd82865f9b973664117af14c1a25d4917eec25ce4b26a381 c5e3b725080712c175840c59a37a5daa.virus ## ATT&CK® Mapping **Execution** T1059.001 – Command and Scripting Interpreter – PowerShell T1106 – Native API T1569.002 – System Services – Service Execution T1204.002 – User Execution – Malicious File **Defense Evasion** T1458.002 – Abuse Elevation Control Mechanism – Bypass User Access Control T1140 – Deobfuscate/Decode Files or Information T1211 – Exploitation for Defense Evasion T1574.010 – Hijack Execution Flow – Service File Permissions Weakness T1562.001 – Impair Defense – Disable or Modify Tools T1036.005 – Masquerading – Match Legitimate Name or Location T1027.001 – Obfuscated Files or Information – Binary Padding T1027.002 – Software Packing T1055.002 – Process Injection – Portable Execution Injection T1218 – Signed Binary Proxy Execution **Discovery** T1057 – Process Discovery _Acknowledgements: Special thanks to Aon’s Cyber Solutions team member, Nhan Huynh, for assistance with revising_ _content and ensuring accuracy._ Authors: Eduardo Mattos and Rob Homewood February 26, 2022 ©Aon plc 2022 This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own professional advisors or IT specialists before implementing any recommendation or following the guidance provided herein. Further, the information provided and the statements expressed are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources that we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. 1 How DoppelPaymer Hunts and Kills Windows Processes, https://www.crowdstrike.com/blog/how-doppelpaymer-huntsand-kills-windows-processes 2 Signed Binary Proxy Execution – T1218, https://attack.mitre.org/techniques/T1218/ 3 https://hashdb.openanalysis.net/ -----