
New Malware Uses Legitimate Antivirus Driver to Bypass All System Protections


In a concerning development, cybersecurity researchers at Trellix have uncovered a sophisticated malware campaign that exploits a legitimate antivirus driver to bypass system protections.

The malware, identified as “kill-floor.exe,” leverages the Avast Anti-Rootkit driver (aswArPot.sys) to gain kernel-level access, effectively neutralizing security software and taking control of infected systems.

This tactic highlights the growing trend of “Bring Your Own Vulnerable Driver” (BYOVD) attacks, where attackers weaponize trusted but flawed drivers to execute malicious activities.

Infection Chain and Exploitation

The infection begins with the malware dropping the Avast Anti-Rootkit driver in a Windows directory under the guise of a legitimate file named “ntfs.bin.”

[Figure: location of the Avast Anti-Rootkit driver dropped by the malware]

Using the Service Control utility (sc.exe), the malware registers the driver as a service, granting it unrestricted kernel-level privileges.

This access allows it to terminate critical security processes, disable endpoint detection and response (EDR) solutions ...
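The two steps described above (a kernel driver dropped under a non-driver name, then registered with sc.exe) leave a recognisable trace in service-installation telemetry. The following detection logic is an added example, not code from Trellix or gbhackers; the event records and command line are constructed, with simplified field names standing in for the Service Control Manager Event ID 7045 fields.

```python
"""Flag kernel-driver service registrations that fit the BYOVD pattern in the article."""
import re

# Constructed records modelled on Event ID 7045 (Service Control Manager); not real telemetry.
SAMPLE_EVENTS = [
    {"ServiceName": "ntfs_helper", "ImagePath": r"C:\Windows\ntfs.bin",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    # A legitimately installed copy of the same driver, in the normal location.
    {"ServiceName": "aswArPot", "ImagePath": r"\SystemRoot\System32\drivers\aswArPot.sys",
     "ServiceType": "kernel mode driver", "StartType": "system start"},
    {"ServiceName": "UpdaterSvc", "ImagePath": r"C:\Program Files\Tool\svc.exe",
     "ServiceType": "user mode service", "StartType": "auto start"},
]

# Constructed process-creation command line for the sc.exe registration step.
SAMPLE_SC_COMMAND = r'sc.exe create ntfs_helper type= kernel binPath= "C:\Windows\ntfs.bin"'

TRUSTED_DRIVER_DIR = re.compile(
    r"^(\\systemroot|%systemroot%|c:\\windows)\\system32\\drivers\\", re.I)


def driver_service_findings(event):
    """Return the reasons a kernel-driver registration looks suspicious (empty if none)."""
    reasons = []
    if event["ServiceType"].lower() != "kernel mode driver":
        return reasons  # user-mode services are out of scope for this rule
    path = event["ImagePath"].strip('"')
    if not path.lower().endswith(".sys"):
        reasons.append("kernel driver image without .sys extension")
    if not TRUSTED_DRIVER_DIR.match(path):
        reasons.append("kernel driver loaded from outside System32\\drivers")
    # A production rule would also compare the file hash against a known-vulnerable
    # driver list; no hash is given in the article, so none is hard-coded here.
    return reasons


def sc_kernel_driver_create(command_line):
    """Return the binPath if the command line registers a kernel driver with sc.exe, else None."""
    if not re.search(r"\bsc(?:\.exe)?\s+create\b", command_line, re.I):
        return None
    if not re.search(r"\btype=\s*kernel\b", command_line, re.I):
        return None
    m = re.search(r'\bbinpath=\s*"?([^"\s]+)', command_line, re.I)
    return m.group(1) if m else None


def scan(events):
    """Map each suspicious kernel-driver service name to its list of findings."""
    findings = {}
    for event in events:
        reasons = driver_service_findings(event)
        if reasons:
            findings[event["ServiceName"]] = reasons
    return findings
```

Only the renamed driver is flagged; the properly installed aswArPot.sys in System32\drivers passes, which is the distinction a detection needs to make before tuning on hash-based vulnerable-driver lists.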


Copyright of this story solely belongs to gbhackers.