A malicious campaign was recently observed that uses a legitimate, but outdated, Avast anti-rootkit driver and then manipulates it to terminate security processes, disable protective software, and seize control of an infected system.
In a Nov. 20 blog post, Trellix researchers said that instead of using a specially crafted driver to perform its malicious activities, the malware uses a trusted kernel driver. That gives it an air of legitimacy and lets it avoid raising alarms while it prepares to undermine the system’s defenses.
The Trellix researchers said what makes this campaign especially alarming is the level of trust associated with kernel-mode drivers: they are designed to protect the system at its core, but in this case one has been turned into a tool that conducts malicious activities.
The exploitation of these types of vulnerabilities illustrates the relentless creativity of hackers, said T. Frank Downs, senior director of proactive services at BlueVoyant. Downs said the bad actors often capitalize on companies that leave themselves open to attack by using outdated tools.
“Security teams can detect these types of attacks, but it can be challenging due to the deceptive nature of this type of malware, which leverages a legitimate, but outdated driver,” said Downs. “This driver might typically be trusted by the system, making detection more difficult. Ideally, companies should not rely on such outdated components or at least recognize the security risks they present.”
Downs said organizations can fortify their security against such attacks by implementing several measures, such as regular system and software patching and careful blacklisting to prevent the installation of outdated drivers. Additionally, Downs said a comprehensive vulnerability management program that proactively identifies, prioritizes, and addresses vulnerabilities offers even greater protection from these types of incidents.
Jason Soroko, senior fellow at Sectigo, said this campaign highlights an urgent need for enhanced detection strategies to monitor and block the use of outdated or vulnerable drivers. Soroko said this “bring-your-own-vulnerable-driver” (BYOVD) strategy lets the malware manipulate kernel-level privileges, enabling it to terminate security processes, disable protective software, and hijack the system with alarming efficiency.
“What sets this apart is the malware’s use of a hardcoded list of 142 security processes from major vendors, including Microsoft Defender, Symantec, and Trend Micro, which it systematically disables,” said Soroko. “The attack demonstrates the dangerous potential of repurposing trusted components of the operating system, exploiting their kernel-level access to override tamper protection.”
Sarah Jones, cyber threat intelligence research analyst at Critical Start, added that the "kill-floor.exe" malware exemplifies a critical vulnerability in cybersecurity: the exploitation of trusted historical tools. Jones said threat actors skillfully weaponize deprecated system components, transforming established security infrastructure into a conduit for system penetration. This approach reveals a profound understanding of organizational blind spots, where the assumption of vendor-managed security creates critical gaps.
“Many organizations rely on brand-name software, believing vulnerabilities are solely the vendor's responsibility,” said Jones. “However, as software ages, vendors often cease critical updates, shifting the burden of maintenance to the end-user. This disconnect creates fertile ground for sophisticated threat actors who meticulously identify and exploit outdated system components.”