However, specific to this instance, this variant's attempt to terminate an anti-virus product via TaskKill can also be foiled by that product's self-protection.
In this case, the attackers were able to study Avast's driver and add it to their arsenal as a means of disabling other vendors' security products. Once inside a network, the continuing trend of abusing legitimate tools and functions to mask malicious activity and the actors' presence grows in sophistication. Like previously documented malware and ransomware groups, AvosLocker takes advantage of vulnerabilities that have yet to be patched to get into organizations' networks. Other modern ransomware, such as Mespinoza/Pysa, modify the registry of infected systems during their routines to inform victims that they have been compromised. This variant is also capable of modifying other settings of the compromised system, such as disabling the legal notice. In addition, apart from its ready availability, the specific driver file appears to have been chosen for its ability to execute in kernel mode (and therefore to operate at high privilege). We think the same applies to the software deployment tool, which the malicious actors could later replace with other commercially available ones. While AvosLocker has been documented abusing AnyDesk as its preferred application for lateral movement, we note that other remote access applications could be abused in its place.
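The registry tampering described above (ransomware rewriting the Windows logon legal notice to announce the compromise, or clearing it) leaves a narrow, well-defined footprint that is easy to alert on. The following Python is an added detection example, not code from the original post or from any vendor: it classifies Sysmon-style registry value-set events (Event ID 13) and flags writes to the Winlogon LegalNoticeCaption / LegalNoticeText values by any process outside a small expected-writer baseline. The sample events, the process names and the baseline set are constructed for illustration and would need to be tuned to a real environment.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The two Winlogon values that control the pre-logon legal notice banner.
# Sysmon reports TargetObject with the hive abbreviated (HKLM\...).
LEGAL_NOTICE_VALUE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\"
    r"LegalNotice(Caption|Text)$",
    re.IGNORECASE,
)

# Processes allowed to change the banner in normal administration.
# Assumption: this baseline is illustrative; replace it with the
# environment's own (Group Policy refresh is the usual legitimate writer).
EXPECTED_WRITERS = {"gpupdate.exe", "svchost.exe"}

SYSMON_REGISTRY_VALUE_SET = 13


@dataclass
class RegistryEvent:
    """Minimal view of a Sysmon RegistryEvent record."""
    event_id: int
    image: str          # full path of the process that performed the write
    target_object: str  # registry path of the value that was written
    details: str        # new data written ("" when the value was cleared)


def classify(ev: RegistryEvent) -> Optional[str]:
    """Return a finding for one event, or None if it is not interesting."""
    if ev.event_id != SYSMON_REGISTRY_VALUE_SET:
        return None
    if not LEGAL_NOTICE_VALUE.match(ev.target_object):
        return None
    writer = ev.image.rsplit("\\", 1)[-1].lower()
    if writer in EXPECTED_WRITERS:
        return None
    action = "cleared" if ev.details == "" else "set"
    value_name = ev.target_object.rsplit("\\", 1)[-1]
    return f"{writer} {action} {value_name} (data={ev.details!r})"


def scan(events: Iterable[RegistryEvent]) -> List[str]:
    """Run classify() over a stream of events and collect the findings."""
    return [finding for finding in map(classify, events) if finding]


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    # Benign: Group Policy refresh applies the corporate banner.
    RegistryEvent(13, r"C:\Windows\System32\gpupdate.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption",
                  "Authorized use only"),
    # Not a value write (key created), so ignored regardless of writer.
    RegistryEvent(12, r"C:\Users\Public\payload.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
                  ""),
    # Suspicious: an unexpected binary overwrites the banner text.
    RegistryEvent(13, r"C:\Users\Public\payload.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText",
                  "constructed ransom note text"),
    # Suspicious: the same binary clears the caption (banner disabled).
    RegistryEvent(13, r"C:\Users\Public\payload.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption",
                  ""),
    # Unrelated Winlogon value, not part of the legal notice.
    RegistryEvent(13, r"C:\Users\Public\payload.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
                  "explorer.exe"),
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Both setting and clearing the values are reported, because the post describes ransomware doing either. The `Shell` write in the sample is deliberately left out of this rule; it is a separate persistence indicator and would belong to its own detection rather than being folded into a banner-tampering alert.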