Management Consulting
Aon
Full Credential Description
In December 2021, Stroz Friedberg's Incident Response Services team conducted a Digital Forensics and Incident Response (DFIR) investigation following a Cuba ransomware incident. The investigation revealed a novel technique employed by the threat actor group: abusing a function in an Avast® Anti Rootkit kernel driver to terminate various Antivirus (AV) and Endpoint Detection and Response (EDR) processes. This method was particularly alarming because it relied on a signed and valid driver from a reputable antivirus vendor, showing a sophisticated approach to bypassing security measures.

The attack was executed through a batch script that dropped three files (a batch script, a PowerShell script, and the Avast driver) into the target system's directories. The batch script created and started a new service using the legitimate Avast driver, which was then exploited to terminate AV and EDR processes before the ransomware payload was executed. The PowerShell script employed multiple layers of obfuscation to decode and execute a malicious controller in memory, designed to identify and terminate processes associated with well-known AV and EDR solutions.

The controller, a small executable, compared the names of running processes against a hardcoded list of checksums corresponding to AV and EDR process names. When a match was found, it sent a specific IOCTL code to the Avast driver, which terminated the identified process at the kernel level. Because the termination happened in the kernel, this technique bypassed the tamper-protection mechanisms typically implemented by AV and EDR products. The investigation also confirmed that the specific version of the Avast driver exploited in this incident was vulnerable, and that subsequent updates from Avast had addressed the issue.
Avast's Bug Bounty team acknowledged the problem and confirmed that they had worked with Microsoft to invalidate the signatures of older driver versions, with a security update scheduled for March 2022 to address these vulnerabilities. The findings from this case study underscore the evolving tactics of ransomware groups and the critical need for continuous updates and vigilance in cybersecurity measures to protect against such sophisticated attacks.
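As an added defender-side example (not part of the Stroz Friedberg case study), the following Python flags Windows Event ID 7045 service-install records in which a kernel-mode driver is registered from a user-writable or non-standard directory, which is the footprint left when a batch script creates a new service for a dropped driver as described above. The log lines, their flattened key=value layout, and the service names and paths are constructed for this example; the real 7045 event carries the same information under different field names.

```python
import re

# Constructed sample of Windows System log Event ID 7045 ("A service was installed")
# records, flattened to one key=value line each. Names and paths are made up.
SAMPLE_EVENTS = [
    "EventID=7045 ServiceName=kbdclass2 ServiceType=kernel mode driver StartType=boot start ImagePath=\\SystemRoot\\System32\\drivers\\kbdclass2.sys",
    "EventID=7045 ServiceName=vendor_av_rk ServiceType=kernel mode driver StartType=demand start ImagePath=C:\\Users\\Public\\vendor_av_rk.sys",
    "EventID=7045 ServiceName=updater ServiceType=user mode service StartType=auto start ImagePath=\"C:\\Program Files\\Updater\\updater.exe\"",
    "EventID=7045 ServiceName=stage_drv ServiceType=kernel mode driver StartType=demand start ImagePath=\\??\\C:\\ProgramData\\tmp\\stage.sys",
]

# key=value pairs; values may contain spaces, so stop only before the next " key=" or end of line
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|.+?)(?= \w+=|$)')
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_event(line):
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def normalize_image_path(path):
    """Reduce the ImagePath spellings a driver service can use to one lower-case absolute form."""
    p = path.strip('"')
    if p.lower().startswith("\\??\\"):                 # NT object-manager prefix
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):         # \SystemRoot\... form
        p = "C:\\Windows\\" + p[len("\\systemroot\\"):]
    if p.lower().startswith("system32\\"):             # relative-to-%SystemRoot% form
        p = "C:\\Windows\\" + p
    return p.lower()


def classify_driver_install(line):
    """Return (service, path, reason) for a suspicious kernel-driver install, else None."""
    ev = parse_event(line)
    if ev.get("EventID") != "7045" or ev.get("ServiceType") != "kernel mode driver":
        return None
    path = normalize_image_path(ev["ImagePath"])
    if path.startswith(USER_WRITABLE_DIRS):
        return (ev["ServiceName"], path, "kernel driver loaded from user-writable directory")
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        return (ev["ServiceName"], path, "kernel driver outside the standard driver directories")
    return None


def find_suspicious_driver_installs(lines):
    return [f for f in (classify_driver_install(l) for l in lines) if f]


if __name__ == "__main__":
    for service, path, reason in find_suspicious_driver_installs(SAMPLE_EVENTS):
        print(f"{service}: {reason} ({path})")
```

A hit on this rule is a lead, not a verdict: legitimate installers also register drivers from temporary paths, so correlate with the signer of the file, the process that created the service, and any AV/EDR process terminations that follow.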