

An “antivirus killer” is a colloquial term used to describe malicious software designed to disable or interfere with the functionality of antivirus software on a computer or device. These programs aim to bypass or neutralize the security measures put in place by antivirus programs, leaving the system open to other malware infections.

What It Does

RealBlindingEDR is an open-source tool designed to disable endpoint detection and response (EDR) products.

An EDR (endpoint detection and response) vendor provides security solutions that focus on protecting endpoints such as workstations and servers from cyber threats. These vendors offer tools that monitor endpoint activity, detect suspicious behavior, and support incident response. EDR solutions are crucial for organizations facing the increasing sophistication and frequency of cyberattacks.

Antivirus killers in general may achieve this by one or more of the following (RealBlindingEDR itself concentrates on the first, at the kernel level):

Disabling real-time protection: Preventing the product from scanning files and processes as they are accessed, or from receiving the events it needs in order to do so.

Interfering with updates: Blocking the product’s ability to download and install new definition files, leaving the endpoint exposed to newer threats.

Altering settings: Modifying the product’s configuration to allow malware to run or spread.

Deleting or corrupting files: Damaging the security software itself or its associated files.

How It Does It

RealBlindingEDR achieves this by disabling the kernel-level hooks and callbacks that EDR solutions register to observe system activity: process, thread and image-load notify routines, registry callbacks, object-handle callbacks and file-system minifilter callbacks.

  • Targets specific EDR vendors: RealBlindingEDR has a hardcoded list of EDR vendors it targets, including well-known names like Sophos, Trend Micro, Kaspersky, Malwarebytes, and others.
  • Disables callbacks: The tool reads the company name from each loaded driver’s metadata and, if it matches an entry on the hardcoded list, clears the callbacks that driver registered. These callbacks are how the EDR learns about process creation, image loads, registry changes and handle requests; without them it has nothing to analyze.
  • Effect: By removing these callbacks, RealBlindingEDR essentially “blinds” the EDR, rendering it incapable of detecting and responding to malicious activity. Because the object-handle callbacks are also what an EDR uses to protect its own processes from being terminated, stripping them additionally lets the attacker stop or uninstall the agent outright.

In essence, RealBlindingEDR acts as an EDR-bypass tool used by attackers (and sometimes in red team exercises*) to create a window of opportunity in which further malicious activity goes unseen by endpoint security solutions. Note that such tools require elevated privileges (administrator access, and typically the ability to load a kernel driver) to operate, and they are not used as an initial infection vector.

RealBlindingEDR Today

Security researchers at Trend Micro have found an antivirus-killing tool that attackers are using before dropping any additional payloads: a custom variant of RealBlindingEDR.

This tool comes with a hardcoded list of antivirus company names:

  • Trend Micro
  • Kaspersky
  • Sophos
  • SentinelOne
  • Malwarebytes
  • Cynet
  • McAfee
  • Bitdefender
  • Broadcom (Symantec)
  • Cisco
  • Fortinet
  • Acronis

When it is placed on a device, it looks for these names in driver metadata and, where it finds one, disables that vendor’s kernel-level hooks and callbacks, essentially blinding the detection engine. Trend Micro’s researchers also found the attackers silently uninstalling antivirus programs altogether, clearing the way for stage-two malware.
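To make the mechanism described in the “How It Does It” section and restated above concrete (a callback table the kernel walks, a vendor match on driver metadata, and what the EDR loses once its slots are cleared), here is an added example written for this page. It is not RealBlindingEDR’s code and it runs in user mode as a model: the vendor names, the stand-in notify routines and the digest self-check are constructed for illustration, and the direct writes to the table stand in for the kernel read/write primitive a real tool needs.

```c
/* Added model of kernel notify-routine callbacks and "blinding" (not RealBlindingEDR code).
 * Vendor names and routines are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CALLBACKS 8

typedef void (*process_notify_fn)(uint32_t pid, int create);

/* One slot of a modelled PsSetCreateProcessNotifyRoutine-style array. The real
 * array holds only routine pointers; the owner's CompanyName (read from the
 * driver's version resource in practice) is carried here to show the vendor match. */
struct callback_slot {
    process_notify_fn routine;   /* NULL means empty, or cleared by an attacker */
    char company[32];
};

static struct callback_slot g_table[MAX_CALLBACKS];
static int g_notified;           /* deliveries counted during the last dispatch */
static uint64_t g_baseline;      /* digest recorded by the defender's self-check */

/* Constructed stand-in for the tool's hardcoded vendor list. */
const char *const demo_targets[] = { "Vendor A", "Vendor B" };

/* Stand-ins for vendor driver callbacks; each just records that it was called. */
void vendor_a_notify(uint32_t pid, int create) { (void)pid; (void)create; g_notified++; }
void vendor_b_notify(uint32_t pid, int create) { (void)pid; (void)create; g_notified++; }
void backup_agent_notify(uint32_t pid, int create) { (void)pid; (void)create; g_notified++; }

void reset_table(void) { memset(g_table, 0, sizeof g_table); g_notified = 0; g_baseline = 0; }

/* Like PsSetCreateProcessNotifyRoutine(): store the routine in a free slot. */
int register_callback(process_notify_fn fn, const char *company)
{
    for (int i = 0; i < MAX_CALLBACKS; i++) {
        if (g_table[i].routine == NULL) {
            g_table[i].routine = fn;
            snprintf(g_table[i].company, sizeof g_table[i].company, "%s", company);
            return i;
        }
    }
    return -1;                   /* table full */
}

/* What the kernel does on process creation: call every non-empty slot.
 * Returns how many callbacks actually saw the event. */
int dispatch_process_create(uint32_t pid)
{
    g_notified = 0;
    for (int i = 0; i < MAX_CALLBACKS; i++)
        if (g_table[i].routine != NULL)
            g_table[i].routine(pid, 1);
    return g_notified;
}

/* The blinding step: with an arbitrary kernel write, null the routine pointer of
 * every slot whose owner is on the target list. Returns the number cleared. */
int blind_callbacks(const char *const *targets, size_t ntargets)
{
    int cleared = 0;
    for (int i = 0; i < MAX_CALLBACKS; i++) {
        if (g_table[i].routine == NULL) continue;
        for (size_t t = 0; t < ntargets; t++) {
            if (strcmp(g_table[i].company, targets[t]) == 0) {
                g_table[i].routine = NULL;   /* the EDR keeps running but is never called again */
                cleared++;
                break;
            }
        }
    }
    return cleared;
}

/* Defender-side self-check: FNV-1a over the routine pointers. A driver that records
 * this at registration time and recomputes it periodically notices a cleared slot. */
uint64_t table_digest(void)
{
    uint64_t h = 1469598103934665603ULL;
    for (int i = 0; i < MAX_CALLBACKS; i++) {
        uintptr_t p = (uintptr_t)g_table[i].routine;
        for (size_t b = 0; b < sizeof p; b++) {
            h ^= (p >> (8 * b)) & 0xffu;
            h *= 1099511628211ULL;
        }
    }
    return h;
}

void snapshot_digest(void) { g_baseline = table_digest(); }
int digest_tampered(void) { return table_digest() != g_baseline; }

int main(void)
{
    reset_table();
    register_callback(vendor_a_notify, "Vendor A");
    register_callback(vendor_b_notify, "Vendor B");
    register_callback(backup_agent_notify, "Backup Co");   /* not an EDR, left alone */
    snapshot_digest();

    printf("before blinding: %d callbacks notified\n", dispatch_process_create(4242));
    printf("cleared %d slots\n", blind_callbacks(demo_targets, 2));
    printf("after blinding:  %d callbacks notified\n", dispatch_process_create(4243));
    printf("self-check sees tampering: %s\n", digest_tampered() ? "yes" : "no");
    return 0;
}
```

The point the model makes is that nothing crashes and nothing is unloaded: the vendor processes stay up, but the kernel simply stops calling them, which is why a periodic integrity check over the registered pointers (or PatchGuard-style protection of those arrays) is the defender’s counterpart to this technique.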

Crypto24

The tool was seen in use by a hacking collective called Crypto24, a nascent ransomware group first spotted in September 2024. The researchers nevertheless believe the group consists of former members of other, now-defunct collectives, since its operators are highly skilled and experienced.

History

Antivirus-disabling malware is not new. In June 2010, BitDefender, a provider of internet security solutions, reported a trojan it named Backdoor.MSIL.Bot.A. Written for the .NET Framework, it could run on any Windows machine with the framework installed, and it carried a series of routines designed to disable antivirus software and capture user data.

Here’s the breakdown of Backdoor.MSIL.Bot.A:

Backdoor: This indicates that the malware creates a hidden entry point into an infected system, allowing unauthorized remote access and control by an attacker.

MSIL: This specifies the platform or framework that the malware targets or was built with, in this case, Microsoft Intermediate Language (MSIL). This is commonly associated with applications developed using the .NET framework.

Bot: This suggests that the backdoor may be used to turn the compromised computer into a “bot” or “zombie” that can be controlled as part of a botnet. Botnets are networks of infected computers used for various illicit activities, including sending spam, launching denial-of-service attacks, and distributing other malware.

A: This typically represents a specific variant or version within the larger malware family. 

CVE-2022-26522 and CVE-2022-26523 show the other route to the same goal: rather than bringing a tool that strips callbacks, attackers abuse a bug in the security product’s own kernel driver. Researchers at SentinelLabs discovered both vulnerabilities in the Avast Anti-Rootkit driver (aswArPot.sys), which ships with Avast and AVG antivirus. Both are local privilege-escalation flaws caused by the driver trusting data supplied from user mode, and both were found by reverse engineering the driver’s request handlers rather than by observing attacks. Avast fixed them in version 22.1 before the public disclosure in May 2022, but because the vulnerable driver is validly signed, attackers have since carried it onto victim machines themselves in bring-your-own-vulnerable-driver (BYOVD) campaigns.

Here’s the breakdown:

Vulnerability Analysis: SentinelLabs analyzed the Avast and AVG driver, focusing on how its handlers validated the pointers and lengths they received from user mode.

Discovery of Out-of-Bounds Access: One of the two flaws lay in a socket-connection handler that used user-controlled data without adequate validation, allowing memory outside the intended buffer to be accessed.

Double Fetch and Privilege Escalation: The other handler performed a double fetch of the Length field from a user-controlled pointer: it read the field once to validate it and again to use it. Because user memory can change between the two reads, a local attacker who swaps in a larger value after the check makes the driver operate on a length it never validated, and from there escalates to kernel privileges. SentinelLabs noted that the bugs could be triggered from sandboxed contexts, which makes them useful as a second stage after a browser or application compromise, not only for a logged-on user.

Exploitation in the Wild: No abuse was known at disclosure, but the signed driver was soon being dropped by ransomware operators (Trend Micro documented AvosLocker using aswArPot.sys to disable antivirus in 2022), and it has remained a BYOVD staple since.

Detection and Mitigation: The vulnerabilities were addressed in Avast and AVG 22.1 and later. Exploitation is entirely local (requests sent to the driver through DeviceIoControl), so network signatures do not help; detection instead relies on driver-load telemetry such as Sysmon Event ID 6, matched on the file’s hash, signer and OriginalFilename rather than its on-disk name, because BYOVD loaders rename the driver. Microsoft’s vulnerable driver blocklist, enforced through HVCI or a WDAC policy, prevents the old driver from loading at all.

The same driver was still being exploited in 2024: a campaign reported that year employed the BYOVD tactic, dropping aswArPot.sys on victims to deactivate security tools. Its loader carried a hardcoded list of 142 security process names from various vendors and used the driver’s kernel-mode process-termination capability to kill them, reaching the same end state that RealBlindingEDR reaches by removing callbacks.

CVE-2022-26522 and CVE-2022-26523 affect Avast and AVG products, and both vendors addressed them through security updates. Note that updating the product only removes the vulnerable driver from that installation; a copy of the old signed driver can still be loaded on any machine that does not enforce the driver blocklist, which is exactly what the BYOVD campaigns rely on.

According to Avast, the vulnerable feature was introduced in Avast 12.1, released in June 2016. Given that the flaw went unnoticed for nearly six years, millions of users were likely exposed.
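The double-fetch bug class behind the aswArPot.sys findings is easy to misread as a simple missing check, so here is an added example, written for this page and not taken from Avast’s driver or SentinelLabs’ analysis, that shows the vulnerable handler next to its fix. The request layout, the 64-byte kernel buffer and the race hook are constructed: a real exploit wins the race by hammering the Length field from a second thread, whereas the hook here flips it at exactly the point between the driver’s two reads so the outcome is deterministic.

```c
/* Added model of the double-fetch (TOCTOU) bug class behind the aswArPot.sys
 * vulnerabilities, with the corrected handler beside it. Not Avast's code: the
 * structure layout, buffer size and race hook are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KERNEL_BUF_SIZE 64u

/* Request as it would sit in user memory. volatile: the driver cannot assume the
 * field is stable between two reads, because another user thread can write it. */
struct user_request {
    volatile uint32_t Length;
    uint8_t Data[4096];
};

/* Stands in for the attacker's second thread. The model calls it between the
 * driver's two fetches so the race is won deterministically. */
typedef void (*race_hook_fn)(struct user_request *req);

void attacker_grow_length(struct user_request *req) { req->Length = 4096; }

/* Vulnerable pattern: validate req->Length, then read req->Length again to use it.
 * Returns the byte count the driver would copy, or -1 if it rejected the request.
 * The copy itself is clamped so the demonstration cannot corrupt memory. */
int handler_vulnerable(struct user_request *req, uint8_t *kbuf, race_hook_fn race)
{
    if (req->Length > KERNEL_BUF_SIZE)          /* fetch #1: the check */
        return -1;
    if (race) race(req);                         /* attacker flips Length now */
    uint32_t n = req->Length;                   /* fetch #2: the use, never re-checked */
    memcpy(kbuf, req->Data, n > KERNEL_BUF_SIZE ? KERNEL_BUF_SIZE : n);
    return (int)n;                               /* 4096 here means a 4032-byte kernel overflow */
}

/* Fixed pattern: fetch once into a kernel-owned local, validate that, use that. */
int handler_fixed(struct user_request *req, uint8_t *kbuf, race_hook_fn race)
{
    uint32_t n = req->Length;                   /* single fetch */
    if (n > KERNEL_BUF_SIZE)
        return -1;
    if (race) race(req);                         /* too late: n is already captured */
    memcpy(kbuf, req->Data, n);
    return (int)n;
}

/* Scenario helpers: set the user-supplied Length, run a handler, return its result. */
static struct user_request g_req;               /* static: Data alone is 4 KiB */
static uint8_t g_kbuf[KERNEL_BUF_SIZE];

int try_vulnerable(uint32_t length, int with_race)
{
    g_req.Length = length;
    return handler_vulnerable(&g_req, g_kbuf, with_race ? attacker_grow_length : NULL);
}

int try_fixed(uint32_t length, int with_race)
{
    g_req.Length = length;
    return handler_fixed(&g_req, g_kbuf, with_race ? attacker_grow_length : NULL);
}

int main(void)
{
    memset(g_req.Data, 0x41, sizeof g_req.Data);
    printf("vulnerable, no race:   copies %d bytes\n", try_vulnerable(16, 0));
    printf("vulnerable, race won:  copies %d bytes into a %u-byte buffer\n",
           try_vulnerable(16, 1), KERNEL_BUF_SIZE);
    printf("fixed, race attempted: copies %d bytes\n", try_fixed(16, 1));
    printf("fixed, oversized:      returns %d (rejected)\n", try_fixed(4096, 0));
    return 0;
}
```

The fix is not a second bounds check but a single capture: once the length lives in kernel-owned memory, nothing the user thread does afterwards can change what the handler validated. Windows drivers face the same rule for any user-mode pointer, which is why probe-and-capture (ProbeForRead followed by a copy into a local) is the standard idiom.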

*Red team exercises are simulated cyberattacks used to assess and improve an organization’s security posture.

