Hackers keep innovating in the way they launch malware attacks, whether to steal money or sensitive information from their victims. And even though we have antivirus protection on our computers, this attack against Windows can completely knock down the Microsoft software protection system.
In fact, this time it has. Hackers have found an effective way to disable certain antivirus products on Windows computers, which opens the door for them to deploy all kinds of malware on PCs that have been left without protection. We will also tell you what security experts and Microsoft recommend.

The malware that disables an antivirus
Over the past year, the cybersecurity company AhnLab Security discovered two such attacks. In these, the attackers exploited two vulnerabilities in Sunlogin, a remote control program developed in China. The problem is that two remote code execution vulnerabilities have been discovered in this remote control program: CNVD-2022-10270 and CNVD-2022-03672. They are present in Sunlogin v11.0.0.33 and earlier.
Through these, the attackers deploy an encrypted PowerShell script that deactivates the protection software on the Windows device, in this case the antivirus currently enabled on the computer. Those PowerShell scripts decode a portable .NET executable, a modified version of the open source Mhyprot2DrvControl program, which abuses a vulnerable Windows driver to gain kernel-level privileges. Specifically, Mhyprot2DrvControl obtains those elevated privileges through the mhyprot2.sys driver.

Once attackers have completely disabled the antivirus on a Windows computer, they have a new goal: to install whatever malware they want, whether to steal private data (bank information, user information…) or for any other purpose, such as spying on the victims. On different occasions they have even installed malware such as Sliver, Gh0st RAT (a remote access Trojan) or cryptocurrency-mining software such as XMRig.
Use the BYOVD technique
The method used is known as BYOVD (Bring Your Own Vulnerable Driver): the attacker brings along a vulnerable driver, loads it on the victim's machine and abuses it to gain kernel-level privileges, as described above with mhyprot2.sys. To prevent precisely this, Microsoft recommends that Windows administrators enable the Vulnerable Driver Blocklist in order to protect against BYOVD attacks.
And it is not only Microsoft that makes this recommendation: the cybersecurity experts at AhnLab Security make it clear that, if we are using this program on our Windows PC, we must not only update Sunlogin to the patched version that closes these two vulnerabilities, but also keep the operating system up to date. In this way we can avoid falling into the trap of these hackers and, above all, will not have to deal with this particular malware.
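The following PowerShell script is an added example for administrators, not code from the article, from AhnLab or from Microsoft. It checks, on one Windows host, the three things the text above recommends or describes: whether the Microsoft Vulnerable Driver Blocklist setting is enabled, whether HVCI (memory integrity, which enforces that blocklist) is actually running, whether a driver named mhyprot2.sys is installed or loaded, and whether an installed Sunlogin version is at or below 11.0.0.33. The registry value VulnerableDriverBlocklistEnable and the Win32_DeviceGuard class are documented by Microsoft; the assumption that Sunlogin registers under the Uninstall key with a DisplayName containing "Sunlogin" is mine and is marked in the code.

```powershell
# Added defender-side audit script (example, not from the article or its sources).
# Run in an elevated PowerShell session on the host being checked.

function Test-VulnerableDriverBlocklist {
    # Microsoft documents this DWORD under the Code Integrity config key:
    # 1 = Microsoft Vulnerable Driver Blocklist enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $item = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.VulnerableDriverBlocklistEnable -eq 1)
}

function Test-HvciRunning {
    # The blocklist is enforced through HVCI (memory integrity).
    # SecurityServicesRunning contains 2 when HVCI is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return ($null -ne $dg -and $dg.SecurityServicesRunning -contains 2)
}

function Find-SuspectDriver {
    param([string[]]$Names = @('mhyprot2'))   # driver name(s) from the article
    # Installed or loaded kernel drivers whose service name or image path matches.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $drv  = $_
        $path = $drv.PathName -replace '^\\\?\?\\', ''   # strip the \??\ prefix if present
        $hit  = $Names | Where-Object { $drv.Name -like "*$_*" -or $path -like "*$_*" }
        if ($hit) {
            $sig = $null
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig = Get-AuthenticodeSignature -FilePath $path
            }
            [pscustomobject]@{
                Name      = $drv.Name
                Path      = $path
                State     = $drv.State        # e.g. Running / Stopped
                Signer    = $sig.SignerCertificate.Subject
                SigStatus = $sig.Status
            }
        }
    }
}

function Get-SunloginVersion {
    # ASSUMPTION: the product registers under the Uninstall key with a
    # DisplayName containing "Sunlogin". Adjust the pattern if your install differs.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Sunlogin*' } |
        ForEach-Object {
            $v = $null
            [void][version]::TryParse([string]$_.DisplayVersion, [ref]$v)
            [pscustomobject]@{
                Name     = $_.DisplayName
                Version  = $_.DisplayVersion
                # The article states v11.0.0.33 and earlier are affected.
                Affected = ($null -ne $v -and $v -le [version]'11.0.0.33')
            }
        }
}

# Summary run
"Vulnerable Driver Blocklist enabled : $(Test-VulnerableDriverBlocklist)"
"HVCI (memory integrity) running     : $(Test-HvciRunning)"
"Suspect drivers:"
Find-SuspectDriver | Format-Table -AutoSize
"Sunlogin installs:"
Get-SunloginVersion | Format-Table -AutoSize
```

A host that reports the blocklist enabled but HVCI not running has the setting without the enforcement, so treat the two checks together. A hit from Find-SuspectDriver is not proof of compromise on its own (the driver ships with legitimate software), but a copy of it appearing outside its normal install location, or a Running state on a machine that never had that software, is worth an incident-response look, and the Sunlogin check tells you whether the patch the article asks for has actually been applied.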