Hackers keep reinventing their methods for launching malicious attacks and stealing money or confidential information from victims. Even if your computer has antivirus protection, the attack on Windows described here can completely disable that protection, and that is exactly what happened in this case: attackers found an effective way to switch off certain antivirus products on Windows computers, which opened the door to distributing all kinds of malware on the now unprotected PCs. We also cover what security experts and Microsoft recommend doing about it.
Malware that disables your antivirus
In the last year, the cybersecurity firm AhnLab Security has detected attacks of this kind that exploit two vulnerabilities in Sunlogin, a remote administration program developed in China. The entry point is a pair of remote code execution vulnerabilities, CNVD-2022-10270 and CNVD-2022-03672, which affect Sunlogin v11.0.0.33 and earlier versions.
Once inside, the attackers run an encoded PowerShell script whose job is to disable the protection software on the Windows device (the antivirus that is active on the computer at that moment). The script decodes a portable .NET executable, a modified build of the open source tool Mhyprot2DrvControl, which abuses a vulnerable Windows driver to gain kernel-level privileges. Mhyprot2DrvControl obtains those elevated privileges through the mhyprot2.sys driver, and with kernel access the malware can terminate the antivirus processes that would otherwise stop it.
Once the antivirus on the Windows system is completely disabled, the attackers are free to install whatever malware they want: tools for stealing personal data (bank details, user credentials and so on) or for spying on victims. In the cases observed, they also installed malware such as Sliver, the Gh0st RAT (remote access Trojan) and the cryptocurrency miner XMRig.
Employing the BYOVD technique
This method is known as Bring Your Own Vulnerable Driver (BYOVD): the attacker brings a legitimately signed but vulnerable driver along with the malware, loads it, and uses its flaws to act with kernel privileges, which is how the antivirus gets disabled here. To counter it, Microsoft recommends that Windows administrators enable its blocklist of known vulnerable drivers so that such drivers are refused at load time.
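As an added example (not code from the article, from AhnLab or from Microsoft), the following PowerShell script performs a defender-side check for the conditions the two previous sections describe: whether the vulnerable driver blocklist is switched on, whether a driver named mhyprot2.sys (the name given in the article) is registered as a kernel service, whether any kernel driver service was installed recently, and whether Defender real-time protection is still running. It assumes the registry value `VulnerableDriverBlocklistEnable` under `HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config` mirrors the "Microsoft Vulnerable Driver Blocklist" toggle in Windows Security; verify that on your own build, and read the result as a triage hint, not proof of compromise.

```powershell
# Added example: triage checks for a BYOVD-style antivirus kill on a Windows host.
# Assumption (not from the article): VulnerableDriverBlocklistEnable = 1 means the
# Microsoft Vulnerable Driver Blocklist toggle is on. Run from an elevated PowerShell.

# Driver file names to look for; mhyprot2.sys is the one named in the article.
$VulnerableDrivers = @('mhyprot2.sys')

function Get-DriverBlocklistState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    if ($null -eq $val) { return 'Unknown (value absent; check Windows Security > Core isolation)' }
    if ($val.VulnerableDriverBlocklistEnable -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Find-KnownVulnerableDrivers {
    # Win32_SystemDriver lists kernel drivers registered as services, with path and state.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Some entries are prefixed with \??\ ; strip it before taking the file name.
            $file = [System.IO.Path]::GetFileName(($_.PathName -replace '^\\\?\?\\', ''))
            if ($VulnerableDrivers -contains $file) {
                [pscustomobject]@{ Service = $_.Name; File = $file; State = $_.State; Path = $_.PathName }
            }
        }
}

function Get-RecentKernelDriverInstalls {
    param([int]$Days = 7)
    # Service Control Manager event 7045 records every newly installed service,
    # including kernel-mode drivers dropped by BYOVD tooling.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)kernel' -and $_.Message -match '(?i)\.sys' } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Detail = ($_.Message -replace '\s+', ' ') }
        }
}

function Get-DefenderRealtimeState {
    # Get-MpComputerStatus is only available where Microsoft Defender is installed.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -eq $status) { return 'Defender cmdlets unavailable' }
    if ($status.RealTimeProtectionEnabled) { return 'Enabled' }
    return 'Disabled'
}

Write-Host "Vulnerable driver blocklist  : $(Get-DriverBlocklistState)"
Write-Host "Defender real-time protection: $(Get-DefenderRealtimeState)"

$hits = @(Find-KnownVulnerableDrivers)
if ($hits.Count -eq 0) { Write-Host 'No listed vulnerable driver is registered as a service.' }
else { Write-Host 'Listed vulnerable driver(s) present:'; $hits | Format-Table -AutoSize }

$recent = @(Get-RecentKernelDriverInstalls -Days 7)
if ($recent.Count -eq 0) { Write-Host 'No kernel driver services installed in the last 7 days.' }
else { Write-Host 'Kernel driver services installed in the last 7 days:'; $recent | Format-Table -Wrap }
```

A blocklist reported as Disabled together with a fresh kernel driver installation and real-time protection reading Disabled is the pattern the article describes; the fix on the administrative side is to turn the blocklist on and patch Sunlogin, and on the response side to treat the host as compromised rather than simply re-enabling the antivirus.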
This recommendation does not come from Microsoft alone. The cybersecurity experts at AhnLab Security advise anyone running Sunlogin on a Windows PC to update it so that the security patches for these two vulnerabilities are installed, and to keep the operating system itself up to date. That way you avoid falling into this particular trap and, most importantly, never have to deal with this malware in the first place.