In a sophisticated cyberattack campaign first identified in October 2024, malicious actors have been leveraging legitimate drivers to disable antivirus (AV) software, thereby compromising system defenses. This method involves exploiting the ThrottleStop.sys driver, originally developed by TechPowerUp for CPU throttling management, to gain kernel-level access and terminate security processes.
Initial Access and Lateral Movement
Attackers typically gain initial access through stolen Remote Desktop Protocol (RDP) credentials or by brute-forcing administrative accounts. Once inside the network, they deploy tools like Mimikatz to extract additional user credentials and utilize Pass-the-Hash techniques via scripts such as Invoke-WMIExec.ps1 or Invoke-SMBExec.ps1 to move laterally across the network.
Deployment of Malicious Components
After establishing a foothold, the adversaries upload two primary components to user directories like `C:\Users\Administrator\Music`:
1. ThrottleBlood.sys: A renamed version of the vulnerable ThrottleStop.sys driver.
2. All.exe: The AV killer executable designed to disable security software.
These components work in tandem to neutralize antivirus defenses, paving the way for further malicious activities.
Mechanism of Antivirus Disabling
The core of this attack lies in exploiting two vulnerable Input/Output Control (IOCTL) handlers exposed by the ThrottleStop.sys driver, which allow arbitrary reads and writes of physical memory. After loading ThrottleBlood.sys through the Service Control Manager API, the malware enumerates loaded modules to locate the kernel base address. It then translates the virtual addresses of critical functions such as `NtAddAtom` into physical addresses using a SuperFetch-based translation library.
Subsequently, the malware writes a small shellcode stub that jumps to kernel functions such as `PsTerminateProcess`. It continuously enumerates running processes, matching them against a hardcoded list of antivirus executables, including `MsMpEng.exe` (Windows Defender) and `ekrn.exe` (ESET). Upon identifying a match, it terminates the corresponding process, effectively disabling the antivirus protection.
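A defender-side illustration of the pattern just described, added here and not taken from the article or any vendor: it scans driver-load records for a known vulnerable driver whose hash matches despite a rename (ThrottleStop.sys loaded as ThrottleBlood.sys) and for drivers loaded from a user-writable directory such as `C:\Users\Administrator\Music`. The records, the `|`-separated field layout and the hash values are constructed placeholders, loosely shaped like Sysmon Event ID 6 (DriverLoad) fields.

```python
# Added detection example (not the article's or any vendor's code). Records and
# hash values are CONSTRUCTED placeholders, loosely shaped like Sysmon Event ID 6
# (DriverLoad) fields; substitute hashes from a vetted vulnerable-driver list.
import ntpath

# Placeholder SHA-256 -> original file name of the vulnerable driver.
VULNERABLE_DRIVER_HASHES = {"PLACEHOLDER_THROTTLESTOP_SHA256": "throttlestop.sys"}
# Drivers have no business loading from here; System32\drivers is the norm.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

SAMPLE_EVENTS = """\
ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys|Hashes=SHA256=PLACEHOLDER_TCPIP_SHA256|Signed=true
ImageLoaded=C:\\Users\\Administrator\\Music\\ThrottleBlood.sys|Hashes=SHA256=PLACEHOLDER_THROTTLESTOP_SHA256|Signed=true
ImageLoaded=C:\\Program Files\\ThrottleStop\\ThrottleStop.sys|Hashes=SHA256=PLACEHOLDER_THROTTLESTOP_SHA256|Signed=true
"""

def parse_event(line):
    """Split 'key=value|key=value'; the Hashes value keeps its 'SHA256=' prefix."""
    return dict(part.partition("=")[::2] for part in line.split("|"))

def sha256_of(event):
    """Pull the SHA256 digest out of a 'SHA1=..,SHA256=..' style Hashes field."""
    for item in event.get("Hashes", "").split(","):
        algo, _, digest = item.partition("=")
        if algo == "SHA256":
            return digest
    return ""

def assess(event):
    """Reasons a driver load looks like BYOVD abuse; empty list means no rule hit."""
    reasons = []
    path = event.get("ImageLoaded", "")
    original = VULNERABLE_DRIVER_HASHES.get(sha256_of(event))
    if original:  # the hash survives renaming ThrottleStop.sys to ThrottleBlood.sys
        reasons.append("known vulnerable driver")
        if ntpath.basename(path).lower() != original:
            reasons.append(f"renamed from {original}")
    if path.lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("loaded from user-writable path")
    return reasons

def scan(log_text):
    """Return (path, reasons) for every record that triggered at least one rule."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if reasons := assess(event):
            hits.append((event["ImageLoaded"], reasons))
    return hits
```

The third sample record shows that a legitimately installed copy of the driver still trips the hash rule, so the high-confidence signal is the combination of hash match, rename and user-writable load path rather than any single rule.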
Impact and Observations
The impact of this attack has been significant, particularly in industries with exposed RDP endpoints. Victims in countries such as Brazil, Ukraine, Kazakhstan, Belarus, and Russia have reported widespread encryption of critical data, with recovery efforts hindered by the disabled defense mechanisms.
Researchers have noted that traditional self-defense features in some security products, like memory process protection and registry change monitoring, can effectively counter this AV killer. However, many organizations continue to rely on less resilient solutions, leaving them vulnerable to such sophisticated attacks.
Recommendations for Mitigation
To protect against this type of attack, organizations should consider the following measures:
1. Regularly Update and Patch Systems: Ensure that all software, including drivers, is kept up to date to mitigate known vulnerabilities.
2. Implement Strong Access Controls: Enforce strict access policies, including the use of multi-factor authentication, to prevent unauthorized access.
3. Monitor for Unusual Activity: Utilize advanced monitoring tools to detect and respond to anomalous behavior promptly.
4. Employ Defense-in-Depth Strategies: Layer security measures to provide multiple barriers against potential attacks.
5. Educate Employees: Conduct regular training sessions to raise awareness about phishing attacks and other common intrusion methods.
By adopting these practices, organizations can enhance their resilience against attacks that exploit legitimate drivers to disable antivirus protections.