In a classy marketing campaign first noticed in October 2024, attackers have begun leveraging a authentic driver to disable antivirus software program throughout compromised networks.
By abusing the ThrottleStop.sys driver—initially designed by TechPowerUp to handle CPU throttling—the malware beneficial properties kernel‐stage reminiscence entry to terminate safety processes at will.
Preliminary entry is most frequently achieved by means of stolen RDP credentials or brute‐compelled administrative accounts, permitting the adversary to deploy the AV killer alongside ransomware payloads equivalent to MedusaLocker.
Securelist analysts famous that when contained in the community, menace actors extract further person credentials with instruments like Mimikatz and transfer laterally utilizing Cross-the-Hash methods by way of Invoke-WMIExec.ps1 or Invoke-SMBExec.ps1.
Following lateral motion, the attacker uploads two core artifacts—ThrottleBlood.sys (the renamed weak driver) and All.exe (the AV killer)—to person directories equivalent to C:UsersAdministratorMusic.
Home windows Defender and different endpoint safety platforms initially include the ransomware, however the AV killer swiftly terminates their processes, leaving methods defenseless.
The malware’s influence has been extreme, notably in industries with uncovered RDP endpoints. Victims in Brazil, Ukraine, Kazakhstan, Belarus, and Russia have reported widespread encryption of important knowledge, with restoration efforts hampered by disabled protection mechanisms.
Incident stream (Supply – Securelist)
Securelist researchers recognized that conventional self‐protection options in Kaspersky merchandise—equivalent to reminiscence course of safety and registry change monitoring—successfully counter this AV killer, however many organizations stay reliant on much less resilient options.
An infection Mechanism by way of Weak Driver
On the coronary heart of this AV killer lies the exploitation of two weak IOCTL capabilities within the ThrottleStop.sys driver, which enable arbitrary bodily reminiscence reads and writes.
ThrottleStop system driver communication overview (Supply – Securelist)
After loading ThrottleBlood.sys by means of the Service Management Supervisor API, the malware invokes NtQuerySystemInformation with the SystemModuleInformation flag to enumerate loaded modules and find the kernel base handle.
Utilizing a SuperFetch‐primarily based translation library, it converts the digital handle of NtAddAtom right into a bodily handle.
// Instance IOCTL invocation to put in writing kernel reminiscence
DeviceIoControl(hDevice,
0x8010002C, // Weak WRITE_IOCTL
&payload,
payloadSize,
NULL,
0,
&bytesReturned,
NULL);
As soon as the bodily handle is derived, All.exe writes a tiny shellcode stub that jumps to arbitrary kernel capabilities like PsTerminateProcess.
In a steady loop, the malware enumerates processes with Process32FirstW and Process32NextW, matching every towards a hardcoded checklist of antivirus executables—starting from MsMpEng.exe (Home windows Defender) to ekrn.exe (ESET).
Upon discovering a match, it invokes PsLookupProcessById to acquire a deal with after which calls PsTerminateProcess to kill the service.
Kernel code injection (Supply – Securelist)
By restoring authentic kernel bytes after every execution, the AV killer avoids system crashes and evades detection.
This elegant mixture of authentic driver abuse and kernel‐stage code injection underscores the pressing want for driver integrity monitoring and protection‐in‐depth methods, together with strict RDP insurance policies, multi‐issue authentication, and routine vulnerability scanning.
Equip your SOC with full entry to the most recent menace knowledge from ANY.RUN TI Lookup that may Enhance incident response -> Get 14-day Free Trial
