Russian Hackers Disable Antivirus Software to Hide Attacks

A new cybercriminal group has emerged on the Russian internet, targeting corporate networks by disabling antivirus protection after gaining access. This tactic is used to hide their malicious activities from security systems. Experts from Solar Group have reported such attacks in the industrial manufacturing sector.

How the Attacks Work

The attackers exploit vulnerabilities to break into systems and deploy tools that disable security solutions. In one case, they took advantage of internet access to DameWare Mini Remote Control software; the relevant port had apparently remained open since the COVID-19 pandemic. After breaching the system, the attackers placed malware in the directory of the Kaspersky antivirus administration agent and used it to neutralize the protection.

Analysis of the malware sample revealed a function to disable the MiniFilter mechanism, which many antivirus solutions use to collect data on file system operations in Windows and analyze program behavior.

Technical Details of the Attack

During the attack, the malicious driver registered its own Windows minifilter in place of the original, so the security product could no longer monitor file system activity. Kaspersky Lab was notified of the incident, improved its self-defense mechanisms, and released updates.

Another incident involved hackers disabling antivirus protection due to improper interaction between Windows and driver digital signatures. As a result, the victim’s IT infrastructure was rendered inoperable.

Expert Recommendations

“Recently, attackers are increasingly using tools that allow them to disable and bypass security solutions from various vendors,” notes Dmitry Marichev, an expert at Solar 4RAYS. “The approaches and technical implementations differ only in details, such as the names of component files. To promptly stop such attacks, it is necessary to regularly check the operability of security solutions installed in the infrastructure and monitor whether they are sending telemetry. Additionally, it is important to periodically conduct compromise assessments, which significantly increases the chances of detecting an attack before serious consequences occur.”
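As an added example (not code from the Solar 4RAYS report or from any vendor), here is a PowerShell health check that turns the two points above into something an endpoint fleet can run: it lists loaded minifilters with fltmc, flags an expected filter that is missing or attached to no volume, flags any filter absent from a clean-host baseline (which is how a rogue driver registered in place of the original would surface), and confirms the agent service is running. The filter name, service name and baseline path are placeholders to be replaced with your vendor's values.

```powershell
# Added example, not from the Solar 4RAYS report. Placeholders to replace:
# the AV minifilter name(s) your vendor documents, the AV agent service name,
# and a baseline of filter names captured with `fltmc filters` on a clean host.
$ExpectedFilters = @('PLACEHOLDER_AV_MINIFILTER')
$AvService       = 'PLACEHOLDER_AV_SERVICE'
$BaselinePath    = 'C:\baseline\minifilters.txt'

function Get-LoadedMinifilters {
    # fltmc must run elevated. Data rows look like: "WdFilter   5   328010   0"
    # (Filter Name, Num Instances, Altitude, Frame); header lines do not match.
    $rows = @()
    foreach ($line in (& fltmc.exe filters 2>&1)) {
        if ("$line" -match '^(\S+)\s+(\d+)\s+([\d.]+)\s+(\S+)\s*$') {
            $rows += [pscustomobject]@{
                Name = $Matches[1]; Instances = [int]$Matches[2]
                Altitude = [double]$Matches[3]; Frame = $Matches[4]
            }
        }
    }
    return $rows
}

function Test-EndpointProtection {
    $findings = @()
    $loaded   = Get-LoadedMinifilters
    $baseline = if (Test-Path $BaselinePath) { Get-Content $BaselinePath } else { $null }
    foreach ($name in $ExpectedFilters) {
        $f = $loaded | Where-Object { $_.Name -eq $name }
        if (-not $f) {
            $findings += "MISSING: expected minifilter '$name' is not loaded"
        } elseif (($f | Measure-Object -Property Instances -Sum).Sum -eq 0) {
            # Loaded but attached to no volume: it sees no file system operations
            $findings += "DETACHED: minifilter '$name' has 0 instances"
        }
    }
    # A filter absent from the clean baseline is how a rogue driver shows up
    if ($baseline) {
        foreach ($f in $loaded | Where-Object { $baseline -notcontains $_.Name }) {
            $findings += "UNEXPECTED: minifilter '$($f.Name)' at altitude $($f.Altitude) not in baseline"
        }
    }
    # The agent service must be running for telemetry to reach the console
    $svc = Get-Service -Name $AvService -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        $findings += "SERVICE: '$AvService' is $(if ($svc) { $svc.Status } else { 'not installed' })"
    }
    return $findings
}

Test-EndpointProtection | ForEach-Object { Write-Warning $_ }
```

Run it elevated on a schedule and forward the findings centrally, so that hosts whose protection has gone quiet stand out even when the endpoint itself no longer reports.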
