Threat actors register a driver as a service to gain kernel-level access.
Operators of the Akira ransomware have targeted Microsoft Defender, using a legitimate Intel CPU tuning driver as the route to disabling the tool.
According to research from GuidePoint Security, published by BleepingComputer, the abused driver is ‘rwdrv.sys’ (used by ThrottleStop), which the threat actors register as a service to gain kernel-level access. Once they have that access, the threat actors retrieve and execute the malicious ‘hlpdrv.sys’ driver to alter Microsoft Defender’s DisableAntiSpyware setting.
“We are flagging this behaviour because of its ubiquity in recent Akira ransomware IR cases. This high-fidelity indicator can be used for proactive detection and retroactive threat hunting,” said GuidePoint’s researchers.
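A hunt for the service-registration indicator GuidePoint describes, written here as an added example (it is not code from the research or from the article): it parses Windows System log Event ID 7045 ("A service was installed in the system") records, flags kernel-driver installs whose image file is rwdrv.sys or hlpdrv.sys, and checks a dump of the Defender policy key for DisableAntiSpyware. The sample event text, service names and paths are constructed, and the registry key path is an assumption, not something the article states.

```python
import re
from typing import Dict, List

# Driver file names from the GuidePoint research: the legitimate ThrottleStop
# driver abused for kernel access, and the malicious driver loaded afterwards.
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}

# Constructed sample Event ID 7045 (Service Control Manager) messages.
# Service names and file paths are invented for the example.
SAMPLE_7045_EVENTS = [
    "A service was installed in the system.\r\nService Name:  TSDriver\r\n"
    "Service File Name:  C:\\Users\\Public\\rwdrv.sys\r\n"
    "Service Type:  kernel mode driver\r\nService Start Type:  demand start\r\nService Account:  ",
    "A service was installed in the system.\r\nService Name:  hlpdrv\r\n"
    "Service File Name:  \\??\\C:\\ProgramData\\hlpdrv.sys\r\n"
    "Service Type:  kernel mode driver\r\nService Start Type:  demand start\r\nService Account:  ",
    "A service was installed in the system.\r\nService Name:  Backup Agent\r\n"
    "Service File Name:  C:\\Program Files\\Backup\\agent.exe\r\n"
    "Service Type:  user mode service\r\nService Start Type:  auto start\r\nService Account:  LocalSystem",
]

_FIELD = re.compile(r"^(Service Name|Service File Name|Service Type):\s*(.*)$", re.M)


def parse_7045(message: str) -> Dict[str, str]:
    """Extract the fields we need from a 7045 message (missing fields become '')."""
    found = {k: v.strip() for k, v in _FIELD.findall(message)}
    return {k: found.get(k, "") for k in ("Service Name", "Service File Name", "Service Type")}


def driver_basename(image_path: str) -> str:
    """Lower-cased file name of a service image path; tolerates \\??\\ prefixes and quotes."""
    path = image_path.strip().strip('"').replace("/", "\\")
    return path.rsplit("\\", 1)[-1].lower()


def hunt_driver_installs(messages: List[str]) -> List[Dict[str, str]]:
    """Return the 7045 events that register a kernel-mode driver from SUSPECT_DRIVERS."""
    hits = []
    for msg in messages:
        ev = parse_7045(msg)
        if "kernel" in ev["Service Type"].lower() and driver_basename(ev["Service File Name"]) in SUSPECT_DRIVERS:
            hits.append(ev)
    return hits


def defender_tampered(policy_values: Dict[str, int]) -> bool:
    """True if DisableAntiSpyware is 1 in a dump of the Defender policy key
    (assumed: HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender)."""
    return policy_values.get("DisableAntiSpyware", 0) == 1
```

A kernel-driver install from a user-writable path is what makes the indicator high-fidelity; the functions above can be fed real 7045 messages exported from the System log.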
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show.
Outside work, Dan supports Tottenham Hotspur, manages mischievous cats, and samples the finest craft beers.