
Akira ransomware seeks to deactivate Microsoft Defender


Akira ransomware operators have sought to cripple Microsoft Defender by abusing 'rwdrv.sys', the legitimate, signed driver shipped with the Intel CPU tuning utility ThrottleStop, in Bring Your Own Vulnerable Driver (BYOVD) attacks observed since mid-July, according to BleepingComputer.

After obtaining kernel-level access by registering the driver as a service, the threat actors retrieve and execute a malicious second driver, 'hlpdrv.sys', which alters Microsoft Defender's DisableAntiSpyware registry setting, a report from GuidePoint Security researchers revealed. "We are flagging this behavior because of its ubiquity in recent Akira ransomware IR cases. This high-fidelity indicator can be used for proactive detection and retroactive threat hunting," said the GuidePoint Security researchers, who could not confirm whether Akira's attacks against SonicWall VPNs involved a zero-day. A separate analysis from The DFIR Report found that Akira affiliates had used trojanized IT software installers to distribute the Bumblebee malware loader, which deploys the AdaptixC2 framework for persistence, followed by reconnaissance and, ultimately, delivery of the ransomware payload.
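The chain GuidePoint describes leaves three telemetry points a hunter can pivot on: a kernel-mode service registration for one of the two driver names, the driver actually loading, and the Defender DisableAntiSpyware policy value being set to nonzero. The script below is an added example, not GuidePoint's or The DFIR Report's tooling, showing detection logic that correlates those three signals per host. It assumes the standard Windows sources (System log event 7045 for service installs, Sysmon event 6 for driver loads, Sysmon event 13 for registry value sets) and the well-known policy path HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware; the event records are constructed inline with simplified field names, not real log exports.

```python
import re

# Driver names from the reporting: the abused ThrottleStop driver and the malicious follow-on driver.
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}

# Well-known Defender policy value; a nonzero DWORD disables Defender's antispyware engine.
DEFENDER_POLICY_VALUE = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"


def _basename(path):
    """Lower-cased file name from a Windows path (tolerates \\??\\ prefixes and forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dword_nonzero(details):
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'; treat any nonzero value as 'set'."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    if m:
        return int(m.group(1), 16) != 0
    return details.strip().isdigit() and int(details) != 0


def check_event(ev):
    """Findings for one event dict (constructed schema); an empty list means nothing of interest."""
    eid = ev.get("EventID")
    if eid == 7045 and ev.get("ServiceType", "").lower().startswith("kernel"):
        name = _basename(ev.get("ImagePath", ""))
        if name in SUSPECT_DRIVERS:
            return [f"kernel driver service '{ev.get('ServiceName')}' registered for {name}"]
    elif eid == 6:  # Sysmon DriverLoad
        name = _basename(ev.get("ImageLoaded", ""))
        if name in SUSPECT_DRIVERS:
            return [f"suspect driver loaded: {name}"]
    elif eid == 13:  # Sysmon RegistryEvent (Value Set)
        if (ev.get("TargetObject", "").lower() == DEFENDER_POLICY_VALUE.lower()
                and _dword_nonzero(ev.get("Details", ""))):
            return ["Defender DisableAntiSpyware policy set to nonzero"]
    return []


def hunt(events):
    """Group findings per host; 'chain' is True only when both a suspect-driver event and the
    Defender policy tamper are seen on the same host, which is the BYOVD pattern described above."""
    per_host = {}
    for ev in events:
        findings = check_event(ev)
        if not findings:
            continue
        entry = per_host.setdefault(ev["Host"], {"findings": [], "driver": False, "defender": False})
        entry["findings"].extend(findings)
        if ev["EventID"] in (6, 7045):
            entry["driver"] = True
        else:
            entry["defender"] = True
    return {h: {"findings": e["findings"], "chain": e["driver"] and e["defender"]}
            for h, e in per_host.items()}


# Constructed sample events: WS01 shows the full chain, WS02 sets the value back to 0 (benign),
# WS03 tampers with Defender but shows no suspect driver (still worth a look, but not the chain).
SAMPLE_EVENTS = [
    {"Host": "WS01", "EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\drivers\tcpip.sys", "ServiceType": "kernel mode driver"},
    {"Host": "WS01", "EventID": 7045, "ServiceName": "rwdrv",
     "ImagePath": r"\??\C:\Users\Public\rwdrv.sys", "ServiceType": "kernel mode driver"},
    {"Host": "WS01", "EventID": 6, "ImageLoaded": r"C:\Users\Public\hlpdrv.sys"},
    {"Host": "WS01", "EventID": 13, "TargetObject": DEFENDER_POLICY_VALUE, "Details": "DWORD (0x00000001)"},
    {"Host": "WS02", "EventID": 13, "TargetObject": DEFENDER_POLICY_VALUE, "Details": "DWORD (0x00000000)"},
    {"Host": "WS03", "EventID": 13, "TargetObject": DEFENDER_POLICY_VALUE, "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for host, result in hunt(SAMPLE_EVENTS).items():
        flag = "BYOVD CHAIN" if result["chain"] else "partial"
        print(f"{host}: {flag}")
        for f in result["findings"]:
            print(f"    - {f}")
```

In practice the per-host grouping should also carry a time window and the parent process of the registry write, since a legitimate administrator can set DisableAntiSpyware through Group Policy; the driver service registration from a user-writable path is the part that rarely has a benign explanation.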
