Malvertising Campaign Exploits Tax Season to Deploy BYOVD EDR Killer: A Technical Deep Dive + Video

Listen to this Post

Featured Image

Introduction:

Cybercriminals are leveraging the annual tax filing frenzy to deploy sophisticated attacks that bypass traditional security controls. A recent malvertising campaign, reported by Huntress, demonstrates how threat actors use malicious Google Ads impersonating tax forms (W-2/W-9) to deliver a rogue ScreenConnect installer, followed by a Bring Your Own Vulnerable Driver (BYOVD) attack to disable endpoint detection and response (EDR) tools. This technique allows attackers to gain a persistent foothold, disable defenses, and prepare the network for ransomware deployment.

Learning Objectives:

  • Understand the anatomy of a BYOVD attack and how it exploits signed but vulnerable drivers to terminate security processes.
  • Learn to identify malicious malvertising tactics and analyze rogue remote management tool installers.
  • Implement detection and mitigation strategies, including driver blocklists, EDR hardening, and network segmentation.

You Should Know:

  1. The Attack Flow: From Malvertising to EDR Termination
    The campaign begins with threat actors purchasing Google Ads that impersonate legitimate tax form downloads. When a victim searches for terms like “W-2 form” or “W-9 form,” a malicious ad appears at the top of search results, leading to a spoofed site hosting a rogue ScreenConnect installer. ScreenConnect, a legitimate remote desktop tool, is repurposed here as a backdoor.

Once the installer is executed, the attacker gains remote access and proceeds with the BYOVD phase. A vulnerable, signed kernel driver (often a legitimate driver with known security flaws) is dropped and loaded via the `sc.exe` or `net start` commands. This driver is then exploited to terminate processes associated with EDR and antivirus solutions by directly interacting with the Windows kernel, bypassing user-mode hooks.

Step-by-step guide explaining what this does and how to use it:
– Detection of Malicious Process Tree: Monitor for instances where `rundll32.exe` or `msiexec.exe` spawns a child process executing a ScreenConnect client from a temporary directory (%TEMP%).
– ScreenConnect Analysis: Examine the downloaded installer. A malicious variant may contain embedded scripts or a configuration pointing to an attacker-controlled server. Use tools like `strings` or a hex editor to extract the server URL.
– Driver Load Monitoring: Utilize Windows Event Logs (Event ID 7045 under System) to track new service installations. A sudden installation of a driver with a suspicious or obscure name is a red flag. Command: Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} | Where-Object { $_.Message -like "driver" } | Select-Object -First 10 -Property TimeCreated, Message.

2. Identifying Malicious Tax-Themed Google Ads

The initial vector relies on user interaction with a fraudulent advertisement. These ads often use similar branding to legitimate tax software companies like Intuit or H&R Block, but the destination URL reveals the deception. Threat actors use URL shorteners and typosquatting domains to evade initial scrutiny.

Step-by-step guide explaining what this does and how to use it:
– User Education: Train users to hover over ad links to inspect the full URL before clicking. Look for misspelled domain names (e.g., hrbl0ck[.]com) or domains registered recently.
– Ad Blockers: In a corporate environment, enforce the use of DNS-based filtering or browser extensions to block advertisements entirely, reducing exposure to malvertising.
– Network Log Analysis: Review proxy logs for connections to newly registered domains associated with tax keywords. Use `grep` on Linux or `Find-String` in PowerShell to isolate these entries from firewall logs.

3. Analyzing the Rogue ScreenConnect Installer

ScreenConnect (now ConnectWise Control) is a legitimate remote access tool. In this attack, its legitimate binaries are repurposed. The installer may be modified to run silently or to disable the system’s ability to uninstall the tool easily. The goal is to establish persistent remote access without raising immediate alarms.

Step-by-step guide explaining what this does and how to use it:
– Static Analysis: Extract the installer and inspect its manifest. Use `sigcheck` from Sysinternals to verify digital signatures. A legitimate ScreenConnect installer should be signed by ConnectWise. If the signature is missing or invalid, treat it as malicious.
– Command-Line Auditing: Enable PowerShell logging and command-line auditing via Group Policy. Attackers often use the ScreenConnect client with command-line arguments to establish a relay connection. Look for instances of `ScreenConnect.ClientService.exe` with unusual arguments.
– Linux Analysis (for cross-platform infrastructure): If the attacker uses a Linux C2 server, analyze the server logs for POST requests containing `screenconnect` in the user-agent. Use `grep` to filter Apache/Nginx logs: grep "ScreenConnect" /var/log/nginx/access.log.

4. Detecting and Blocking BYOVD Attacks

BYOVD attacks exploit a design flaw: Windows allows signed drivers to load with kernel-level privileges. The mitigation involves maintaining a blocklist of known vulnerable drivers and monitoring for unusual driver load events. Microsoft provides a “Vulnerable Driver Blocklist” that can be enabled via Windows Defender Application Control (WDAC) or the Microsoft Defender for Endpoint attack surface reduction rules.

Step-by-step guide explaining what this does and how to use it:
– Enable Driver Blocklist: In Windows 10/11, navigate to Windows Security > Device Security > Core Isolation. Ensure “Memory Integrity” is on and enable “Microsoft Vulnerable Driver Blocklist” via the registry or Group Policy.
– Manual Driver Hunt: Use `pnputil /enum-drivers` to list all third-party drivers installed. Cross-reference this list with known vulnerable driver hashes from sources like the LOLDrivers project.
– Real-Time Monitoring: Deploy a custom detection rule in your SIEM that triggers when a driver is loaded and then immediately followed by `taskkill` or `TerminateProcess` API calls targeting MsMpEng.exe, SenseCE.exe, or other EDR processes.

5. Defending EDR and Antivirus Solutions

Once the vulnerable driver is loaded, attackers can use tools like `Terminator` (a public BYOVD tool) to terminate security processes. EDR solutions must be hardened against this by enabling tamper protection, which prevents administrative users from stopping the service or unloading drivers.

Step-by-step guide explaining what this does and how to use it:
– Enforce Tamper Protection: In Microsoft Defender, enable “Tamper Protection” to prevent unauthorized changes to security settings. For third-party EDR, ensure the console’s tamper protection feature is active and cannot be disabled locally without a valid token.
– Monitor for `net stop` Commands: Log and alert on `net stop` and `sc stop` commands targeting security services. Attackers often attempt to stop services like `WinDefend` or `Sense` before loading the driver.
– Linux Defenders: If the attack targets Linux endpoints as part of a multi-platform ransomware deployment, monitor for `rmmod` and `modprobe -r` commands used to remove security modules. Use `auditd` to track these events.

6. Incident Response and Ransomware Prevention

The ultimate goal of this campaign is likely ransomware deployment. After terminating EDR, the attacker has free rein to enumerate the network, dump credentials, and move laterally. The window between EDR termination and ransomware execution is critical for incident response.

Step-by-step guide explaining what this does and how to use it:
– Isolate the Host: Immediately block network communication for the affected endpoint. On Linux, use `iptables -A OUTPUT -j DROP` to cut outbound traffic. On Windows, use `netsh advfirewall set allprofiles state on` followed by a script to block all traffic except to the management subnet.
– Forensic Collection: Preserve the vulnerable driver file from C:\Windows\System32\drivers\. Capture the memory of the system using `DumpIt` or `FTK Imager` before rebooting, as many EDR-killing processes reside in memory.
– Log Analysis: Centralize logs from all endpoints to identify if the driver was loaded elsewhere. Search for the driver hash across the environment using a hunting query: DeviceFileEvents | where FileName endswith ".sys" and SHA256 == "known_bad_hash".

What Undercode Say:

  • Key Takeaway 1: The intersection of malvertising and BYOVD represents a significant escalation in attack sophistication, leveraging user trust in search engines to bypass network perimeters.
  • Key Takeaway 2: Traditional antivirus is ineffective against this attack chain, as it uses signed components (a vulnerable driver) and legitimate tools (ScreenConnect) to carry out the compromise.
  • Key Takeaway 3: Organizations must move beyond simple antivirus and implement application control, driver blocklists, and strict logging of driver installation events to detect these attacks in their early stages. The campaign highlights the critical need for security operations centers to monitor for process termination attempts as a primary indicator of compromise.

Prediction:

The use of BYOVD will become a standard component in ransomware playbooks, particularly targeting sectors with high-stakes deadlines like tax preparation and healthcare. As Microsoft improves its vulnerable driver blocklist, attackers will shift to finding and exploiting new, unpatched drivers, creating an arms race between security vendors and threat actors. Future campaigns will likely combine AI-generated ad copy to make malvertising more convincing and automated driver selection based on the target’s specific EDR software. The long-term solution requires operating system-level changes to restrict driver loading to an explicit allowlist rather than a blocklist of known bad drivers.

▶️ Related Video (80% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Varshu25 Malvertising – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky