In a sophisticated cyberattack campaign that began in October 2024, attackers have been found abusing the ThrottleStop.sys driver to disable antivirus software across victim networks. This legitimate driver, originally developed by TechPowerUp for CPU throttling management, is exploited to gain kernel-level memory access, which the attackers use to terminate critical security processes.
Initial Access and Propagation
Cybersecurity experts observed that initial network incursion often results from stolen Remote Desktop Protocol (RDP) credentials or brute-forcing of administrative accounts. Once infiltrated, the attackers deploy their AV killer tool alongside ransomware strains like MedusaLocker. Utilizing tools such as Mimikatz, they extract user credentials and employ Pass-the-Hash techniques to move laterally, effectively spreading the threat across networks using PowerShell scripts like Invoke-WMIExec.ps1 and Invoke-SMBExec.ps1.
The attackers then introduce key malicious components: a rebranded vulnerable driver, ThrottleBlood.sys, and an antivirus-killing application, All.exe. The targeted systems, even those equipped with robust protection platforms like Windows Defender, find their defenses neutralized as these components proceed to terminate processes rapidly, leaving systems vulnerable to further exploits.
Technical Exploits and Target Impacts
At the core of this threat is the exploitation of IOCTL functions exposed by the ThrottleStop.sys driver, which allow arbitrary memory manipulation. After loading ThrottleBlood.sys via the Service Control Manager API, the malware enumerates system modules to identify the kernel base address. Through an address translation process, it can then derive and manipulate any physical address.
With this capability, All.exe writes a kernel-mode shellcode stub that repeatedly enumerates running processes and matches them against a hardcoded array of AV executables, such as MsMpEng.exe from Windows Defender and ekrn.exe from ESET. Using kernel functions such as PsTerminateProcess, it systematically disables each identified security service, leaving the system without protection for the remainder of the attack.
This attack has notably impacted organizations in Brazil, Ukraine, Kazakhstan, Belarus, and Russia, leading to widespread data encryption and significant disruption of recovery efforts due to disabled defenses.
Strategies for Mitigation
This rising trend of legitimate-driver misuse and kernel-level code injection highlights an urgent need for stronger cybersecurity measures. Security professionals advocate driver integrity monitoring combined with comprehensive defense-in-depth strategies, including enforcing strict security policies, adopting multi-factor authentication, and performing routine vulnerability assessments.
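The driver integrity monitoring recommended above, and the attack pattern described in the previous section (a renamed vulnerable driver loaded from a user-writable path, followed within minutes by the termination of AV processes), can be turned into a concrete detection rule. The following is an added example written for this article, not code from the campaign, from any vendor, or from TechPowerUp. It runs over constructed, Sysmon-style driver-load and process-termination records; the event layout, the host names, the hash values and the time window are all assumptions made for illustration. Only the file names (ThrottleStop.sys, ThrottleBlood.sys, MsMpEng.exe, ekrn.exe) come from the article.

```python
"""Added example: correlate driver loads with AV process terminations.

Constructed detection logic, not code from the article or any vendor. Event
records mimic Sysmon Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminated)
fields but are built inline so the script runs offline.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# File names taken from the article. Everything below is an assumption.
KNOWN_VULNERABLE_DRIVER_NAMES = {"throttlestop.sys"}
AV_PROCESS_NAMES = {"msmpeng.exe", "ekrn.exe"}
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"   # assumed trusted location
CORRELATION_WINDOW_S = 300                               # assumed: 5 minutes

# Constructed placeholder hashes; a real deployment would load a hash list of
# known-vulnerable drivers (e.g. the Microsoft vulnerable driver blocklist).
CONSTRUCTED_VULN_SHA256 = "ab" * 32   # stands in for the vulnerable ThrottleStop build
CONSTRUCTED_OTHER_SHA256 = "cd" * 32  # stands in for a different, non-listed build


@dataclass
class Event:
    time: int        # seconds, constructed monotonic clock
    host: str
    kind: str        # "driver_load" or "process_terminated"
    path: str        # Sysmon ImageLoaded (driver) or Image (process)
    signer: str = ""   # Sysmon Signature field, driver loads only
    sha256: str = ""   # SHA256 taken from the Sysmon Hashes field


@dataclass
class Finding:
    host: str
    severity: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_driver_load(ev: Event, vulnerable_hashes: FrozenSet[str]) -> List[Finding]:
    """Integrity checks for a single driver-load event (rename-aware via hash)."""
    findings = []
    if not ev.path.lower().startswith(TRUSTED_DRIVER_DIR):
        findings.append(Finding(ev.host, "medium", "driver-outside-drivers-dir",
                                f"kernel driver loaded from {ev.path}"))
    # Hash matching catches a renamed copy such as ThrottleBlood.sys.
    if ev.sha256 and ev.sha256.lower() in vulnerable_hashes:
        findings.append(Finding(ev.host, "high", "known-vulnerable-driver-hash",
                                f"{basename(ev.path)} signed by {ev.signer!r} matches blocklist"))
    if basename(ev.path) in KNOWN_VULNERABLE_DRIVER_NAMES:
        findings.append(Finding(ev.host, "low", "vulnerable-driver-name",
                                f"driver name {basename(ev.path)} is on the watch list"))
    return findings


def correlate(events: List[Event], vulnerable_hashes: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Flag AV process terminations that follow a driver load on the same host."""
    findings: List[Finding] = []
    recent_loads: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.time):
        if ev.kind == "driver_load":
            findings.extend(check_driver_load(ev, vulnerable_hashes))
            recent_loads.setdefault(ev.host, []).append(ev)
        elif ev.kind == "process_terminated" and basename(ev.path) in AV_PROCESS_NAMES:
            for load in recent_loads.get(ev.host, []):
                if 0 <= ev.time - load.time <= CORRELATION_WINDOW_S:
                    findings.append(Finding(ev.host, "critical", "av-killed-after-driver-load",
                                            f"{basename(ev.path)} ended {ev.time - load.time}s "
                                            f"after {basename(load.path)} loaded"))
                    break
    return findings


# Constructed sample telemetry: ws01 shows the attack pattern, ws02 is benign.
SAMPLE_EVENTS = [
    Event(100, "ws01", "driver_load", "C:\\Users\\Public\\ThrottleBlood.sys",
          signer="TechPowerUp", sha256=CONSTRUCTED_VULN_SHA256),
    Event(140, "ws01", "process_terminated", "C:\\Program Files\\Windows Defender\\MsMpEng.exe"),
    Event(150, "ws01", "process_terminated", "C:\\Program Files\\ESET\\ekrn.exe"),
    Event(500, "ws02", "driver_load", "C:\\Windows\\System32\\drivers\\ThrottleStop.sys",
          signer="TechPowerUp", sha256=CONSTRUCTED_OTHER_SHA256),
    Event(900, "ws02", "process_terminated", "C:\\Windows\\notepad.exe"),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS, frozenset({CONSTRUCTED_VULN_SHA256})):
        print(f"[{f.severity:8}] {f.host} {f.rule}: {f.detail}")
```

The hash rule is the one that matters for this campaign: a name-based allowlist is defeated simply by renaming ThrottleStop.sys to ThrottleBlood.sys, whereas the file hash and the signer survive the rename. The correlation rule adds context that a single driver-load alert lacks, since a legitimate ThrottleStop install on ws02 produces only a low-severity watch-list note, while the load on ws01 followed by two AV process terminations escalates to critical.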
Although some antivirus solutions, such as Kaspersky, provide self-defense mechanisms like memory process protection and registry change monitoring, many organizations continue to depend on less effective tools, which may not withstand this level of aggressive cyber assault.