IAmAntimalware, a tool released on GitHub by the developer Two Seven One Three on 2025-10-11, targets popular antivirus software by injecting malicious code into its processes using several advanced techniques.
Cloning Techniques and API Manipulation
IAmAntimalware clones Windows services and imitates digital signatures to bypass antivirus self-protection. The tool hijacks the Windows Cryptography API provider registry key at HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider, so that unapproved DLLs are injected where trusted modules should be.
The tool takes user-supplied parameters such as service names and certificate paths, and supports Protected Process Light (PPL) through an optional P flag. An alternative method, manipulating COM object CLSIDs, requires TrustedInstaller privileges.
Certificate Cloning and System Impact
IAmAntimalware uses the CertClone tool to replicate valid Windows certificates so that injected modules appear legitimate. This bypasses protections such as process introspection and code-signing verification, allowing unauthorized file access or command execution in protected directories.
The developer demonstrated the technique against antivirus services such as Bitdefender's BDProtSrv, with partial success observed in tests against Trend Micro and Avast. Although it requires existing system access and exposes no zero-day vulnerability, the technique highlights potential flaws in antivirus trust models.
Mitigation Measures and Analysis
Security analysts suggest that while the tool showcases real weaknesses, it poses a medium-severity risk because of the system access it requires. Recommended countermeasures are monitoring for unexplained module loads, enforcing strict certificate trust policies, applying PPL consistently, regularly verifying antivirus integrity, and deploying endpoint detection with behavioral analytics.
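As an added defensive check, not code from the tool or the article: a Python audit of a registry export of the Cryptography provider key named above, flagging any registered provider whose Image Path points outside the Windows system directories. The .reg sample is constructed, and the list of trusted directories is an assumption about a standard installation.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a `reg export` of the provider key the article names:
# a normal entry (rsaenh.dll is Microsoft's genuine RSA provider) followed by a
# made-up entry whose Image Path points at a user-writable directory.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced Cryptographic Provider v1.0]
"Image Path"="rsaenh.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Example Provider]
"Image Path"="C:\\Users\\Public\\Downloads\\example.dll"
"""

PROVIDER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider"
# Assumption: a provider DLL is registered either as a bare file name (resolved
# from the system directory) or with an absolute path under these directories.
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")


def parse_providers(reg_text: str) -> dict[str, str]:
    """Map each provider name under PROVIDER_KEY to its unescaped Image Path."""
    providers, current = {}, None
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key, prefix = line[1:-1], PROVIDER_KEY + "\\"
            current = key[len(prefix):] if key.startswith(prefix) else None
            continue
        match = re.match(r'^"Image Path"="(.*)"$', line)
        if current is not None and match:
            # .reg files double every backslash inside string values.
            providers[current] = match.group(1).replace("\\\\", "\\")
    return providers


def classify_image_path(image_path: str) -> str:
    """Return 'bare-name', 'trusted-dir' or 'suspicious' for a provider DLL path."""
    if "\\" not in image_path and "/" not in image_path:
        return "bare-name"
    expanded = re.sub(r"%systemroot%", lambda _: r"C:\Windows", image_path, flags=re.I)
    parent = str(PureWindowsPath(expanded).parent).lower()
    for trusted in map(str.lower, TRUSTED_DIRS):
        if parent == trusted or parent.startswith(trusted + "\\"):
            return "trusted-dir"
    return "suspicious"


def suspicious_providers(reg_text: str) -> list[str]:
    """Names of registered providers whose DLL lives outside the trusted locations."""
    return [name for name, path in parse_providers(reg_text).items()
            if classify_image_path(path) == "suspicious"]
```

Run it against a fresh `reg export` of the key on a suspect host; any name it returns is a provider entry worth correlating with module-load telemetry from the antivirus process.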