Tax-Themed Google Ads Deliver BYOVD EDR Killer in Malvertising Campaign

A large-scale malvertising campaign is abusing tax-season urgency to deploy a kernel-mode EDR killer through malicious sponsored search results. The operation uses fake tax form pages to trick users into installing remote access software, ultimately disabling security defenses and preparing systems for follow-on attacks.

Researchers at Huntress traced the campaign to rogue ads targeting users searching for W-2 and W-9 forms.


How the Attack Starts

The infection chain begins with a search on Google for tax forms. Sponsored ads redirect victims to fake compliance portals mimicking official documentation pages.

Initial Infection Flow

  1. User searches for W-2 or W-9 forms
  2. Sponsored ad leads to malicious domain
  3. Redirect to fake tax form download page
  4. Download of rogue ScreenConnect installer
  5. Remote access established

The attacker distributes a malicious installer disguised as a tax form download.


Abuse of Legitimate Remote Tool

The campaign leverages ScreenConnect, a legitimate remote management tool, to gain hands-on keyboard access.

Because the software is trusted, victims install it without suspicion, allowing attackers to:

  • Take full remote control
  • Execute commands
  • Deploy additional payloads
  • Maintain persistence

Multi-Stage Payload Deployment

After access is established, attackers deploy layered malware.

Payload Stack

  • FatMalloc crypter
  • Backup remote tools
  • HwAudKiller EDR killer
  • Credential dumping utilities

This multi-stage approach ensures defense evasion and persistence.


BYOVD EDR Killer

The final payload, HwAudKiller, uses a signed driver from Huawei to terminate security tools from kernel mode.

Targeted Security Tools

  • Microsoft Defender
  • Kaspersky
  • SentinelOne

By operating in kernel mode, the malware bypasses user-mode protections entirely.


Inside the FatMalloc Crypter

FatMalloc uses multiple evasion techniques.

Evasion Techniques

  • Allocates 2GB memory to break sandbox analysis
  • Uses multimedia timer callbacks for execution
  • Avoids direct thread creation detection
  • XOR decrypts payload in memory
  • Decompresses final payload

These tactics make detection significantly harder.


Kernel Driver Abuse

The EDR killer drops a signed driver and registers it as a system service.

Driver Capabilities

  • Kernel-level process termination
  • Continuous monitoring of running processes
  • Rapid killing of security tools
  • IOCTL-based communication

This technique is known as Bring Your Own Vulnerable Driver (BYOVD).


Post-Exploitation Activity

Once defenses are disabled, attackers perform credential harvesting.

Observed Actions

  • LSASS credential dumping
  • Network enumeration
  • Account harvesting
  • Lateral movement preparation

These behaviors align with pre-ransomware activity.


Additional Campaign Infrastructure

Researchers discovered:

  • Fake Chrome update pages
  • Russian-language code comments
  • Shared payload infrastructure
  • Multiple social engineering lures

These findings indicate a coordinated operation.


Risk Impact Analysis

  Risk Area           Impact
  Endpoint Security   EDR disabled
  Credentials         LSASS dumping
  Access              Full remote control
  Network             Lateral movement
  Threat Outcome      Ransomware staging

Detection Indicators

Security teams should monitor for:

  • Unexpected ScreenConnect sessions
  • Kernel driver creation in TEMP directories
  • Suspicious RMM tool installations
  • LSASS access attempts
  • Multiple remote relay instances
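
As an added illustration of how three of these indicators can be turned into detection logic (this is example code written for this summary, not Huntress tooling), the following Python runs over a handful of constructed telemetry records shaped loosely like Windows Security event 4697 (service installed), Sysmon event 10 (process access) and Sysmon event 1 (process create). The service names, paths, relay hostnames and the corporate relay allowlist are all assumed sample values.

```python
import re

# Constructed sample telemetry (not from the Huntress report), flattened into
# dicts with a few fields each. Service names, paths and hosts are made up.
SAMPLE_EVENTS = [
    {"id": 4697, "service": "HwAudDrv", "type": "kernel driver",
     "path": r"C:\Users\bob\AppData\Local\Temp\hwaud.sys"},
    {"id": 4697, "service": "Spooler", "type": "win32 own process",
     "path": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 10, "source": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1010"},
    {"id": 10, "source": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1000"},
    {"id": 1, "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "cmdline": "?e=Access&y=Guest&h=instance-zz9-relay.screenconnect.com&p=443"},
    {"id": 1, "image": r"C:\Program Files (x86)\ScreenConnect Client (corp)\ScreenConnect.ClientService.exe",
     "cmdline": "?e=Access&y=Guest&h=support.example.com&p=8041"},
]

# Directories a kernel driver has no business being loaded from.
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|Public|ProgramData)\\", re.I)
# PROCESS_VM_READ is required to read LSASS memory; 0x1010 is the classic mask.
PROCESS_VM_READ = 0x0010
# Assumed allowlist of the organisation's own ScreenConnect relay hosts.
APPROVED_RELAYS = {"support.example.com"}


def find_indicators(events, approved_relays=APPROVED_RELAYS):
    """Return (indicator, subject, detail) tuples for suspicious events."""
    hits = []
    for e in events:
        # Kernel driver service registered from a user-writable directory.
        if e["id"] == 4697 and e["type"] == "kernel driver" and USER_WRITABLE.search(e["path"]):
            hits.append(("driver_from_user_path", e["service"], e["path"]))
        # Non-system process opening LSASS with memory-read rights.
        elif e["id"] == 10 and e["target"].lower().endswith("\\lsass.exe"):
            system_src = e["source"].lower().startswith(r"c:\windows\system32")
            if int(e["access"], 16) & PROCESS_VM_READ and not system_src:
                hits.append(("lsass_read_access", e["source"], e["access"]))
        # ScreenConnect client pointed at a relay outside the allowlist
        # (the h= parameter is assumed to carry the relay host).
        elif e["id"] == 1 and "screenconnect.clientservice" in e["image"].lower():
            m = re.search(r"[?&]h=([^&]+)", e["cmdline"])
            relay = m.group(1).lower() if m else "unknown"
            if relay not in approved_relays:
                hits.append(("unapproved_screenconnect_relay", relay, e["image"]))
    return hits
```

On the constructed sample, the Spooler install, the svchost LSASS query and the allowlisted relay produce no hit; the other three events each raise one indicator.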

Mitigation Recommendations

User-Level Protection

  • Download tax forms only from official sources
  • Avoid sponsored search results
  • Verify domains before downloading
  • Be cautious during tax season

IT Security Controls

  • Allowlist approved RMM tools
  • Block unauthorized remote software
  • Monitor driver installation events
  • Enable kernel driver logging
  • Alert on ScreenConnect trial instances

Key Takeaways

  • Tax-themed Google Ads used as lure
  • Legitimate remote tool abused
  • BYOVD technique disables EDR
  • Kernel driver used for process termination
  • Pre-ransomware behavior observed

Conclusion

This campaign demonstrates how attackers combine malvertising, social engineering, and BYOVD techniques to bypass modern security defenses. By abusing trusted software and signed drivers, they can disable endpoint protection and prepare systems for ransomware or credential theft.

Organizations should strengthen:

  • Remote tool monitoring
  • Driver execution controls
  • User awareness training
  • Behavioral detection

Tax season continues to be a high-risk period for targeted malware campaigns.
