A highly sophisticated and timely malvertising campaign is leveraging the stress of the US tax filing deadline to deliver malware capable of blinding security software before deploying ransomware. The operation, which remains active, represents a significant escalation in the tactics used by cybercriminals, combining precise social engineering with a dangerous evasion technique known as Bring Your Own Vulnerable Driver (BYOVD).
The attack chain is initiated through poisoned Google Search advertisements. Cybercriminals purchase ads targeting keywords related to popular tax preparation software, such as "TurboTax" or "H&R Block." These malicious ads appear at the top of search results, masquerading as legitimate download links for these applications. Unsuspecting users, particularly individuals and small business owners rushing to meet the April tax deadline, are tricked into clicking.
Instead of a tax program, the victim downloads a malicious installer. This installer's primary function is to deploy a legitimate remote access and management tool, ScreenConnect (now ConnectWise Control). While ScreenConnect itself is a reputable tool used by IT professionals, its powerful remote control capabilities make it a prized commodity for attackers. The installation is configured to run covertly, establishing a persistent backdoor into the victim's system.
However, the true sophistication of this campaign lies in what happens next. Before any final payload is delivered, the attackers move to neutralize the system's defenses. Using the initial access provided by ScreenConnect, they drop and execute a legitimate driver file signed by Huawei: eHiperview_eHiperService.sys. This driver is part of Huawei's eHiperview monitoring software. While not malicious by design, it contains vulnerabilities that allow for improper access to the Windows kernel—the core of the operating system.
In a BYOVD attack, malware abuses the high-level privileges of a signed, vulnerable driver to perform malicious actions at the kernel level. In this case, the Huawei driver is weaponized to disable or tamper with Endpoint Detection and Response (EDR) and antivirus processes running on the endpoint. By operating at the kernel level, the attack can bypass standard user-space security checks and directly manipulate or terminate security software. This effectively "blinds" the endpoint, removing its ability to detect or log subsequent malicious activity.
With the security software incapacitated, the stage is set for the final act. Although the specific ransomware payload in this campaign is still being analyzed, the operational pattern is clear. The attackers, now operating with minimal risk of detection, can move laterally, escalate privileges, exfiltrate data, and ultimately deploy file-encrypting ransomware. The combination of a stealthy backdoor and disabled defenses makes remediation exceptionally difficult and increases the likelihood of a successful ransomware deployment and payment.
This campaign highlights several critical trends in the threat landscape. First, the abuse of Google Ads (malvertising) remains a highly effective initial infection vector due to the inherent trust users place in top search results. Second, the use of BYOVD attacks is moving from advanced persistent threat (APT) groups to more widespread criminal operations, lowering the barrier for sophisticated evasion. Third, the thematic timing of the attack—exploiting the tax season—demonstrates a deep understanding of victim psychology and peak vulnerability periods.
For cybersecurity professionals, this campaign underscores the need for layered defenses that can resist kernel-level tampering. Recommendations include:
- Implementing driver allowlisting policies to block unauthorized kernel drivers.
- Deploying security solutions with anti-tamper protections and behavioral detection capable of identifying malicious driver activity.
- Educating users, especially during high-risk periods like tax season, to be skeptical of download links from search ads and to verify URLs directly.
- Monitoring for the installation of remote access tools like ScreenConnect from non-standard or unexpected sources.
- Ensuring robust backup and recovery procedures are in place, as ransomware remains the likely end goal.
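The monitoring recommendations above (unexpected ScreenConnect installs, malicious driver activity) can be turned into a simple correlation rule. The following is an added example, not code from the article or any vendor: it assumes Sysmon-style events already parsed into dicts (EventID 1 = process create, EventID 6 = driver load, `UtcTime` in ISO form, a `Host` field), an assumed normal ScreenConnect install directory, and constructed sample events; the driver name is the one the article reports.

```python
from datetime import datetime, timedelta

# Driver named in the article; extend from your own vulnerable-driver intel.
VULNERABLE_DRIVERS = {"ehiperview_ehiperservice.sys"}
# Assumed normal client location; a ScreenConnect binary run elsewhere is suspect.
EXPECTED_SC_DIRS = (r"c:\program files (x86)\screenconnect client",)
CORRELATION_WINDOW = timedelta(minutes=30)

def check_driver_load(ev):
    """EID 6: flag loads of a known-vulnerable signed driver (BYOVD precursor)."""
    name = ev["ImageLoaded"].rsplit("\\", 1)[-1].lower()
    if name in VULNERABLE_DRIVERS:
        return f"vulnerable driver loaded: {ev['ImageLoaded']} signer={ev.get('Signature')}"
    return None

def check_screenconnect(ev):
    """EID 1: flag ScreenConnect clients started from a non-standard path."""
    img = ev["Image"].lower()
    if "screenconnect" in img and not img.startswith(EXPECTED_SC_DIRS):
        return f"ScreenConnect from unexpected path: {ev['Image']}"
    return None

def scan(events):
    """Return (findings, high_severity). High severity means a vulnerable driver
    loaded within CORRELATION_WINDOW after a suspicious ScreenConnect launch."""
    findings, rat_seen, high = [], {}, False
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        ts = datetime.fromisoformat(ev["UtcTime"])
        if ev["EventID"] == 1 and (f := check_screenconnect(ev)):
            findings.append(f); rat_seen[ev["Host"]] = ts
        elif ev["EventID"] == 6 and (f := check_driver_load(ev)):
            findings.append(f)
            last = rat_seen.get(ev["Host"])
            if last and ts - last <= CORRELATION_WINDOW:
                high = True
                findings.append(f"HIGH: BYOVD driver load {ts - last} after RAT launch on {ev['Host']}")
    return findings, high

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 1, "Host": "ws01", "UtcTime": "2024-04-10T14:02:11",
     "Image": r"C:\Users\bob\Downloads\TurboTax_Setup\ScreenConnect.ClientService.exe"},
    {"EventID": 6, "Host": "ws01", "UtcTime": "2024-04-10T14:09:40",
     "ImageLoaded": r"C:\Windows\Temp\eHiperview_eHiperService.sys", "Signature": "Huawei (constructed)"},
    {"EventID": 6, "Host": "ws02", "UtcTime": "2024-04-10T14:10:00",
     "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys", "Signature": "Microsoft Windows"},
]
```

Running `scan(SAMPLE_EVENTS)` yields three findings for `ws01`, the last one tagged HIGH because the driver load followed the unexpected ScreenConnect launch within the window; the benign `ntfs.sys` load on `ws02` produces nothing.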
The use of a Huawei driver in this context is notable but should be viewed as a case of opportunistic exploitation of available vulnerable code, not a reflection on the vendor. It serves as a stark reminder that the software supply chain, including legitimate signed drivers, can be weaponized against the very systems they are designed to support. As tax deadlines loom, this campaign is a potent reminder that cyber threats are increasingly tailored to our calendars and our anxieties.