From W-2 to BYOVD: How a Tax Search Leads to Kernel-Mode AV/EDR Kill

Summary

A broad malvertising operation abuses Google Ads tied to tax-form searches to distribute a fake ScreenConnect installer. That installer deploys a multi-stage crypter, which then loads a BYOVD utility called HwAudKiller. The tool installs a signed Huawei audio driver and uses kernel-level access to terminate AV and EDR processes. Once security controls are disabled, the attackers dump LSASS credentials and harvest credentials across the network with NetExec. The activity highlights how commodity malware delivery can be paired with a custom kernel driver to obtain stealthy access, suppress defenses, and maintain persistence.

Investigation

Huntress researchers followed the redirect path from anukitax.com to bringetax.com and confirmed delivery of a fraudulent ScreenConnect MSI package. The dropped crypteds.exe uses a 2 GB memory allocation trick for evasion and launches shellcode indirectly through timeSetEvent before loading HwAudKiller. That payload writes Havoc.sys into %TEMP% and registers a kernel service named Havoc to terminate a hard-coded list of security processes. In a second intrusion, the attackers gained access through a VPN compromise, reused the same driver, expanded the kill list to include FortiEDR processes, dumped LSASS using comsvcs.dll, and moved laterally with NetExec.

Mitigation

Organizations should block or tightly allow-list legitimate ScreenConnect deployments and monitor for unfamiliar trial instance-* relay hostnames. Security teams should watch for kernel drivers loaded from temporary paths and alert on Sysmon Event ID 6 and Windows service installation activity. Strict execution controls should be enforced on files written to C:\Windows\SystemTemp\ScreenConnect and %TEMP%. User awareness efforts should also reinforce that Google Ads search results should not be trusted sources for tax-related downloads.

Response

If a rogue ScreenConnect installer is found, immediately isolate the endpoint, collect crypteds.exe and any dropped Havoc.sys driver, and stop the Havoc service. Begin credential-reset procedures for potentially compromised accounts and revoke exposed access. Then scan the wider environment for additional ScreenConnect relay connections, NetExec execution, and signs of LSASS dumping. Finally, document and share discovered IOCs with internal and external threat intelligence channels.

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

• Attack Narrative & Commands:

  1. Initial Access via Malvertising: The victim clicks a malicious ad while searching for tax forms, which triggers a drive‑by download of form_w9.msi.
  2. Installation of Rogue Software: The MSI silently installs a ScreenConnect‑like remote‑support tool and drops crypteds.exe and sent.exe to the %TEMP% directory.
  3. Credential Harvesting: crypteds.exe is launched to dump LSA Secrets.
  4. DLL Side‑Loading via Rundll32: To evade static detection, the attacker loads a malicious DLL using rundll32.exe with the system DLL comsvcs.dll as the entry point, which will execute the embedded payload.

  The exact commands (simulated on a test machine) are:

  # 1. Deploy the malicious MSI (simulated)
  Start-Process -FilePath "C:Tempform_w9.msi" -ArgumentList "/quiet" -Wait
  
  # 2. Launch the credential‑dumping tool
  Start-Process -FilePath "$env:TEMPcrypteds.exe" -ArgumentList "/dump" -Wait
  
  # 3. Load the malicious payload via rundll32 using comsvcs.dll
  rundll32.exe "C:windowsSystem32comsvcs.dll",LaunchApplication "$env:TEMPsent.exe"

• Regression Test Script: The script below automates the above steps and ensures that the generated telemetry matches the detection rule expectations.

  # Regression Test Script – Simulates the Malvertising Campaign
  # -----------------------------------------------------------
  # 0. Prerequisite: Ensure Sysmon is running with command‑line logging enabled.
  
  # Variables
  $msiPath   = "$env:TEMPform_w9.msi"
  $dumpTool  = "$env:TEMPcrypteds.exe"
  $payload   = "$env:TEMPsent.exe"
  $dllPath   = "C:windowsSystem32comsvcs.dll"
  
  # Helper: Create dummy files to mimic the malicious binaries
  New-Item -Path $msiPath   -ItemType File -Force | Out-Null
  New-Item -Path $dumpTool  -ItemType File -Force | Out-Null
  New-Item -Path $payload   -ItemType File -Force | Out-Null
  
  Write-Host "[*] Installing malicious MSI (simulated)..."
  Start-Process -FilePath "msiexec.exe" -ArgumentList "/i `"$msiPath`" /quiet" -Wait
  
  Write-Host "[*] Executing credential‑dumping tool..."
  Start-Process -FilePath $dumpTool -ArgumentList "/dump" -Wait
  
  Write-Host "[*] Performing DLL side‑loading via rundll32..."
  rundll32.exe "`"$dllPath`"",LaunchApplication "`"$payload`""
  
  Write-Host "[+] Simulation complete. Verify detection via the SIEM."

• Cleanup Commands: Remove the dummy artifacts and stop any lingering processes.

  # Cleanup Script
  $paths = @("$env:TEMPform_w9.msi","$env:TEMPcrypteds.exe","$env:TEMPsent.exe")
  foreach ($p in $paths) {
      if (Test-Path $p) { Remove-Item -Path $p -Force }
  }
  
  # Terminate any stray rundll32 processes spawned by the test
  Get-Process -Name rundll32 -ErrorAction SilentlyContinue |
      Where-Object {$_.Path -eq "$env:SystemRootSystem32rundll32.exe"} |
      Stop-Process -Force