Close Menu
  • Home
  • Identity
  • Inventions
  • Future
  • Science
  • Startups
  • Spanish
What's Hot

European Innovation Methods to Turn Research into Market Success

Unlock US critical mineral supply

Sewage runoff and coastal winds fuel microplastic pollution

Facebook X (Twitter) Instagram
  • Home
  • About Us
  • Advertise with Us
  • Contact Us
  • DMCA
  • Privacy Policy
  • Terms & Conditions
  • User-Submitted Posts
Facebook X (Twitter) Instagram
Fyself News
  • Home
  • Identity
  • Inventions
  • Future
  • Science
  • Startups
  • Spanish
Fyself News
Home » 2,500+ TrueSight.SYS ​​driver variations have been exploited to bypass EDR and deploy DisdenGh0st rats
Identity

2,500+ TrueSight.SYS ​​driver variations have been exploited to bypass EDR and deploy DisdenGh0st rats

userBy userFebruary 25, 2025No Comments4 Mins Read
Share Facebook Twitter Pinterest Telegram LinkedIn Tumblr Email Copy Link
Follow Us
Google News Flipboard
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link

February 25, 2025Ravi LakshmananWindows Security/Vulnerabilities

grueSight.sys driver variation

A large-scale malware campaign has been discovered that leverages vulnerable Windows drivers associated with Adlice’s suite of products to provide Sidestep detection efforts and GH0st rat malware.

“To further avoid detection, attackers intend to use multiple variants (using different hashs) of the 2.0.2 driver by modifying a particular PE part while keeping a particular PE part enabled. “We generated it,” Check Point said in a new report released Monday.

Cybersecurity companies are used to deploy programs that can terminate endpoint detection and response (EDR) software by those that lead to their own vulnerable driver (BYOVD) attacks. It said it contains thousands of first stage malicious samples.

TrueSight.Sys, 2,500 different variants of the legacy version 2.0.2 of the vulnerable RogueKiller Antirootkit driver, has been identified on the Virustotal platform, but is considered to be higher. The EDR killer module was first detected and recorded in June 2024.

Cybersecurity

The TrueSight driver issue is any termination bug that affects all versions below 3.4.0, and exploits proof of concept (POC) such as Darkside and TrueSightkiller that have been published since at least November 2023. has been previously weaponized to devise.

In March 2024, SonicWall revealed details of a loader called DBATLoader, which was found to have used the TrueSight.Sys driver to kill security solutions using the TrueSight.Sys driver before delivering REMCOS rat malware I’ve done it.

The campaign could be “work of a threat actor called Silver Fox APT due to some level of duplication of adopted secretaries employed with the execution chain, such as infection vectors, execution chains, and early similarities. There is some evidence to suggest that there is a stage sample […]and historical targeting patterns. ”

Attack sequences are often disguised as legitimate applications and are propagated through deceptive websites that provide transactions on high-end products and fraudulent channels on popular messaging apps such as Telegram. Includes distribution of stage artifacts.

The sample acts as a downloader and removes legacy versions of the TrueSight drivers and the next stage payload that mimics common file types such as PNG, JPG, and GIF. Next, the second stage malware progresses, obtaining another malware and loading the EDR killer module and GH0st rat malware.

grueSight.sys driver variation

“Legacy TrueSight driver variations (version 2.0.2) are usually downloaded and installed by early stage samples, but if the driver is not already present on the system, it should be deployed directly by the EDR/AV killer module. You can also do it, “Checkpoint explained.

“This shows that the EDR/AV killer module is fully integrated into the campaign, but can work independently of the previous stages.”

The module employs BYOVD technology to exploit sensitive drivers with the aim of terminating processes related to specific security software. In doing so, this attack offers the advantage in that it bypasses the vulnerable driver block list from Microsoft, a hash value-based windowing mechanism designed to protect the system from known vulnerable drivers. .

Cybersecurity

The attack culminated in the deployment of a variant of the GH0st rat called didhingGh0st. It is designed to remotely control compromised systems and to provide an attacker with a way to theft, monitor, and manipulate the system.

As of December 17, 2024, Microsoft has updated its driver block list to effectively block exploitation vectors, including the drivers in question.

“By modifying certain parts of the driver while retaining the digital signature, attackers bypass common detection methods, including the latest Microsoft vulnerable driver block lists and Loldrivers detection mechanisms, avoiding detection for several months. We made it possible,” Checkpoint said.

“By exploiting the optional process termination vulnerability, the EDR/AV killer module has targeted and disabled processes generally associated with security solutions, further increasing the stealth of the campaign.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read exclusive content you post.

Source link

Follow on Google News Follow on Flipboard
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
Previous ArticleConference Industry Association: Shonali Devereaux joined the chat
Next Article Raise to Rise’s 12-time partner
user
  • Website

Related Posts

ServiceNow Flaw CVE-2025-3648 can lead to data exposure via misunderstood ACLS

July 10, 2025

The Future of Process Automation is Here: Meet TwinH

July 9, 2025

Gold Melody IAB exploits exposed ASP.NET machine keys to unauthorized access to targets

July 9, 2025
Add A Comment
Leave A Reply Cancel Reply

Latest Posts

European Innovation Methods to Turn Research into Market Success

Unlock US critical mineral supply

Sewage runoff and coastal winds fuel microplastic pollution

ServiceNow Flaw CVE-2025-3648 can lead to data exposure via misunderstood ACLS

Trending Posts

Subscribe to News

Subscribe to our newsletter and never miss our latest news

Please enable JavaScript in your browser to complete this form.
Loading

Welcome to Fyself News, your go-to platform for the latest in tech, startups, inventions, sustainability, and fintech! We are a passionate team of enthusiasts committed to bringing you timely, insightful, and accurate information on the most pressing developments across these industries. Whether you’re an entrepreneur, investor, or just someone curious about the future of technology and innovation, Fyself News has something for you.

The Future of Process Automation is Here: Meet TwinH

Robots Play Football in Beijing: A Glimpse into China’s Ambitious AI Future

TwinH: A New Frontier in the Pursuit of Immortality?

Meta’s Secret Weapon: The Superintelligence Unit That Could Change Everything 

Facebook X (Twitter) Instagram Pinterest YouTube
  • Home
  • About Us
  • Advertise with Us
  • Contact Us
  • DMCA
  • Privacy Policy
  • Terms & Conditions
  • User-Submitted Posts
© 2025 news.fyself. Designed by by fyself.

Type above and press Enter to search. Press Esc to cancel.