A large-scale malware campaign has been discovered that leverages vulnerable Windows drivers associated with Adlice’s suite of products to provide Sidestep detection efforts and GH0st rat malware.
“To further avoid detection, attackers intend to use multiple variants (using different hashs) of the 2.0.2 driver by modifying a particular PE part while keeping a particular PE part enabled. “We generated it,” Check Point said in a new report released Monday.
Cybersecurity companies are used to deploy programs that can terminate endpoint detection and response (EDR) software by those that lead to their own vulnerable driver (BYOVD) attacks. It said it contains thousands of first stage malicious samples.
TrueSight.Sys, 2,500 different variants of the legacy version 2.0.2 of the vulnerable RogueKiller Antirootkit driver, has been identified on the Virustotal platform, but is considered to be higher. The EDR killer module was first detected and recorded in June 2024.
The TrueSight driver issue is any termination bug that affects all versions below 3.4.0, and exploits proof of concept (POC) such as Darkside and TrueSightkiller that have been published since at least November 2023. has been previously weaponized to devise.
In March 2024, SonicWall revealed details of a loader called DBATLoader, which was found to have used the TrueSight.Sys driver to kill security solutions using the TrueSight.Sys driver before delivering REMCOS rat malware I’ve done it.
The campaign could be “work of a threat actor called Silver Fox APT due to some level of duplication of adopted secretaries employed with the execution chain, such as infection vectors, execution chains, and early similarities. There is some evidence to suggest that there is a stage sample […]and historical targeting patterns. ”
Attack sequences are often disguised as legitimate applications and are propagated through deceptive websites that provide transactions on high-end products and fraudulent channels on popular messaging apps such as Telegram. Includes distribution of stage artifacts.
The sample acts as a downloader and removes legacy versions of the TrueSight drivers and the next stage payload that mimics common file types such as PNG, JPG, and GIF. Next, the second stage malware progresses, obtaining another malware and loading the EDR killer module and GH0st rat malware.
“Legacy TrueSight driver variations (version 2.0.2) are usually downloaded and installed by early stage samples, but if the driver is not already present on the system, it should be deployed directly by the EDR/AV killer module. You can also do it, “Checkpoint explained.
“This shows that the EDR/AV killer module is fully integrated into the campaign, but can work independently of the previous stages.”
The module employs BYOVD technology to exploit sensitive drivers with the aim of terminating processes related to specific security software. In doing so, this attack offers the advantage in that it bypasses the vulnerable driver block list from Microsoft, a hash value-based windowing mechanism designed to protect the system from known vulnerable drivers. .
The attack culminated in the deployment of a variant of the GH0st rat called didhingGh0st. It is designed to remotely control compromised systems and to provide an attacker with a way to theft, monitor, and manipulate the system.
As of December 17, 2024, Microsoft has updated its driver block list to effectively block exploitation vectors, including the drivers in question.
“By modifying certain parts of the driver while retaining the digital signature, attackers bypass common detection methods, including the latest Microsoft vulnerable driver block lists and Loldrivers detection mechanisms, avoiding detection for several months. We made it possible,” Checkpoint said.
“By exploiting the optional process termination vulnerability, the EDR/AV killer module has targeted and disabled processes generally associated with security solutions, further increasing the stealth of the campaign.”
Source link
