
Cyber Threat Alert: Silver Fox APT Exploits Trusted Windows Drivers to Launch ValleyRAT

2025-09-01

Author: Mei

A Dangerous New Cyber Campaign Unveiled

A recently uncovered campaign is abusing legitimately signed but vulnerable Windows drivers to slip past security controls and install a well-known remote access tool. The operation, attributed to the Silver Fox APT group, shows the risk posed by attackers who turn Microsoft-signed drivers once considered safe into attack tools.

How Microsoft-Signed Drivers are Being Weaponized

The attack centers on the WatchDog Antimalware driver (amsdk.sys, version 1.0.600). Despite carrying a valid Microsoft signature and, at the time, appearing on no public vulnerable-driver list, the driver exposes a capability that lets a user-mode caller terminate arbitrary processes. The attackers abuse it, unmodified, to kill antivirus and endpoint detection and response (EDR) processes, clearing the way for ValleyRAT. That modular backdoor can execute commands, conduct surveillance and exfiltrate sensitive data.

Legacy Drivers Boost Attack Success

Silver Fox also bundles an older Zemana-based driver (ZAM.exe) so that the chain works on systems from Windows 7 through Windows 11. Both drivers let the attackers terminate arbitrary processes, including the protected processes that antivirus and EDR products rely on.

Evolving Techniques and Evasive Maneuvers

Researchers noted that the group packs everything it needs into self-sufficient loader binaries. Each loader contains anti-analysis features, a persistence mechanism, the two embedded drivers, a hardcoded list of security processes to terminate, and a dedicated ValleyRAT downloader.

Fooling Security Measures

The evasion extends to the fixed driver. After WatchDog released a patched build (wamsdk.sys, version 1.1.100), the attackers took that file and altered a single byte in the signature's unauthenticated timestamp attribute. Because that field is not covered by the Authenticode hash, the Microsoft signature stays valid, but the file's hash changes, so the sample no longer matches hash-based blocklists or indicators built from the original driver.
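To show why a one-byte edit inside the signature block leaves the signature valid while changing the file hash, the following Python example, added here and not taken from the article or from Check Point Research, implements the Authenticode image hash as Microsoft's PE signature specification defines it and runs it over a constructed toy PE32+ image. The image's "certificate table" is an opaque placeholder blob (assumed, not real PKCS#7 SignedData), and the timestamp text inside it stands in for the unauthenticated signingTime attribute; all offsets and sample bytes are constructed for the demonstration.

```python
"""Authenticode image hash vs. whole-file hash (added example over constructed data).
The Authenticode hash skips the CheckSum field, the Certificate Table directory
entry and the certificate table itself, which holds the PKCS#7 SignedData and its
unauthenticated attributes (e.g. the timestamp). A byte flipped there changes the
file's SHA-256 but not the hash the signature protects."""
import hashlib
import struct

HEADERS_SIZE = 0x200                             # SizeOfHeaders of the toy image
SECTION_SIZE = 0x200                             # raw size of the single .text section
CERT_TABLE_OFFSET = HEADERS_SIZE + SECTION_SIZE  # certificate table appended after .text

def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Authenticode image hash of a PE32/PE32+ file, per the Microsoft spec."""
    h = hashlib.new(algo)
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)  # data directories: PE32+ vs PE32
    checksum_off = opt + 64
    secdir_off = dirs + 4 * 8                     # IMAGE_DIRECTORY_ENTRY_SECURITY = 4
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    # Steps 1-3: headers, minus CheckSum and the Certificate Table entry.
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:secdir_off])
    h.update(pe[secdir_off + 8:size_of_headers])
    hashed = size_of_headers
    # Step 4: each section's raw data, in file-offset order.
    sec_hdr = opt + opt_size
    sections = [struct.unpack_from("<II", pe, sec_hdr + 40 * i + 16) for i in range(num_sections)]
    for raw_size, raw_ptr in sorted(sections, key=lambda s: s[1]):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    # Step 5: trailing data, excluding the certificate table itself.
    if len(pe) > hashed:
        h.update(pe[hashed:cert_off] if cert_size else pe[hashed:])
        if cert_size:
            h.update(pe[cert_off + cert_size:])
    return h.hexdigest()

def build_minimal_pe(cert_body: bytes) -> bytes:
    """Constructed toy PE32+: headers, one .text section, then a WIN_CERTIFICATE
    whose payload is an opaque placeholder rather than a real PKCS#7 signature."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                     # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)                # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)             # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, HEADERS_SIZE)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                 # CheckSum (excluded from hash)
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    cert = struct.pack("<IHH", 8 + len(cert_body), 0x0200, 0x0002) + cert_body
    cert = cert.ljust(-(-len(cert) // 8) * 8, b"\0")            # table is 8-byte aligned
    struct.pack_into("<II", opt, 112 + 4 * 8, CERT_TABLE_OFFSET, len(cert))
    sec = struct.pack("<8sIIIIIIHHI", b".text", SECTION_SIZE, 0x1000,
                      SECTION_SIZE, HEADERS_SIZE, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(HEADERS_SIZE, b"\0")
    text = b"\x48\x31\xC0\xC3".ljust(SECTION_SIZE, b"\xCC")     # xor rax,rax; ret; int3 padding
    return headers + text + cert

def flip_byte(pe: bytes, offset: int) -> bytes:
    """Copy of pe with one bit flipped at offset (the attacker's one-byte edit)."""
    out = bytearray(pe)
    out[offset] ^= 0x01
    return bytes(out)

def compare(original: bytes, modified: bytes) -> dict:
    """Does the whole-file hash (what blocklists key on) change? Does the signed hash?"""
    return {
        "file_sha256_changed": hashlib.sha256(original).digest() != hashlib.sha256(modified).digest(),
        "authenticode_changed": authenticode_hash(original) != authenticode_hash(modified),
    }

# Constructed stand-in for the signature blob; the timestamp text marks where the
# unauthenticated signingTime attribute would sit.
CONSTRUCTED_CERT = b"placeholder SignedData; unauthenticated signingTime=2025-08-20T00:00:00Z"

def demo() -> dict:
    """One-byte edits in the timestamp, in the CheckSum field, and in code."""
    pe = build_minimal_pe(CONSTRUCTED_CERT)
    timestamp_off = CERT_TABLE_OFFSET + 8 + CONSTRUCTED_CERT.index(b"2025")
    checksum_off = 64 + 4 + 20 + 64                             # DOS + "PE\0\0" + COFF + 64
    return {
        "timestamp_byte": compare(pe, flip_byte(pe, timestamp_off)),
        "checksum_field": compare(pe, flip_byte(pe, checksum_off)),
        "code_byte": compare(pe, flip_byte(pe, HEADERS_SIZE)),
    }

if __name__ == "__main__":
    for what, r in demo().items():
        print(f"{what:15s} file_sha256_changed={r['file_sha256_changed']} "
              f"authenticode_changed={r['authenticode_changed']}")
```

Running it shows that the timestamp edit and a CheckSum edit both change the file's SHA-256 without touching the Authenticode hash, while a single flipped byte in .text changes both. Swapping the whole placeholder certificate blob for a different one gives the same Authenticode hash too, which is exactly why a hash-only blocklist entry for a signed driver can be sidestepped by editing the signature block rather than the code. Real Windows signature validation additionally checks the certificate chain and revocation, so this only models the hash-coverage part of the problem.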

Tracing the Cybercriminals' Footprints

The infrastructure behind the attacks has been traced to servers located in China, and the list of processes the loader targets consists of security products widely used in East Asia. Combined with the ValleyRAT payload, these clues point to Silver Fox.

Critical Responses Needed

WatchDog's update fixed the local privilege escalation flaws that were reported, but the patched driver still allows arbitrary process termination, so systems remain exposed. Check Point Research emphasizes that relying solely on signature and hash checks is no longer enough. Security teams are urged to apply Microsoft's latest Vulnerable Driver Blocklist, deploy YARA detection rules, and adopt behavior-based monitoring that flags unusual driver activity, such as a newly loaded third-party driver followed by the termination of security processes.

Stay Alert: The Call for Vigilance

"This research underscores the imperative for security vendors and users to remain vigilant against the emerging threat of legitimate driver abuse," warns CPR. "Proactive identification, reporting, and patching of these vulnerabilities will be essential in fortifying Windows systems against evolving tactics that utilize Bring Your Own Vulnerable Driver (BYOVD) methods."