A large-scale malware campaign has been discovered abusing a vulnerable Windows driver associated with Adlice's product suite to sidestep detection efforts and deliver the Gh0st RAT malware.
"To further evade detection, the attackers deliberately generated multiple variants (with different hashes) of the 2.0.2 driver by modifying specific PE parts while keeping the signature valid," Check Point said in a new report published Monday.
The cybersecurity company said the malicious activity involved thousands of first-stage malicious samples that are used to deploy a program capable of terminating endpoint detection and response (EDR) software by means of what is known as a bring your own vulnerable driver (BYOVD) attack.
As many as 2,500 distinct variants of the legacy version 2.0.2 of the vulnerable RogueKiller Antirootkit Driver, truesight.sys, have been identified on the VirusTotal platform, although the actual number is believed to be higher. The EDR-killer module was first detected and recorded in June 2024.
The issue with the Truesight driver, an arbitrary process termination bug affecting all versions below 3.4.0, has previously been weaponized in proof-of-concept (PoC) exploits such as Darkside and TrueSightKiller, which have been publicly available since at least November 2023.
In March 2024, SonicWall disclosed details of a loader called DBatLoader that was found to use the truesight.sys driver to kill security solutions before delivering the Remcos RAT malware.
There is some evidence to suggest that the campaign could be the work of a threat actor tracked as Silver Fox APT, based on a degree of overlap in the execution chain and the tradecraft employed, including the "infection vector, execution chain, similarities in initial-stage samples [...], and historical targeting patterns."
The attack sequences involve the distribution of first-stage artifacts that are often disguised as legitimate applications and propagated via deceptive websites offering deals on luxury products and via fraudulent channels in popular messaging apps such as Telegram.
The samples act as a downloader, dropping the legacy version of the Truesight driver as well as a next-stage payload that masquerades as a common file type such as PNG, JPG, or GIF. The second-stage malware then retrieves a further payload that, in turn, loads the EDR-killer module and the Gh0st RAT malware.
"While the variants of the legacy Truesight driver (version 2.0.2) are typically downloaded and installed by the initial-stage samples, they can also be deployed directly by the EDR/AV killer module if the driver is not already present on the system," Check Point explained.
"This indicates that although the EDR/AV killer module is fully integrated into the campaign, it is capable of operating independently of the earlier stages."
The module uses the BYOVD technique to abuse the vulnerable driver in order to terminate processes belonging to specific security products. The approach has the added advantage of bypassing the Microsoft Vulnerable Driver Blocklist, a Windows mechanism that identifies known vulnerable drivers by hash value: a variant of the driver with a different hash is not matched even though its signature remains valid.
The attacks culminate in the deployment of a Gh0st RAT variant known as HiddenGh0st, which is designed to remotely control compromised systems, giving attackers a way to conduct data theft, surveillance, and system manipulation.
As of December 17, 2024, Microsoft has updated the driver blocklist to include the driver in question, effectively closing this exploitation vector.
"By modifying specific parts of the driver while preserving its digital signature, the attackers bypassed common detection methods, including the latest Microsoft Vulnerable Driver Blocklist and LOLDrivers detection mechanisms, allowing them to evade detection for months," Check Point said.
"Exploiting the Arbitrary Process Termination vulnerability allowed the EDR/AV killer module to target and disable processes commonly associated with security solutions, further enhancing the campaign's stealth."
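The "different hashes, same valid signature" variants described above rest on a property of Authenticode that is worth seeing concretely: the digest a PE signature covers skips the optional header's CheckSum field, the Certificate Table data-directory entry, and the certificate table itself, so bytes changed or appended in those regions alter the file's SHA-256 but leave the signed digest, and therefore the signature, intact. The Python below is an added example, not code from Check Point's report or from the campaign. It constructs a minimal, unsigned PE32+ image with a dummy certificate blob (the layout is real, the signature is not), computes the Authenticode digest following Microsoft's PE Authenticode specification, and produces two variants by appending bytes inside the certificate table and by rewriting the checksum. It illustrates the general mechanism and does not reproduce the specific modifications Check Point observed, which the excerpted report does not list; the sample image, payload bytes and tag strings are constructed for the demonstration.

```python
import hashlib
import struct

# Offsets from the PE/COFF and Authenticode specifications (not assumptions).
CERT_DIR_OFFSET = {0x10B: 128, 0x20B: 144}   # Certificate Table entry, PE32 / PE32+
CHECKSUM_OFFSET = 64                          # OptionalHeader.CheckSum


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Authenticode digest of a PE image: headers minus CheckSum and the Certificate
    Table directory entry, then each section's raw data in file order, then trailing
    data except the certificate table. Bytes in the skipped regions never reach the hash."""
    h = hashlib.new(algo)
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_of_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                               # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in CERT_DIR_OFFSET:
        raise ValueError("not a PE32/PE32+ image")
    checksum = opt + CHECKSUM_OFFSET
    cert_dir = opt + CERT_DIR_OFFSET[magic]
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    cert_off, cert_len = struct.unpack_from("<II", pe, cert_dir)

    h.update(pe[:checksum])                           # headers up to CheckSum
    h.update(pe[checksum + 4:cert_dir])               # CheckSum skipped
    h.update(pe[cert_dir + 8:size_of_headers])        # Certificate Table entry skipped

    sec_table = opt + size_of_opt
    sections = []
    for i in range(num_sections):                     # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sec_table + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = size_of_headers
    for ptr, size in sorted(sections):
        h.update(pe[ptr:ptr + size])
        hashed += size
    trailing = len(pe) - hashed - cert_len           # data after sections, minus cert table
    if trailing > 0:
        h.update(pe[hashed:hashed + trailing])
    return h.hexdigest()


def file_hash(pe: bytes) -> str:
    """Flat SHA-256 of the whole file, the value most hash blocklists and IOC feeds key on."""
    return hashlib.sha256(pe).hexdigest()


def build_test_pe(payload: bytes, cert_blob: bytes) -> bytearray:
    """Constructed, unsigned PE32+ image: one .text section plus a dummy WIN_CERTIFICATE.
    Windows would not treat it as signed; only the layout matters for the digest."""
    file_align = 0x200
    pe = bytearray(file_align)                        # all headers fit in the first 0x200 bytes
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)            # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    coff = 0x44                                       # Machine=x64, 1 section, SizeOfOptionalHeader=240
    struct.pack_into("<HHIIIHH", pe, coff, 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = coff + 20
    struct.pack_into("<H", pe, opt, 0x20B)            # PE32+ magic
    struct.pack_into("<II", pe, opt + 32, 0x1000, file_align)   # Section/FileAlignment
    struct.pack_into("<II", pe, opt + 56, 0x2000, file_align)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", pe, opt + 108, 16)         # NumberOfRvaAndSizes
    section = payload.ljust(file_align, b"\0")
    struct.pack_into("<8sIIII", pe, opt + 240, b".text", len(payload), 0x1000, len(section), file_align)
    pe += section
    cert_off = len(pe)                                # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType
    cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    cert = cert.ljust((len(cert) + 7) & ~7, b"\0")    # table is 8-byte aligned
    struct.pack_into("<II", pe, opt + CERT_DIR_OFFSET[0x20B], cert_off, len(cert))
    pe += cert
    return pe


def append_to_certificate_table(pe: bytes, extra: bytes) -> bytearray:
    """Variant with `extra` appended inside the certificate table (both lengths updated).
    The table is outside the signed region, so the Authenticode digest is unchanged."""
    out = bytearray(pe)
    opt = struct.unpack_from("<I", out, 0x3C)[0] + 24
    cert_dir = opt + CERT_DIR_OFFSET[struct.unpack_from("<H", out, opt)[0]]
    cert_off, cert_len = struct.unpack_from("<II", out, cert_dir)
    if cert_off + cert_len != len(out):
        raise ValueError("certificate table must be the trailing data of the file")
    extra = extra.ljust((len(extra) + 7) & ~7, b"\0")
    out += extra
    struct.pack_into("<II", out, cert_dir, cert_off, cert_len + len(extra))
    struct.pack_into("<I", out, cert_off, struct.unpack_from("<I", out, cert_off)[0] + len(extra))
    return out


def rewrite_checksum(pe: bytes, value: int) -> bytearray:
    """Variant with a new OptionalHeader.CheckSum, the other header field the digest skips."""
    out = bytearray(pe)
    opt = struct.unpack_from("<I", out, 0x3C)[0] + 24
    struct.pack_into("<I", out, opt + CHECKSUM_OFFSET, value)
    return out


if __name__ == "__main__":
    base = build_test_pe(b"\x90" * 16, b"DUMMY-SIGNATURE")   # constructed sample, not a real driver
    for name, img in [("base", base),
                      ("cert-table append", append_to_certificate_table(base, b"variant-01")),
                      ("checksum rewrite", rewrite_checksum(base, 0xDEADBEEF))]:
        print(f"{name:18} sha256={file_hash(img)[:16]}...  authenticode={authenticode_hash(img)[:16]}...")
```

Both variants print a different flat SHA-256 and the same Authenticode digest, which is why a blocklist or IOC feed keyed on flat file hashes cannot keep pace with variants produced this way, while a check that first verifies the signature and then matches on signer plus file version (below 3.4.0 for truesight.sys, per the article) catches every one of them. Windows rejects the appended certificate-table bytes only when the opt-in CVE-2013-3900 hardening (EnableCertPaddingCheck) is turned on, which it is not by default.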