New malware exploits trusted Windows drivers to get around security systems – here’s how to stay safe - InfoSunrise – Daily Insights Across Tech, Travel, Lifestyle & More

Chinese threat group abused a vulnerable WatchDog Antimalware driver to disable antivirus and EDR tools
Attackers also leveraged a Zemana Anti-Malware driver (ZAM.exe) for broader compatibility across Windows
Researchers are urging IT teams to update blocklists, use YARA rules, and monitor for suspicious activity

Chinese hackers Silver Fox have been seen abusing a previously trusted Windows driver to disable antivirus ^[1] protections and deploy malware on target devices.

The latest driver to be abused in the age-old “Bring Your Own Vulnerable Driver” attack is called WatchDog Antimalware, usually part of the security solution of the same name.

It carries the filename amsdk.sys, with the version 1.0.600 being the vulnerable one. Security experts from Check Point Research (CPR), who found the issue, said this driver was not previously listed as problematic, but was used in attacks against entities in East Asia.

Evolving malware

In the attacks, the threat actors used the driver to terminate antivirus and EDR tools ^[2], after which they deployed ValleyRAT.

This piece of malware acts as a backdoor that can be used in cyber-espionage, for arbitrary command execution, as well as data exfiltration.

Furthermore, CPR said that Silver Fox used a separate driver, called ZAM.exe (from the Zemana anti-malware solution) to remain compatible between different systems, including Windows 7 ^[3], Windows 10 ^[4], and Windows 11 ^[5].

The researchers did not discuss how victims ended up with the malware ^[6] in the first place, but it is safe to assume a little phishing, or social engineering was at play here. The crooks used infrastructure located in China, to host self-contained loader binaries that included anti-analysis features, persistence mechanisms, both of the above-mentioned drivers, a hardcoded list of security processes that should be terminated, and ValleyRAT.

Check Point Research said that what started with WatchDog Antimalware quickly evolved to include additional versions, and types, of drivers, all with the goal of avoiding any detection.

WatchDog released an update fixing the local privilege flaw, however arbitrary process termination remains possible. Therefore, IT teams should make sure to monitor Microsoft ^[7]’s driver blocklist, use YARA detection rules, and monitor their network for suspicious traffic and/or other activity.

Via Infosecurity Magazine^[8]

References

^{^} antivirus (www.techradar.com)
^{^} EDR tools (www.techradar.com)
^{^} Windows 7 (www.techradar.com)
^{^} Windows 10 (www.techradar.com)
^{^} Windows 11 (www.techradar.com)
^{^} malware (www.techradar.com)
^{^} Microsoft (www.techradar.com)
^{^} Infosecurity Magazine (www.infosecurity-magazine.com)

New malware exploits trusted Windows drivers to get around security systems – here’s how to stay safe

Byadmin

Evolving malware

You might also like

References

Related

By admin

Related Post

Could this be the next big step forward for AI? Huawei’s open source move will make it easier than ever to connect together, well, pretty much everything

Here’s how ChatGPT parental controls will work, and it might just be the AI implementation parents have been waiting for

States, prefectures, cities, and villages: how one tiny Japanese CPU maker is taking a radically different route to making processors with thousands of cores

You missed

Real Madrid star Thibaut Courtois issues verdict on new Man United goalkeeper Senne Lammens – but Rio Ferdinand reveals his concerns after Red Devils overlooked Emi Martinez

Nabi spins Afghanistan to victory over Pakistan in tri-series clash

Al Hilal Sign Super Falcons Star Asisat Oshoala on Two-Year Deal

Ben Johnson, Bears go with Braxton Jones at left tackle