Exploitation of Microsoft Blocklist Gap: Silver Fox’s Undetected Operations

A cyber-espionage campaign attributed to a Chinese nation-state actor, identified as Silver Fox, has successfully exploited a gap in Microsoft’s signed driver blocklist to bypass Windows security measures.
According to researchers at Check Point, Silver Fox has been using the amsdk.sys driver—the WatchDog anti-malware component—to disable critical security functions on Windows 10 and 11 systems. Notably, this driver is absent from Microsoft’s official Vulnerable Driver Blocklist and is not tracked by community databases such as LOLDrivers.
The group’s attack involves deploying a custom loader that contains both a vulnerable component for Zemana antivirus software and a downloader known as ValleyRAT. Before executing, the loader checks for virtual machines and sandboxes, evading detection in forensic environments. If those checks pass, the loader installs the WatchDog driver while deactivating essential Windows protections, including Protected Process Light (PPL), a feature designed to safeguard vital processes from unauthorized alterations.
By leveraging a Microsoft-signed driver, Silver Fox has managed to maintain a foothold on affected systems without triggering security alarms, a situation underscored by Windows’ inherent trust in Microsoft-signed code—even when vulnerabilities are present. This exploitation tactic aligns with MITRE ATT&CK tactics such as persistence and privilege escalation, allowing adversaries to retain access and escalate their capabilities undetected.
ValleyRAT serves as a critical element of Silver Fox’s larger toolkit, enabling remote control over compromised machines and facilitating extended espionage or intrusion campaigns. Previously, Silver Fox has been associated with the deployment of Gh0st RAT, another remote access Trojan, indicative of a concerted approach to cyber-espionage.
In response to the vulnerabilities, Microsoft released an updated driver, wamsdk.sys, version 1.1.100. However, researchers noted that this patch did not fully resolve the arbitrary process termination issue, and the attackers adapted quickly: they modified a single byte in the driver’s Microsoft Authenticode signature, evading defenses that rely on hash-based blocklist mechanisms while the driver kept its appearance of legitimacy within Windows.
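The single-byte change described above defeats a blocklist keyed on the whole-file hash because the Authenticode PE hash deliberately excludes the CheckSum field, the certificate-table directory entry and the certificate table itself. The following added example (not from the article or from Check Point’s research) builds a toy PE32+ image with a constructed certificate table, computes both hashes, and checks the original and the modified file against each blocklist style; the PE layout, certificate contents and blocklist structure are stand-ins, not the real driver or Microsoft’s policy format.

```python
import hashlib
import struct

def build_toy_pe(code: bytes, cert_table: bytes) -> bytes:
    """Minimal PE32+ image: DOS stub, PE/COFF header, 240-byte optional header,
    the 'code' bytes, then the attribute certificate table at the very end."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                # CheckSum field
    cert_off = len(dos) + len(coff) + len(opt) + len(code)
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(cert_table))  # dir[4]
    return bytes(dos) + coff + bytes(opt) + code + cert_table

def file_hash(pe: bytes) -> str:
    """What a plain hash blocklist keys on: SHA-256 of every byte in the file."""
    return hashlib.sha256(pe).hexdigest()

def authenticode_hash(pe: bytes) -> str:
    """SHA-256 of the image minus CheckSum, the certificate-table directory entry and
    the certificate table (simplified: sections hashed in file order, fine for this toy)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 24
    dd = 96 if struct.unpack_from("<H", pe, opt)[0] == 0x10B else 112  # PE32/PE32+
    checksum_off, certdir_off = opt + 64, opt + dd + 4 * 8
    cert_off, cert_size = struct.unpack_from("<II", pe, certdir_off)
    h = hashlib.sha256()
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:certdir_off])
    h.update(pe[certdir_off + 8:cert_off])
    h.update(pe[cert_off + cert_size:])
    return h.hexdigest()

def is_blocked(pe: bytes, blocklist: dict) -> dict:
    """Check one file against both blocklist styles; True means an entry matched."""
    return {"file_hash": file_hash(pe) in blocklist["file_hash"],
            "authenticode_hash": authenticode_hash(pe) in blocklist["authenticode_hash"]}

# Constructed sample driver: the signed PKCS#7 body is followed by an
# unauthenticated timestamp attribute, which the signature does not cover.
BODY = b"PKCS7-SIGNED:" + b"\x01" * 16 + b"UNAUTH-TIMESTAMP:20250101000000"
CERT = struct.pack("<IHH", 8 + len(BODY), 0x0200, 0x0002) + BODY   # WIN_CERTIFICATE
ORIGINAL = build_toy_pe(b"\xCC" * 32, CERT)
MODIFIED = ORIGINAL[:-1] + bytes([ORIGINAL[-1] ^ 0x01])  # one timestamp byte differs
BLOCKLIST = {"file_hash": {file_hash(ORIGINAL)},
             "authenticode_hash": {authenticode_hash(ORIGINAL)}}
```

The modified file misses the file-hash entry but still matches the Authenticode-hash entry, which is why blocklists and detection rules should key on the Authenticode hash, or on signer plus original filename and version, rather than on the raw file digest.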
The researchers advocate stronger validation of driver behavior and more robust blocklist strategies to prevent signed drivers from being abused. With the persistent threat from groups like Silver Fox, the need for vigilant cybersecurity measures has never been clearer for businesses navigating today’s complex digital landscape.
