A significant malware campaign has been uncovered that exploits a vulnerable driver from Adlice’s software suite to circumvent security measures and deploy the Gh0st RAT malware. This revelation underscores the persistent risks that come from legacy systems and their components.

The cybersecurity firm Check Point detailed a strategic approach taken by the attackers, who created numerous variants of the 2.0.2 driver, deliberately altering key areas while maintaining a valid digital signature. Such modifications allow these attackers to bypass conventional detection mechanisms, as noted in a report released earlier this week.

The infiltration method primarily involved deploying thousands of preliminary malicious samples designed to disable endpoint detection and response (EDR) systems. The technique falls into the category of attacks known as bring your own vulnerable driver (BYOVD), in which a legitimately signed but flawed driver is loaded so that its kernel-level privileges can be abused, underscoring the creative ways in which adversaries turn existing system components against the defenses meant to protect them.

Analysis has identified upwards of 2,500 separate variants of the legacy truesight.sys driver on VirusTotal, although the actual total may be higher. The EDR-disabling module linked to this malware was first detected in June 2024. The underlying vulnerability is an arbitrary process termination flaw affecting all driver versions prior to 3.4.0, which has been abused by publicly available proof-of-concept tools such as Darkside and TrueSightKiller since November 2023.

In a related disclosure from March 2024, SonicWall reported on a loader known as DBatLoader that similarly used the truesight.sys driver to neutralize security solutions before delivering the Remcos RAT malware. The reuse of the same driver across unrelated campaigns illustrates how a single legacy component can be exploited repeatedly once its weakness is public.

Compelling evidence suggests that this operation may be tied to the Silver Fox APT threat actor group, based on overlapping execution patterns and tradecraft associated with prior incidents. Approximately 75% of the identified victims are based in China, with others spread across Asia, notably Singapore and Taiwan. The attack is characterized by initial stage artifacts masquerading as legitimate applications and distributed through fraudulent websites and messaging platforms.

The staged malware functions as a downloader, facilitating the installation of the outdated truesight driver alongside next-stage payloads that mimic common file types. Once active, the secondary malware retrieves another payload designed to deploy the EDR-killer module and the Gh0st RAT malware.

While the vulnerable driver versions are typically installed by the first-stage samples, the EDR-killing module can also drop the driver itself if it is not already present on the targeted system. This makes the module self-sufficient within the attack chain, able to disable security tooling without depending on the earlier stages.

This exploitation deliberately bypasses the Microsoft Vulnerable Driver Blocklist, a safeguard designed to prevent the loading of known vulnerable drivers, illustrating the effectiveness of the attackers' methods. By altering the driver while preserving its signature, the perpetrators evaded detection for an extended period: an Authenticode signature covers only part of a PE file, so bytes changed outside the signed regions produce a new file hash without invalidating the signature, and any control that matches on file hashes alone sees each variant as an unknown file.
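The two points above, that the vulnerable range is every truesight.sys build below 3.4.0 and that hash matching fails against signature-preserving variants, suggest hunting by file name, version and signer rather than by hash. The following PowerShell script is an added example for defenders and is not code from the article, from Check Point or from Adlice; the search locations, the 3.4.0 threshold taken from the text, and the decision to report the signer subject are the assumptions it makes.

```powershell
# Added example (not from the article): inventory kernel drivers on a Windows host and
# flag copies of truesight.sys whose file version is below 3.4.0, the range the report
# describes as vulnerable. Matching is on name, version and signer, not on SHA-256,
# because the campaign ships thousands of byte-variants that all keep a valid signature.
# The hash is still recorded so a finding can be correlated with other telemetry.

$fixedVersion = [version]'3.4.0'   # assumption: first fixed release, per the report

# Candidate directories: the driver store plus the image path of every registered
# kernel service. Service paths may use NT-style prefixes, which are normalised here.
$dirs = @("$env:SystemRoot\System32\drivers")
$dirs += Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $p = $_.PathName -replace '^\\\?\?\\', ''
        $p = $p -replace '^\\SystemRoot', $env:SystemRoot
        Split-Path -Parent $p
    }
$dirs = $dirs | Sort-Object -Unique

$findings = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        Where-Object {
            # Match on the on-disk name or the OriginalFilename in the version resource,
            # so a renamed copy of the driver is still caught.
            $_.Name -ieq 'truesight.sys' -or
            $_.VersionInfo.OriginalFilename -ieq 'truesight.sys'
        } |
        ForEach-Object {
            $vi  = $_.VersionInfo
            # Build a comparable [version] from the numeric parts of the version resource
            # rather than parsing the free-form FileVersion string.
            $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                  $vi.FileBuildPart, $vi.FilePrivatePart)
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path       = $_.FullName
                Version    = $ver
                Vulnerable = ($ver -lt $fixedVersion)
                SigStatus  = $sig.Status                      # Valid / NotSigned / HashMismatch ...
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($findings) {
    $findings | Sort-Object Vulnerable -Descending | Format-Table -AutoSize
} else {
    Write-Output 'No truesight.sys copies found in the searched locations.'
}
```

Run it in an elevated PowerShell session so the driver store and service image paths are readable. A row with `Vulnerable = True` and `SigStatus = Valid` is exactly the case the article describes: a legitimately signed driver that is nonetheless unsafe to have on the host, and whose hash may not appear in any blocklist. Loaded-driver events from Sysmon (Event ID 6) or an EDR can be checked the same way, by version and signer, to catch a variant at load time rather than only on disk.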

The attacks culminated in the deployment of a specific variant of Gh0st RAT known as HiddenGh0st, which gives the operators remote control of infected systems for data theft, surveillance, and system manipulation.

As of December 2024, Microsoft has amended its blocklist to include the vulnerable driver, aiming to curtail this exploitation method. This ongoing threat highlights the importance of vigilance against the manipulation of legacy systems and components, as cyber adversaries continue to exploit existing vulnerabilities for their gain.
