New malware exploits trusted Windows drivers to get around security systems - here's how to stay safe

Proactive Cybersecurity Service That Neutralizes Threats Within a Digital Network - Conceptual Illustration

(Image credit: Shutterstock)

Chinese threat group abused a vulnerable WatchDog Antimalware driver to disable antivirus and EDR tools
Attackers also leveraged a Zemana Anti-Malware driver (ZAM.exe) for broader compatibility across Windows
Researchers are urging IT teams to update blocklists, use YARA rules, and monitor for suspicious activity

Chinese hackers Silver Fox have been seen abusing a previously trusted Windows driver to disable antivirus protections and deploy malware on target devices.

The latest driver to be abused in the age-old “Bring Your Own Vulnerable Driver” attack is called WatchDog Antimalware, usually part of the security solution of the same name.

It carries the filename amsdk.sys, with the version 1.0.600 being the vulnerable one. Security experts from Check Point Research (CPR), who found the issue, said this driver was not previously listed as problematic, but was used in attacks against entities in East Asia.

Evolving malware

In the attacks, the threat actors used the driver to terminate antivirus and EDR tools, after which they deployed ValleyRAT.

This piece of malware acts as a backdoor that can be used in cyber-espionage, for arbitrary command execution, as well as data exfiltration.

Furthermore, CPR said that Silver Fox used a separate driver, called ZAM.exe (from the Zemana anti-malware solution) to remain compatible between different systems, including Windows 7, Windows 10, and Windows 11.

The researchers did not discuss how victims ended up with the malware in the first place, but it is safe to assume a little phishing, or social engineering was at play here. The crooks used infrastructure located in China, to host self-contained loader binaries that included anti-analysis features, persistence mechanisms, both of the above-mentioned drivers, a hardcoded list of security processes that should be terminated, and ValleyRAT.

Check Point Research said that what started with WatchDog Antimalware quickly evolved to include additional versions, and types, of drivers, all with the goal of avoiding any detection.

WatchDog released an update fixing the local privilege flaw, however arbitrary process termination remains possible. Therefore, IT teams should make sure to monitor Microsoft’s driver blocklist, use YARA detection rules, and monitor their network for suspicious traffic and/or other activity.

Via Infosecurity Magazine

Microsoft discovers five potentially damaging attacks against its own software
Take a look at our guide to the best authenticator app
We've rounded up the best password managers

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Evolving malware

You might also like