A large-scale malware campaign has been found leveraging a vulnerable Windows driver associated with Adlice's product suite to sidestep detection efforts and deliver the Gh0st RAT malware.
"To further evade detection, the attackers deliberately generated multiple variants (with different hashes) of the 2.0.2 driver by modifying specific PE parts while keeping the signature valid," Check Point said in a new report published Monday.
The cybersecurity company said the malicious activity involved thousands of first-stage malicious samples that are used to deploy a program capable of terminating endpoint detection and response (EDR) software by means of what's called a bring your own vulnerable driver (BYOVD) attack.
As many as 2,500 distinct variants of the legacy version 2.0.2 of the vulnerable RogueKiller Antirootkit Driver, truesight.sys, have been identified on the VirusTotal platform, although the number is believed to be likely higher. The EDR-killer module was first detected and recorded in June 2024.
The issue with the Truesight driver, an arbitrary process termination bug affecting all versions below 3.4.0, has been previously weaponized to devise proof-of-concept (PoC) exploits such as Darkside and TrueSightKiller that have been publicly available since at least November 2023.
In March 2024, SonicWall disclosed details of a loader called DBatLoader that was found to have utilized the truesight.sys driver to kill security solutions before delivering the Remcos RAT malware.
There is some evidence to suggest that the campaign could be the work of a threat actor known as the Silver Fox APT due to some level of overlaps in the execution chain and the tradecraft employed, including the "infection vector, execution chain, similarities in initial-stage samples [...], and historical targeting patterns."
The attack sequences involve the distribution of first-stage artifacts that are often disguised as legitimate applications and propagated via deceptive websites offering deals on luxury products and fraudulent channels in popular messaging apps like Telegram.
The samples act as a downloader, dropping the legacy version of the Truesight driver, as well as the next-stage payload that mimics common file types, such as PNG, JPG, and GIF. The second-stage malware then proceeds to retrieve another malware that, in turn, loads the EDR-killer module and the Gh0st RAT malware.
"While the variants of the legacy Truesight driver (version 2.0.2) are typically downloaded and installed by the initial-stage samples, they can also be deployed directly by the EDR/AV killer module if the driver is not already present on the system," Check Point explained.
"This suggests that although the EDR/AV killer module is fully integrated into the campaign, it is capable of operating independently of the earlier stages."
The module employs the BYOVD technique to abuse the susceptible driver for the purpose of terminating processes associated with certain security software. In doing so, the attack offers an advantage in that it bypasses the Microsoft Vulnerable Driver Blocklist, a hash value-based Windows mechanism designed to protect the system against known vulnerable drivers.
The attacks culminated with the deployment of a variant of Gh0st RAT called HiddenGh0st, which is designed to remotely control compromised systems, giving attackers a way to conduct data theft, surveillance, and system manipulation.
As of December 17, 2024, Microsoft has updated the driver blocklist to include the driver in question, effectively blocking the exploitation vector.
"By modifying specific parts of the driver while preserving its digital signature, the attackers bypassed common detection methods, including the latest Microsoft Vulnerable Driver Blocklist and LOLDrivers detection mechanisms, allowing them to evade detection for months," Check Point said.
"Exploiting the Arbitrary Process Termination vulnerability allowed the EDR/AV killer module to target and disable processes commonly associated with security solutions, further enhancing the campaign's stealth."
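As an added illustration of the detection gap described above (this is not Check Point's code or any tooling from the report), the following Python triages driver-load records by file name and version rather than by hash, so every re-hashed copy of the same 2.0.2 build matches; the record fields (path, sha256, file_version) and all sample values are constructed assumptions, not real telemetry or indicators.

```python
"""Flag loads of the vulnerable Truesight driver by name and version, not hash.

Added example, not code from Check Point or Adlice. The record fields
(path, sha256, file_version) and the sample records are constructed."""
from typing import Iterable

# From the article: every truesight.sys build below 3.4.0 carries the
# arbitrary process termination bug; the campaign re-hashed build 2.0.2.
VULN_DRIVER_NAME = "truesight.sys"
FIXED_VERSION = (3, 4, 0)
# A hash blocklist only knows variants it has already seen (placeholder).
KNOWN_BAD_SHA256 = {"constructed-sha256-variant-1"}

def parse_version(text: str) -> tuple:
    """'2.0.2' -> (2, 0, 2); non-numeric parts count as 0, short forms pad."""
    parts = [int(p) if p.isdigit() else 0 for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def is_vulnerable_truesight(rec: dict) -> bool:
    """True when the loaded image is truesight.sys below the fixed version."""
    name = rec.get("path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name != VULN_DRIVER_NAME:
        return False
    return parse_version(rec.get("file_version", "0")) < FIXED_VERSION

def triage(records: Iterable[dict]) -> dict:
    """Compare what a hash blocklist catches with the name+version rule."""
    hash_hits, rule_hits = [], []
    for rec in records:
        if rec.get("sha256", "").lower() in KNOWN_BAD_SHA256:
            hash_hits.append(rec["path"])
        if is_vulnerable_truesight(rec):
            rule_hits.append(rec["path"])
    return {"hash_hits": hash_hits, "rule_hits": rule_hits}

# Constructed records: three re-hashed 2.0.2 variants (only one on the
# blocklist), one fixed 3.4.0 build, and an unrelated driver.
SAMPLE_RECORDS = [
    {"path": r"C:\Windows\Temp\truesight.sys",
     "sha256": "constructed-sha256-variant-1", "file_version": "2.0.2"},
    {"path": r"C:\Users\Public\truesight.sys",
     "sha256": "constructed-sha256-variant-2", "file_version": "2.0.2"},
    {"path": r"C:\ProgramData\TrueSight.SYS",
     "sha256": "constructed-sha256-variant-3", "file_version": "2.0.2"},
    {"path": r"C:\Program Files\RogueKiller\truesight.sys",
     "sha256": "constructed-sha256-fixed", "file_version": "3.4.0"},
    {"path": r"C:\Windows\System32\drivers\other.sys",
     "sha256": "constructed-sha256-other", "file_version": "1.0.0"},
]
```

Running `triage(SAMPLE_RECORDS)` shows the hash blocklist catching one of the three 2.0.2 copies while the name-plus-version rule catches all three and leaves the fixed 3.4.0 build alone.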