A large-scale malware campaign has been found leveraging a vulnerable Windows driver associated with Adlice’s product suite to sidestep detection efforts and deliver the Gh0st RAT malware.
“To further evade detection, the attackers deliberately generated multiple variants (with different hashes) of the 2.0.2 driver by modifying specific PE parts while keeping the signature valid,” Check Point said in a new report published Monday.
The cybersecurity company said the malicious activity involved thousands of first-stage malicious samples that are used to deploy a program capable of terminating endpoint detection and response (EDR) software by means of what is called a bring your own vulnerable driver (BYOVD) attack.
As many as 2,500 distinct variants of the legacy version 2.0.2 of the vulnerable RogueKiller Antirootkit Driver, truesight.sys, have been identified on the VirusTotal platform, although the real number is believed to be higher. The EDR-killer module was first detected and recorded in June 2024.

The issue with the Truesight driver, an arbitrary process termination bug affecting all versions below 3.4.0, has previously been weaponized in proof-of-concept (PoC) exploits such as Darkside and TrueSightKiller that have been publicly available since at least November 2023.
In March 2024, SonicWall published details of a loader called DBatLoader that was found to have used the truesight.sys driver to kill security solutions before delivering the Remcos RAT malware.
There is some evidence to suggest that the campaign could be the work of a threat actor called Silver Fox APT, owing to some degree of overlap in the execution chain and the tradecraft employed, including the “infection vector, execution chain, similarities in initial-stage samples […], and historical targeting patterns.”
The attack sequences involve the distribution of first-stage artifacts that are often disguised as legitimate applications and propagated via deceptive websites offering deals on luxury products, as well as fraudulent channels in popular messaging apps like Telegram.
The samples act as a downloader, dropping the legacy version of the Truesight driver as well as a next-stage payload that mimics common file types such as PNG, JPG, and GIF. The second-stage malware then retrieves another payload that, in turn, loads the EDR-killer module and the Gh0st RAT malware.

“While the variants of the legacy Truesight driver (version 2.0.2) are typically downloaded and installed by the initial-stage samples, they can also be deployed directly by the EDR/AV killer module if the driver is not already present on the system,” Check Point explained.
“This suggests that although the EDR/AV killer module is fully integrated into the campaign, it is capable of operating independently of the earlier stages.”
The module employs the BYOVD technique to abuse the vulnerable driver in order to terminate processes belonging to certain security software. In doing so, the attack gains an advantage in that it bypasses the Microsoft Vulnerable Driver Blocklist, a hash-based Windows mechanism designed to protect the system against known vulnerable drivers. Any hash-keyed deny list is only as good as its coverage: a driver variant whose hash is not on the list loads normally even though its signature, signer and exploitable code are unchanged, so defenders should also watch for the driver by name, signer and behaviour (an unexpected kernel driver load followed by the termination of security processes) rather than rely on hash matches alone.

The attacks culminated in the deployment of a Gh0st RAT variant called HiddenGh0st, which is designed to remotely control compromised systems, giving attackers a way to conduct data theft, surveillance, and system manipulation.
As of December 17, 2024, Microsoft has updated the driver blocklist to include the driver in question, blocking the exploitation vector on systems that receive the updated list and enforce it.
“By modifying specific parts of the driver while preserving its digital signature, the attackers bypassed common detection methods, including the latest Microsoft Vulnerable Driver Blocklist and LOLDrivers detection mechanisms, allowing them to evade detection for months,” Check Point said.
“Exploiting the Arbitrary Process Termination vulnerability allowed the EDR/AV killer module to target and disable processes commonly associated with security solutions, further enhancing the campaign’s stealth.”
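The “different hashes, valid signature” detail quoted above is worth seeing in bytes. The following is an added example, not code from Check Point, Adlice or the article: it computes a PE file’s Authenticode hash (the “authentihash” that signature verification uses and that VirusTotal displays) next to its plain SHA-256. Authenticode hashes the PE image but, per Microsoft’s Authenticode PE specification, skips three regions: the CheckSum field, the Certificate Table data-directory entry, and the attribute certificate table itself. Bytes changed in those regions leave the signature verifiable while every file-hash indicator changes. The article does not say which PE parts the attackers modified, so the edits below (a new CheckSum value and padding appended inside the certificate table) are this example’s assumption; the minimal PE32+ image is constructed in code, is not loadable, and carries no real signature.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory index of the Certificate Table
PE32PLUS_MAGIC = 0x20B


def _layout(pe: bytes) -> dict:
    """Offsets needed to walk a PE image: CheckSum field, Certificate Table
    directory entry, SizeOfHeaders, section table and section count."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (0x70 if magic == PE32PLUS_MAGIC else 0x60)  # data directories start
    return {
        "checksum": opt + 0x40,
        "cert_entry": dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
        "size_of_headers": struct.unpack_from("<I", pe, opt + 0x3C)[0],
        "sections": opt + size_opt,
        "num_sections": num_sections,
    }


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash a PE image the way Authenticode does (the 'authentihash')."""
    lo = _layout(pe)
    cert_size = struct.unpack_from("<II", pe, lo["cert_entry"])[1]
    h = hashlib.new(algo)
    # 1. headers, minus the CheckSum field and the Certificate Table entry
    h.update(pe[: lo["checksum"]])
    h.update(pe[lo["checksum"] + 4 : lo["cert_entry"]])
    h.update(pe[lo["cert_entry"] + 8 : lo["size_of_headers"]])
    hashed = lo["size_of_headers"]
    # 2. section raw data, in ascending file-offset order
    sections = []
    for i in range(lo["num_sections"]):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, lo["sections"] + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(pe[raw_ptr : raw_ptr + raw_size])
        hashed += raw_size
    # 3. trailing data after the sections, excluding the certificate table
    extra = len(pe) - (hashed + cert_size)
    if extra > 0:
        h.update(pe[hashed : hashed + extra])
    return h.hexdigest()


def file_hash(pe: bytes, algo: str = "sha256") -> str:
    """Plain hash of every byte: what a hash-keyed blocklist or IOC matches on."""
    return hashlib.new(algo, pe).hexdigest()


def build_minimal_pe(section_data: bytes, cert_table: bytes) -> bytes:
    """Constructed PE32+ image (assumption of this example, not loadable):
    DOS stub, COFF header, optional header, one section, certificate table last."""
    size_of_headers = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                      # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 0x3C, size_of_headers)              # SizeOfHeaders
    cert_off = size_of_headers + len(section_data)
    struct.pack_into("<II", opt, 0x70 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_off, len(cert_table))
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(section_data), 0x1000,
                       len(section_data), size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + coff + bytes(opt) + sect).ljust(size_of_headers, b"\0")
    return headers + section_data + cert_table


def make_variant(pe: bytes, checksum: int, cert_padding: bytes) -> bytes:
    """Rewrite only bytes Authenticode does not cover: a new CheckSum value and
    padding appended inside the certificate table (its size field is bumped).
    Assumes the certificate table sits at the end of the file."""
    buf = bytearray(pe)
    lo = _layout(pe)
    struct.pack_into("<I", buf, lo["checksum"], checksum)
    cert_off, cert_size = struct.unpack_from("<II", buf, lo["cert_entry"])
    struct.pack_into("<II", buf, lo["cert_entry"], cert_off, cert_size + len(cert_padding))
    return bytes(buf) + cert_padding


def demo() -> dict:
    """Compare a constructed 'driver' with a hash-shifted variant and a real code edit."""
    base = build_minimal_pe(b"\x90" * 64, b"\x30\x82" + b"C" * 30)   # constructed stand-ins
    variant = make_variant(base, 0xDEADBEEF, b"\0" * 16)
    tampered = bytearray(base)
    tampered[0x200] ^= 0x01                                          # one byte of section data
    return {
        "same_authentihash": authenticode_hash(base) == authenticode_hash(variant),
        "same_file_hash": file_hash(base) == file_hash(variant),
        "code_change_detected": authenticode_hash(base) != authenticode_hash(bytes(tampered)),
    }
```

Calling `demo()` reports that the variant shares the base image’s authentihash while its file hash differs, and that editing a single byte of section data does change the authentihash. The practical takeaway for hunting: pivot on the Authenticode hash, the signer, or the driver’s original filename rather than the SHA-256 of one sample, because a hash-keyed deny list needs every variant’s hash while the authentihash stays constant across edits of this kind.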