A large-scale malware campaign has been found leveraging a vulnerable Windows driver associated with Adlice's product suite to sidestep detection efforts and deliver the Gh0st RAT malware.
"To further evade detection, the attackers deliberately generated multiple variants (with different hashes) of the 2.0.2 driver by modifying specific PE parts while keeping the signature valid," Check Point said in a new report published Monday.
The cybersecurity company said the malicious activity involved thousands of first-stage malicious samples that are used to deploy a program capable of terminating endpoint detection and response (EDR) software by means of what is known as a bring your own vulnerable driver (BYOVD) attack.
As many as 2,500 distinct variants of the legacy version 2.0.2 of the vulnerable RogueKiller Antirootkit Driver, truesight.sys, have been identified on the VirusTotal platform, although the number is believed to be likely higher. The EDR-killer module was first detected and recorded in June 2024.
The issue with the Truesight driver, an arbitrary process termination bug affecting all versions below 3.4.0, has previously been weaponized to devise proof-of-concept (PoC) exploits such as Darkside and TrueSightKiller that have been publicly available since at least November 2023.
In March 2024, SonicWall revealed details of a loader called DBatLoader that was found to have used the truesight.sys driver to kill security solutions before delivering the Remcos RAT malware.
There is some evidence to suggest that the campaign could be the work of a threat actor known as the Silver Fox APT, owing to some level of overlap in the execution chain and the tradecraft employed, including the "infection vector, execution chain, similarities in initial-stage samples [...], and historical targeting patterns."
The attack sequences involve the distribution of first-stage artifacts that are often disguised as legitimate applications and propagated via deceptive websites offering deals on luxury products and fraudulent channels in popular messaging apps like Telegram.
The samples act as a downloader, dropping the legacy version of the Truesight driver as well as a next-stage payload that mimics common file types, such as PNG, JPG, and GIF. The second-stage malware then proceeds to retrieve another malware that, in turn, loads the EDR-killer module and the Gh0st RAT malware.
"While the variants of the legacy Truesight driver (version 2.0.2) are typically downloaded and installed by the initial-stage samples, they can also be deployed directly by the EDR/AV killer module if the driver is not already present on the system," Check Point explained.
"This suggests that although the EDR/AV killer module is fully integrated into the campaign, it is capable of operating independently of the earlier stages."
The module employs the BYOVD technique to abuse the susceptible driver for the purpose of terminating processes related to certain security software. In doing so, the attack offers an advantage in that it bypasses the Microsoft Vulnerable Driver Blocklist, a hash value-based Windows mechanism designed to protect the system against known vulnerable drivers: because each variant has a different file hash, a list keyed on file hashes does not recognize it, even though the driver's signature remains valid.
The attacks culminated with the deployment of a variant of Gh0st RAT called HiddenGh0st, which is designed to remotely control compromised systems, giving attackers a way to conduct data theft, surveillance, and system manipulation.
As of December 17, 2024, Microsoft has updated the driver blocklist to include the driver in question, effectively blocking the exploitation vector.
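The following is an added example, not code from the Check Point report or from Microsoft, that shows why a hash-keyed blocklist misses signature-preserving variants and what a detection engineer can key on instead. An Authenticode signature covers every byte of a PE file except three regions (the optional header's CheckSum field, the Security data-directory entry, and the certificate table that entry points to), so two files that differ only in those regions have different SHA-256 file hashes but the same Authenticode hash ("authentihash"), while any change to signed content changes the authentihash. The PE images below are constructed inline for the demonstration; they are not real drivers, carry no real certificate, and the `build_pe` helper and its field values are this example's own assumptions.

```python
"""Match signed-driver variants by Authenticode hash instead of file hash.

Added example (not from the Check Point report). The sample PE images are
constructed here; they are not real drivers and hold no real certificate.
"""
import hashlib
import struct


def file_hash(data: bytes) -> str:
    """Plain SHA-256 of the whole file, the value a hash-based blocklist keys on."""
    return hashlib.sha256(data).hexdigest()


def authentihash(data: bytes) -> str:
    """SHA-256 over the bytes an Authenticode signature covers.

    Following the Authenticode PE specification, three regions are skipped:
    the CheckSum field of the optional header, the Security data-directory
    entry, and the attribute certificate table it points to.  This is the
    simplified file-order form (sections are assumed to be in file order).
    """
    h = hashlib.sha256()
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 4 + 20                      # after "PE\0\0" and the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    checksum_off = opt + 64                      # same offset in PE32 and PE32+
    dirs_off = opt + (96 if magic == 0x10B else 112)
    sec_dir = dirs_off + 4 * 8                   # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_len = struct.unpack_from("<II", data, sec_dir)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:sec_dir])
    if cert_off and cert_len:
        h.update(data[sec_dir + 8:cert_off])
        h.update(data[cert_off + cert_len:])     # any data after the certificate table
    else:
        h.update(data[sec_dir + 8:])
    return h.hexdigest()


def build_pe(code: bytes, cert_blob: bytes, checksum: int = 0) -> bytes:
    """Build a minimal PE32 image: one .text section plus a WIN_CERTIFICATE entry.

    Constructed for this example only; field values are arbitrary but well-formed.
    """
    hdr_size, sec_size = 512, 512
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    cert_len = 8 + len(cert_blob)
    cert_len += (-cert_len) % 8                               # WIN_CERTIFICATE is 8-byte aligned
    dirs = [(0, 0)] * 16
    dirs[4] = (hdr_size + sec_size, cert_len)                 # Security directory entry
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, sec_size, 0, 0, 0x1000, 0x1000, 0x1000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII",
                       0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                       0x2000, hdr_size, checksum, 1, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    assert len(opt) == 224
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", sec_size, 0x1000, sec_size,
                                         hdr_size, 0, 0, 0, 0, 0x60000020)
    image = (dos + coff + opt + sect).ljust(hdr_size, b"\0") + code.ljust(sec_size, b"\0")
    cert = struct.pack("<IHH", cert_len, 0x0200, 0x0002) + cert_blob
    return image + cert.ljust(cert_len, b"\0")


def matches_known_variant(sample: bytes, known_authentihashes: set) -> bool:
    """Blocklist lookup keyed on the Authenticode hash rather than the file hash."""
    return authentihash(sample) in known_authentihashes


# Constructed samples: the same signed content in two packagings, plus one
# whose signed content was altered (which would also invalidate a real signature).
SIGNED_CODE = b"\xcc" * 16 + b"constructed-driver-body"
DRIVER_A = build_pe(SIGNED_CODE, b"constructed certificate blob", checksum=0x1234)
DRIVER_B = build_pe(SIGNED_CODE, b"constructed certificate blob" + b"\0" * 32, checksum=0x5678)
TAMPERED = build_pe(SIGNED_CODE.replace(b"driver", b"DRIVER"), b"constructed certificate blob", checksum=0x1234)

if __name__ == "__main__":
    for name, sample in (("A", DRIVER_A), ("B", DRIVER_B), ("tampered", TAMPERED)):
        print(f"{name:9s} sha256={file_hash(sample)[:16]}... authentihash={authentihash(sample)[:16]}...")
```

DRIVER_A and DRIVER_B differ in their file hash but share an authentihash, so one entry keyed on the authentihash catches both; the tampered image has a different authentihash because signed bytes changed. In practice the same value appears as the "authentihash" on VirusTotal, and a blocklist that can express signer, file name and version rules (as WDAC policies can) is more robust still than any per-file hash.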
"By modifying specific parts of the driver while preserving its digital signature, the attackers bypassed common detection methods, including the latest Microsoft Vulnerable Driver Blocklist and LOLDrivers detection mechanisms, allowing them to evade detection for months," Check Point said.
"Exploiting Arbitrary Process Termination vulnerability allowed the EDR/AV killer module to target and disable processes commonly associated with security solutions, further enhancing the campaign's stealth."