2,500+ Truesight.sys Driver Variants Exploited to Deploy HiddenGh0st RAT and Bypass EDR

Feb 25, 2025Ravie LakshmananWindows Security / Risk

A large-scale malware campaign has been discovered that uses a vulnerable Windows driver from Adlice's product suite to sidestep detection efforts and deliver the HiddenGh0st RAT.

In a new report published on Monday, Check Point said that, in order to further evade detection, the attackers deliberately generated multiple variants of the version 2.0.2 driver (each with a different file hash) by altering specific parts of the PE file while keeping its digital signature intact.

The cybersecurity company said that thousands of first-stage malicious samples were used to deploy a program capable of terminating endpoint detection and response (EDR) software by means of a "bring your own vulnerable driver" (BYOVD) attack.

As many as 2,500 distinct variants of the legacy version 2.0.2 of the vulnerable RogueKiller Antirootkit Driver, truesight.sys, have been identified on the VirusTotal platform, although the actual number is believed to be higher. The EDR-killer module was first detected and recorded in June 2024.

An arbitrary process termination bug that affects all versions below 3.4.0 has previously been exploited to craft proof-of-concept (PoC) exploits like and , which have been publicly available since at least November 2023.

In March 2024, SonicWall detailed a loader called DBatLoader that was found to use the truesight.sys driver to kill security solutions before delivering the Remcos RAT.

Given the degree of overlap in the execution chain and the tradecraft employed, including the "infection vector, execution chain, similarities in initial-stage samples [...], and historical targeting patterns," there is evidence to suggest that the campaign could be the work of a threat actor called the .

The attack chains involve the distribution of first-stage artifacts that are often disguised as legitimate applications and promoted through bogus websites offering deals on luxury products and fake Telegram messaging apps.

The samples act as a downloader, dropping the legacy version of the Truesight driver as well as a next-stage payload that mimics common file types such as PNG, JPG, and GIF. The second-stage malware then retrieves another malware that, in turn, loads the EDR-killer module and the Gh0st RAT malware.

Check Point explained that the variants of the legacy Truesight driver (version 2.0.2) can also be installed directly by the EDR/AV killer module if the driver is not already present on the system.

This indicates that the EDR/AV killer module can operate independently of the earlier stages, even though it is fully integrated into the campaign's scheme.

The module uses the BYOVD technique to abuse the vulnerable driver in order to terminate processes belonging to specific security software. In doing so, the attack gains an advantage by sidestepping the hash value-based Windows mechanism known as the Microsoft Vulnerable Driver Blocklist, which is intended to protect the system against known vulnerable drivers.

The attacks culminate with the deployment of a variant of Gh0st RAT called HiddenGh0st, which is designed to remotely control compromised systems, giving attackers a way to carry out data theft, surveillance, and system manipulation.

As of December 17, 2024, Microsoft has updated the driver blocklist to include the driver in question, effectively blocking the exploitation vector.

The attackers "[bypassed] typical detection methods, including the most recent Microsoft Vulnerable Driver Blocklist and LOLDrivers detection mechanisms, by altering certain parts of the driver while preserving its digital signature," according to Check Point.
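The hash-bypass described above (and in the variant-generation paragraph earlier) works because an Authenticode signature does not cover the whole file: the optional header's CheckSum field, the Certificate Table directory entry, and the certificate blob itself are excluded from the signed digest. Bytes changed in those regions alter the plain file hash that IOC feeds and hash lookups key on, while signature verification still passes. The following Python script is an added example written for this article, not code from Check Point or from the campaign; it builds a small synthetic PE32+ image (not a loadable or real signed driver, and the "signature" blob is a constructed stand-in), implements the Authenticode digest walk from the Authenticode PE specification, and shows that cert-region and CheckSum edits leave that digest unchanged while a change to .text does not. The `demo` function, the image layout, and the fake blob contents are all assumptions made for illustration.

```python
import hashlib
import struct


def authenticode_digest(pe: bytes, algo: str = "sha256") -> str:
    """Authenticode image digest: hash the file while skipping the CheckSum field,
    the Certificate Table data-directory entry and the certificate blob itself."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    is_pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    checksum_off = opt + 64                         # same offset for PE32 and PE32+
    sec_dir_off = opt + (144 if is_pe32plus else 128)  # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_dir_off)

    h = hashlib.new(algo)
    h.update(pe[:checksum_off])                      # headers up to CheckSum
    h.update(pe[checksum_off + 4:sec_dir_off])       # skip CheckSum, up to cert entry
    h.update(pe[sec_dir_off + 8:size_of_headers])    # skip cert entry, rest of headers
    hashed = size_of_headers

    # Section raw data, in ascending PointerToRawData order.
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    # Trailing data after the sections, minus the certificate table.
    if len(pe) > hashed:
        tail = pe[hashed:]
        if cert_size:
            rel = cert_off - hashed
            tail = tail[:rel] + tail[rel + cert_size:]
        h.update(tail)
    return h.hexdigest()


def build_signed_pe(cert_blob: bytes, checksum: int = 0) -> bytes:
    """Constructed, minimal PE32+ layout: headers (0x200), one .text section (0x200),
    then a WIN_CERTIFICATE-style blob. Hypothetical test fixture, not a real driver."""
    e_lfanew, opt_size, size_of_headers = 0x40, 240, 0x200
    sec_ptr = sec_size = 0x200
    cert_ptr = sec_ptr + sec_size
    # WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS#7)
    cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    cert += b"\0" * (-len(cert) % 8)                 # 8-byte aligned like real files

    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", opt, 64, checksum)        # CheckSum (unsigned region)
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 144, cert_ptr, len(cert))  # security directory
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", sec_size, 0x1000, sec_size, sec_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + bytes(opt) + section
    headers += b"\0" * (size_of_headers - len(headers))
    body = bytes(range(256)) * (sec_size // 256)    # deterministic fake code bytes
    return headers + body + cert


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    blob = b"FAKE-PKCS7-SIGNED-DATA"                 # constructed stand-in for PKCS#7
    original = build_signed_pe(blob)
    variant_cert = build_signed_pe(blob + b"\x41" * 16)      # bytes added in cert blob
    variant_csum = build_signed_pe(blob, checksum=0xDEADBEEF)  # CheckSum rewritten
    tampered = bytearray(original)
    tampered[0x210] ^= 0xFF                          # one byte inside .text changed
    variants = (original, variant_cert, variant_csum)
    return {
        "file_sha256": [sha256_hex(v) for v in variants],         # three different values
        "authenticode": [authenticode_digest(v) for v in variants],  # all identical
        "tampered_authenticode": authenticode_digest(bytes(tampered)),  # differs
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The practical takeaway for defenders: a blocklist or hunting rule keyed only on a file's SHA-256 is defeated by exactly the kind of edit the campaign made, so pin known-bad drivers by Authenticode digest and signer identity as well, and treat a driver whose file hash is unknown but whose Authenticode digest matches a known vulnerable build as the same driver.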

By exploiting the arbitrary process termination vulnerability, the EDR/AV killer module "attempts to terminate processes commonly associated with security solutions," further enhancing the campaign's stealth.
