Check Point Research uncovered an ongoing campaign by the Silver Fox APT group exploiting a previously unknown vulnerable driver to evade endpoint protection. The attackers used a Microsoft-signed WatchDog Antimalware driver to terminate protected processes on fully updated Windows systems. A dual-driver strategy ensured compatibility across Windows versions. Following disclosure, the vendor released a patched driver, but attackers quickly adapted by modifying it to bypass blocklists while preserving its valid signature. The campaign delivered ValleyRAT as the final payload, demonstrating sophisticated evasion techniques and highlighting the growing trend of weaponizing signed-but-vulnerable drivers to bypass security measures.

Author: AlienVault
Related Tags:
signature manipulation
kernel exploitation
driver abuse
T1553.006
process termination
T1574.006
edr evasion
T1218.011
T1562.002
Associated Indicators: