- Check Point reveals large hacking campaign targeting hundreds of thousands of devices
- The campaign abused a vulnerable but validly signed Windows driver
- It enabled crooks to disable antivirus programs and take over endpoints
A huge cybercriminal campaign has been observed using an outdated and vulnerable Windows driver to deploy malware on victims' machines. The campaign originates in China, and most of the victims are located in China as well.
An in-depth report published by cybersecurity researchers at Check Point said the attackers identified a vulnerability in the Truesight.sys driver, version 2.0.2. This is an older version known to allow arbitrary process termination.
The crooks created more than 2,500 unique variants of the driver, each keeping its valid signature, to avoid being picked up by antivirus programs.
Hundreds of thousands of victims
They then built their C2 infrastructure on servers located in China and hosted the vulnerable drivers there. Victims were targeted through phishing and social engineering, lured with fake deals on luxury goods and the like. Once they had downloaded the vulnerable driver and the initial piece of malware, their security programs would be remotely disabled and further payloads dropped, giving the attackers full control over the infected machines.
Check Point did not say how many people were targeted, but suggested that the campaign was massive, potentially hitting hundreds of thousands of devices. While most of the victims (75%) are in China, the rest are spread across other Asian regions such as Singapore and Taiwan.
The first steps (setting up the infrastructure) were taken in September 2024, the researchers explained, suggesting that the campaign has been active for at least half a year. In mid-December last year, Microsoft updated its vulnerable driver blocklist and prevented further exploitation of the flawed driver.
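A defender's check that follows from the driver and blocklist details above, added here and not taken from Check Point's report: a PowerShell snippet that lists any registered Truesight driver with its version and Authenticode status, then confirms Microsoft's vulnerable driver blocklist is switched on. The file name Truesight.sys and the registry switch are my assumptions; because the variants keep a valid signature, a "Valid" status on version 2.0.2 is expected and the version, not the signature, is the indicator.

```powershell
# Added check, not part of the article or of Check Point's tooling.
# Assumes the driver is registered under a name or path containing "truesight"
# and that the blocklist switch lives at the documented CI\Config registry key.

# 1. Find any Truesight driver registered as a kernel service, loaded or not.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like '*truesight*' -or $_.PathName -like '*truesight*' }

foreach ($d in $drivers) {
    # Strip the \??\ device prefix some third-party drivers carry in PathName.
    $path = $d.PathName -replace '^\\\?\?\\', ''
    $present = Test-Path -LiteralPath $path
    $ver = if ($present) { (Get-Item -LiteralPath $path).VersionInfo.FileVersion } else { 'file missing' }
    $sig = if ($present) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    [pscustomobject]@{
        Service   = $d.Name
        State     = $d.State           # Running means the driver is loaded right now
        Path      = $path
        Version   = $ver
        SigStatus = if ($sig) { $sig.Status } else { 'n/a' }   # expect Valid even on bad builds
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        # The article names 2.0.2 as the abused build; a valid signature does not clear it.
        Flag      = if ($ver -like '2.0.2*') { 'VULNERABLE BUILD - investigate' } else { 'verify build' }
    }
}

# 2. Confirm the Microsoft vulnerable driver blocklist is enabled. It is also enforced
#    whenever memory integrity (HVCI) is on, and only catches this driver once the
#    blocklist itself has received the mid-December update the article mentions.
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$val = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable `
        -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($val -eq 1) {
    'Vulnerable driver blocklist: enabled'
} else {
    "Vulnerable driver blocklist: not enabled (value: '$val') - turn it on under Windows Security > Core isolation"
}
```

Run it from an elevated PowerShell session so the driver file paths and the CI\Config key are readable.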
The threat actor behind this campaign is probably a group called Silver Fox, a financially motivated group rather than a state-sponsored one.
Check Point says the execution chain, as well as the tactics, techniques and procedures (TTPs), resemble those of a September 2024 campaign attributed to Silver Fox. In addition, the group is known for using Chinese public cloud servers to host payloads and C2, and for targeting victims in the Asian region.