- Chinese threat group abused a vulnerable WatchDog Antimalware driver to disable antivirus and EDR tools
- Attackers also used a Zemana Anti-Malware driver (zam.exe) for wider compatibility across Windows versions
- Researchers encourage IT teams to update blocklists, use YARA rules and monitor for suspicious activity
The Chinese threat group Silver Fox has been seen abusing a previously trusted Windows driver to disable antivirus protection and deploy malware on target devices.
The latest driver abused in the long-established “Bring Your Own Vulnerable Driver” (BYOVD) technique is the WatchDog Antimalware driver, normally part of the security product of the same name.
It carries the file name Amsdk.sys; version 1.0.600 is the vulnerable one. Security researchers at Check Point Research (CPR), who discovered the issue, said this driver had not previously been listed as problematic but was used in attacks against devices in East Asia.
Development of malware
In the attacks, the threat actors used the driver to terminate antivirus and EDR processes, after which they deployed ValleyRAT.
This malware acts as a backdoor used for cyber espionage, arbitrary command execution and data exfiltration.
Furthermore, CPR said Silver Fox used a separate driver, called zam.exe (from the Zemana Anti-Malware solution), to remain compatible across different systems including Windows 7, Windows 10 and Windows 11.
The researchers did not discuss how the victims ended up with the malware in the first place, but it is safe to assume that some phishing or social engineering was involved. The attackers used infrastructure located in China to host self-contained loader binaries that included anti-analysis functions, persistence mechanisms, both of the above-mentioned drivers, a hard-coded list of security processes to terminate, and ValleyRAT.
Check Point Research said that what started with the WatchDog Antimalware driver quickly evolved to include additional versions and types of drivers, all with the goal of evading detection.
WatchDog released an update that fixes the local privilege escalation flaw, but arbitrary process termination remains possible. Teams should therefore monitor Microsoft’s driver blocklist, use YARA detection rules and watch their networks for suspicious traffic and other activity.
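As an added example for the monitoring advice above (not code from the article or from Check Point Research), this PowerShell snippet enumerates the kernel drivers registered on a Windows host and flags the two driver file names the article mentions, checking the WatchDog driver's file version against the vulnerable 1.0.600 build; the SHA-256 list is a placeholder to be filled from a vendor advisory or Microsoft's vulnerable-driver blocklist, since the article gives no hashes.

```powershell
# Added example, not from the article. Driver names and the vulnerable version
# come from the article; $knownBadSha256 is a PLACEHOLDER to fill from a blocklist.
$watchList = @(
    @{ Name = 'Amsdk.sys'; VulnerableVersion = '1.0.600' },  # WatchDog Antimalware driver
    @{ Name = 'zam.exe';   VulnerableVersion = $null }       # Zemana Anti-Malware driver
)
$knownBadSha256 = @()   # PLACEHOLDER: SHA-256 values from the blocklist, none given in the article

$findings = foreach ($drv in Get-CimInstance Win32_SystemDriver) {
    # PathName is the registered image path; it may be empty or use NT-style prefixes
    if (-not $drv.PathName) { continue }
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $file = Get-Item -LiteralPath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    foreach ($w in $watchList) {
        $nameHit = $file.Name -ieq $w.Name
        # Version match only applies where the article names a vulnerable build
        $verHit  = $w.VulnerableVersion -and ($file.VersionInfo.FileVersion -like "$($w.VulnerableVersion)*")
        $hashHit = $knownBadSha256 -contains $hash

        # A hash hit catches a renamed copy that a name-only check would miss
        if ($nameHit -or $hashHit) {
            [pscustomobject]@{
                Service     = $drv.Name
                State       = $drv.State
                Path        = $path
                FileVersion = $file.VersionInfo.FileVersion
                Sha256      = $hash
                Reason      = @(if ($nameHit) { 'name' }; if ($verHit) { 'vulnerable-version' }; if ($hashHit) { 'hash' }) -join ','
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that driver image paths under System32 are readable; an empty result means no registered driver matched the watch list on that host.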
Via Infosecurity Magazine