A large-scale malware campaign has been found leveraging a vulnerable Windows driver associated with Adlice’s product suite to sidestep detection efforts and deliver the Gh0st RAT malware.
“To further evade detection, the attackers deliberately generated multiple variants (with different hashes) of the 2.0.2 driver by modifying specific PE parts while keeping the signature valid,” Check Point said in a new report published Monday.
The cybersecurity company said the malicious activity involved thousands of first-stage malicious samples that are used to deploy a program capable of terminating endpoint detection and response (EDR) software by means of what’s called a bring your own vulnerable driver (BYOVD) attack.
As many as 2,500 distinct variants of the legacy version 2.0.2 of the vulnerable RogueKiller Antirootkit Driver, truesight.sys, have been identified on the VirusTotal platform, although the number is believed to be likely higher. The EDR-killer module was first detected and recorded in June 2024.
The issue with the Truesight driver, an arbitrary process termination bug affecting all versions below 3.4.0, has been previously weaponized to devise proof-of-concept (PoC) exploits such as Darkside and TrueSightKiller that are publicly available since at least November 2023.
In March 2024, SonicWall revealed details of a loader called DBatLoader that was found to have utilized the truesight.sys driver to kill security solutions before delivering the Remcos RAT malware.
There is some evidence to suggest that the campaign could be the work of a threat actor called the Silver Fox APT due to some level of overlaps in the execution chain and the tradecraft employed, including the “infection vector, execution chain, similarities in initial-stage samples […], and historical targeting patterns.”
The attack sequences involve the distribution of first-stage artifacts that are often disguised as legitimate applications and propagated via deceptive websites offering deals on luxury products and fraudulent channels in popular messaging apps like Telegram.
The samples act as a downloader, dropping the legacy version of the Truesight driver, as well as the next-stage payload that mimics common file types, such as PNG, JPG, and GIF. The second-stage malware then proceeds to retrieve another malware that, in turn, loads the EDR-killer module and the Gh0st RAT malware.
“While the variants of the legacy Truesight driver (version 2.0.2) are typically downloaded and installed by the initial-stage samples, they can also be deployed directly by the EDR/AV killer module if the driver is not already present on the system,” Check Point explained.
“This indicates that although the EDR/AV killer module is fully integrated into the campaign, it is capable of operating independently of the earlier stages.”
The module employs the BYOVD technique to abuse the susceptible driver for the purpose of terminating processes related to certain security software. In doing so, the attack offers an advantage in that it bypasses the Microsoft Vulnerable Driver Blocklist, a hash value-based Windows mechanism designed to protect the system against known vulnerable drivers.
The attacks culminated with the deployment of a variant of Gh0st RAT called HiddenGh0st, which is designed to remotely control compromised systems, giving attackers a way to conduct data theft, surveillance, and system manipulation.
As of December 17, 2024, Microsoft has updated the driver blocklist to include the driver in question, effectively blocking the exploitation vector.
“By modifying specific parts of the driver while preserving its digital signature, the attackers bypassed common detection methods, including the latest Microsoft Vulnerable Driver Blocklist and LOLDrivers detection mechanisms, allowing them to evade detection for months,” Check Point said.
“Exploiting Arbitrary Process Termination vulnerability allowed the EDR/AV killer module to target and disable processes commonly associated with security solutions, further enhancing the campaign’s stealth.”
