Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware
Briefly

"The threat actor known as Silver Fox has been attributed to abuse of a previously unknown vulnerable driver associated with WatchDog Anti-malware as part of a Bring Your Own Vulnerable Driver (BYOVD) attack aimed at disarming security solutions installed on compromised hosts. The vulnerable driver in question is "amsdk.sys" (version 1.0.600), a 64-bit, validly signed Windows kernel device driver that's assessed to be built upon Zemana Anti-Malware SDK."
""This driver, built on the Zemana Anti-Malware SDK, was Microsoft-signed, not listed in the Microsoft Vulnerable Driver Blocklist, and not detected by community projects like LOLDrivers," Check Point said in an analysis. The attack is characterized by a dual-driver strategy, where a known vulnerable Zemana driver ("zam.exe") is used for Windows 7 machines, and the undetected WatchDog driver for systems that run on Windows 10 or 11."
Silver Fox exploited a previously unknown vulnerable driver, amsdk.sys (v1.0.600), a Microsoft-signed 64-bit WatchDog Anti-malware kernel driver built on the Zemana Anti-Malware SDK. The campaign uses a dual-driver BYOVD strategy, deploying a known vulnerable Zemana driver (zam.exe) for Windows 7 and the undetected WatchDog driver for Windows 10/11 to evade detection. The WatchDog driver allows termination of arbitrary processes without PP/PPL verification and enables local privilege escalation to access the driver's device. An all-in-one loader carries anti-analysis measures, two embedded drivers, antivirus-killer logic, and a ValleyRAT DLL downloader to neutralize endpoint protections and enable persistence.
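As an added defender-side example (not code from the article or from Check Point), the scanner below walks constructed Sysmon Event ID 6 (DriverLoad) records and flags loads of the two driver names the page cites, treating a valid signature as no exoneration; the expected-directory heuristic, the field subset and the sample records are assumptions for the demo.

```python
"""Flag driver loads matching the Silver Fox BYOVD write-up.

Added example, not from the article or Check Point. Records mimic a few
fields of Sysmon Event ID 6 (DriverLoad); the values are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Driver file names taken from the page: "amsdk.sys" (WatchDog, built on the
# Zemana SDK, Microsoft-signed) and "zam.exe" (the page's name for the older
# Zemana driver). No hashes are hard-coded on purpose: the lesson of this
# campaign is that a valid signature and absence from the Microsoft Vulnerable
# Driver Blocklist do not clear a driver, so match on name, then review.
WATCHLIST = {"amsdk.sys", "zam.exe"}

# Assumed location a legitimately installed AV kernel driver would load from.
EXPECTED_DIRS = (r"C:\Windows\System32\drivers",)


@dataclass
class Finding:
    image: str
    reason: str


def assess(record: dict) -> Optional[Finding]:
    """Return a Finding when a DriverLoad record deserves analyst review."""
    image = record["ImageLoaded"]
    path = PureWindowsPath(image)
    name = path.name.lower()
    parent = str(path.parent).lower()
    signed = record.get("Signed", "false").lower() == "true"
    if name in WATCHLIST:
        status = "validly signed" if signed else "unsigned"
        return Finding(image, f"known BYOVD driver name {name} ({status})")
    if signed and parent not in (d.lower() for d in EXPECTED_DIRS):
        return Finding(image, "signed driver loaded from unexpected directory")
    return None


def scan(records) -> list:
    """Apply assess() to every record and keep only the hits."""
    return [f for f in (assess(r) for r in records) if f is not None]


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"ImageLoaded": r"C:\Windows\System32\drivers\disk.sys", "Signed": "true"},
    {"ImageLoaded": r"C:\ProgramData\svc\amsdk.sys", "Signed": "true"},
    {"ImageLoaded": r"C:\Users\Public\zam.exe", "Signed": "true"},
    {"ImageLoaded": r"C:\Temp\helper.sys", "Signed": "true"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.image}: {hit.reason}")
```

The name match is intentionally loud: a renamed copy of the same driver would need hash or version checks on the PE itself, which this record subset does not carry.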
Read at The Hacker News