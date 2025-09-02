Threat Intelligence, Malware
ValleyRAT backdoor spread via Microsoft-signed drivers
Chinese advanced persistent threat group Silver Fox has abused Microsoft-signed drivers to covertly install the modular ValleyRAT backdoor, reports Infosecurity Magazine. According to a Check Point Research analysis, attacks against modern Windows environments used a Microsoft-signed WatchDog Antimalware driver to terminate antivirus and endpoint detection and response (EDR) processes before injecting ValleyRAT for surveillance and data theft. A second, Zemana-based driver covered legacy Windows 7 hosts, so the loader's two drivers together let Silver Fox compromise systems from Windows 7 through Windows 11. Check Point also found Silver Fox deploying an altered copy of the patched WatchDog driver: the change alters the file's hash, so hash-based blocklists no longer match it, while the Microsoft signature remains valid. This is the Bring Your Own Vulnerable Driver (BYOVD) pattern, and the practical lesson for defenders is that a hash blocklist alone is not enough; watch for signed drivers loading from unusual paths, compare driver names and signers against known-vulnerable families rather than hashes only, and correlate unexpected driver loads with terminations of security-product processes. "Our research reinforces the need for ongoing efforts of security vendors and users to stay vigilant against the emerging abuse of legitimate drivers. Proactive identification, reporting and patching of these vulnerabilities are critical to strengthening Windows systems against evolving threats leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques," said Check Point Research.
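The detection a defender would want for the pattern described above, written as an added example rather than code from Check Point or from the article: a small correlation rule run over constructed Sysmon-style events (driver load, Event ID 6; process terminate, Event ID 5). It flags a driver whose hash is on a vulnerable-driver list, flags a driver with a known-vulnerable file name but an unknown hash (the re-hashed, still-signed variant case that hash-only blocklists miss), and raises severity when security-product processes are terminated within 60 seconds of the load. The driver names, hashes, paths and the list of security processes are hypothetical; the log line format is a simplified key=value rendering, not Sysmon's XML; the signer string is the Microsoft WHCP publisher name such drivers carry.

```python
"""Correlate suspicious driver loads with security-process kills (BYOVD 'EDR-kill' pattern).

Added example, not Check Point's or the article's code. All event lines, hashes,
file names and process names below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Hypothetical vulnerable-driver list keyed by SHA-256 (placeholder digests, not real ones).
VULNERABLE_DRIVER_HASHES = {
    "1" * 64: "zam_legacy.sys",   # stands in for a known-vulnerable Zemana-based driver
    "2" * 64: "wd_av.sys",        # stands in for the original vulnerable WatchDog driver
}
# File names of known-vulnerable driver families, used to catch re-hashed variants.
VULNERABLE_DRIVER_NAMES = set(VULNERABLE_DRIVER_HASHES.values())
# Security-product processes an attacker would terminate (constructed list, lower-cased).
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "edr_svc.exe"}
CORRELATION_WINDOW = timedelta(seconds=60)

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry: one altered (re-hashed) driver followed by EDR kills,
# one benign Microsoft driver, and one blocklisted driver with no kills in the window.
SAMPLE_LOG = r"""
2025-09-02T10:00:00Z EID=5 Image=C:\Windows\System32\notepad.exe
2025-09-02T10:00:01Z EID=6 ImageLoaded=C:\Windows\Temp\wd_av.sys Signed=true Signature="Microsoft Windows Hardware Compatibility Publisher" SHA256=3333333333333333333333333333333333333333333333333333333333333333
2025-09-02T10:00:04Z EID=5 Image="C:\Program Files\Windows Defender\MsMpEng.exe"
2025-09-02T10:00:05Z EID=5 Image="C:\Program Files\EDR\edr_svc.exe"
2025-09-02T10:01:30Z EID=6 ImageLoaded=C:\Windows\System32\drivers\ntfs.sys Signed=true Signature="Microsoft Windows" SHA256=abcdef0000000000000000000000000000000000000000000000000000000000
2025-09-02T10:30:00Z EID=6 ImageLoaded=C:\ProgramData\zam_legacy.sys Signed=true Signature="Zemana Ltd." SHA256=1111111111111111111111111111111111111111111111111111111111111111
2025-09-02T10:35:00Z EID=5 Image="C:\Program Files\Windows Defender\MsMpEng.exe"
"""


def parse_event(line):
    """Parse '<timestamp> EID=n key=value ...' into a dict; quoted values may contain spaces."""
    ts_str, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def classify_driver_load(ev):
    """Return (reason, driver_name) if the driver load is suspicious, else None."""
    sha = ev.get("SHA256", "").lower()
    name = ev.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
    if sha in VULNERABLE_DRIVER_HASHES:
        return "known-vulnerable driver (hash match)", name
    if name in VULNERABLE_DRIVER_NAMES:
        # Same file name, unknown hash: a vendor-patched build or an attacker-altered copy
        # whose Authenticode signature still validates. A hash-only blocklist misses this.
        return "known-vulnerable driver name with unknown hash (possible altered variant)", name
    return None


def detect_byovd(lines):
    """Flag suspicious driver loads; escalate when security processes die shortly after."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev.get("EID") != "6":
            continue
        verdict = classify_driver_load(ev)
        if verdict is None:
            continue
        reason, name = verdict
        killed = []
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > CORRELATION_WINDOW:
                break  # events are time-sorted, so nothing further is in the window
            if later.get("EID") == "5":
                img = later.get("Image", "").rsplit("\\", 1)[-1]
                if img.lower() in SECURITY_PROCESSES:
                    killed.append(img)
        alerts.append({
            "driver": name,
            "reason": reason,
            "killed": killed,
            "severity": "high" if killed else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_byovd(SAMPLE_LOG.splitlines()):
        print(alert)
```

The name-based rule is deliberately separate from the hash rule: a vendor's patched driver will also trip it, so treat that alert as "verify the hash against the vendor's published build" rather than as proof of compromise, and let the process-kill correlation carry the severity.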
