Huge cyberattack found hitting vulnerable Microsoft-signed legacy drivers to get past security
- Check Point uncovers major hacking campaign, targeting hundreds of thousands of devices
- The campaign leveraged a vulnerable, but signed, Windows driver
- It allowed crooks to disable antivirus programs and take over endpoints
A huge cybercriminal campaign has been spotted utilizing outdated and vulnerable Windows drivers to deploy malware against victims. The campaign originated in China, and the majority of the victims are also located in China.
An in-depth article published by cybersecurity researchers Check Point said the attackers identified a vulnerability in the Truesight.sys driver, version 2.0.2. This is an older version, known to allow arbitrary process termination.
The crooks created more than 2,500 unique variants of the driver, to maintain its valid signature and thus avoid being picked up by antivirus programs.
Hundreds of thousands of victims
They then set up their C2 infrastructure using servers located in China, and hosted the vulnerable drivers. The victims would then be targeted through phishing and social engineering, being offered fake deals on luxury goods, and similar. Once they download the vulnerable driver and the initial piece of malware, their security programs would be remotely disabled, and additional payloads dropped, granting the attackers full control over infected machines.
Check Point did not say how many people were targeted, but suggested that the campaign was massive, potentially hitting hundreds of thousands of devices. While the majority of the victims (75%) are in China, the rest is spread across Asian regions such as Singapore, Taiwan, and similar.
The first steps (setting up the infrastructure) were made in September 2024, the researchers explained, hinting that the campaign is active for at least half a year. In mid-December last year, Microsoft updated its Vulnerable Driver Blocklist, preventing further exploitation of the flawed driver.
The threat actor behind this campaign is most likely a group called Silver Fox, a financially motivated group, and not a state-sponsored one.
Check Point says the execution chain, as well as tactics, techniques, and procedures (TTP) closely resemble a September 2024 campaign that was attributed to Silver Fox. What’s more, the group is known for using Chinese public cloud servers to host payloads and C2, as well as for targeting victims in the Asian region.
You might also like
Check Point uncovers major hacking campaign, targeting hundreds of thousands of devices The campaign leveraged a vulnerable, but signed, Windows driver It allowed crooks to disable antivirus programs and take over endpoints A huge cybercriminal campaign has been spotted utilizing outdated and vulnerable Windows drivers to deploy malware against victims.…
