The threat actor known as Silver Fox has been identified as exploiting the WatchDog antimalware driver, specifically version 1.0.600 of amsdk.sys, to compromise various systems in East Asia. This driver, trusted due to its origin from legitimate software, was leveraged to disable antivirus and Endpoint Detection and Response (EDR) systems, allowing attackers to implant their ValleyRAT malware unhindered.
Attack Strategy and Execution
Silver Fox's modus operandi involved using the driver to terminate security processes on the targeted devices. The vulnerability exploited allowed them to open backdoors, providing a gateway for the remote execution of commands and data theft. ValleyRAT, the malware of choice in these operations, enabled Silver Fox to maintain control over compromised devices effectively.
Additionally, to ensure their attack could span across various Windows platforms, Silver Fox made use of another anti-malware driver from Zemana, known as ZAM.exe. This strategic move ensured the compatibility and efficacy of their tools across different system configurations.
Delivery and Deployment
According to Check Point Research, the attackers have been identified as leveraging a robust infrastructure based in China to host their self-contained loader binaries. These loaders not only incorporated anti-analysis features to evade detection but were also equipped with persistence mechanisms. Integral to this setup were both the WatchDog and Zemana drivers, alongside a hardcoded registry of security processes marked for termination.
The attack vector likely followed through traditional means such as phishing or social engineering, methods commonly employed to gain initial access to the systems by deceiving unsuspecting users.
Preventive Measures and Recommendations
In response to these sophisticated attacks, WatchDog has released an update addressing the local privilege escalation flaw present in the driver. However, it is important to note that the risk of arbitrary process termination remains a concern. To counteract this vulnerability, Check Point Research has recommended several key measures that IT departments should adopt.
- First, updating driver blocklists is crucial to prevent the exploitation of such vulnerabilities.
- Second, deploying YARA detection rules will aid in identifying and mitigating threats quickly.
- Lastly, continuous monitoring of networks and endpoints for signs of suspicious activity and traffic is advised, ensuring that any anomalies are detected and nullified promptly.
By implementing these strategies, organizations can bolster their defenses against cyber threats similar to those orchestrated by Silver Fox, safeguarding their critical systems and sensitive data from being compromised.
