Hackers have weaponized the TrueSight driver to disable Windows security tools before deploying ransomware and malware. This wide-scale attack involves bypassing protections to disable endpoint detection and response (EDR) and antivirus solutions across Windows systems, using legitimate drivers named truesight.sys from Adlice Software.
Massive Driver Abuse
Researchers from Check Point and MagicSword have noted that exploitation of the TrueSight driver has become a common strategy among various threat groups. The campaign uses over 2,500 signed driver variants to evade hash-based detection. Although signed only with legacy certificates, the drivers still load and run with kernel-level privileges, and are used to disable security software. Affected systems include modern Windows 11 machines, where the driver, once loaded, terminates key security processes without raising alerts.
Global Reach and Methodology
The abuse of TrueSight is not limited to one group or region. Both financially motivated attackers and advanced persistent threat (APT) groups are employing the method to deliver ransomware and remote access Trojans. The attack typically begins with phishing that leads to a disguised installer, which in turn downloads additional malicious components. The malicious module installs the TrueSight driver as a Windows service and uses it to disable over 200 security products, including Microsoft Defender and Kaspersky. The method allows attackers to execute ransomware with little to no resistance within 30 minutes of initial infiltration.
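The step that leaves the clearest trace on a host is the installation of the driver as a Windows service, which Windows records in the System log as Event ID 7045 ("A service was installed in the system") with the service type "kernel mode driver". The following detector is an added example, not code from the article or from any of the researchers it cites. It runs over constructed 7045 records flattened to one line each; the field names mirror the real event, but the records, the one-line format, and the list of "trusted" driver directories are assumptions made for this demo. The article names truesight.sys as the abused file, so the detector flags that name directly; because the campaign ships thousands of variants, it also applies a second, name-independent check (a kernel driver installed from a path outside the system drivers directory), which is the heuristic a defender would want alongside Microsoft's vulnerable driver blocklist.

```python
"""Flag kernel-driver service installs that look like BYOVD abuse of truesight.sys.

Added example (not from the original article). Input: Windows System-log
Event ID 7045 records flattened to "7045|key=value|key=value" lines. The
field names follow the real event; the records below are constructed.
"""
from dataclasses import dataclass, field

# Constructed sample records (not real telemetry). One service install each.
SAMPLE_EVENTS = [
    "7045|ServiceName=TrueSight|ImagePath=\\??\\C:\\Users\\Public\\truesight.sys"
    "|ServiceType=kernel mode driver|StartType=demand start",
    "7045|ServiceName=WdFilter|ImagePath=system32\\drivers\\WdFilter.sys"
    "|ServiceType=kernel mode driver|StartType=boot start",
    "7045|ServiceName=UpdaterSvc|ImagePath=C:\\Program Files\\Updater\\svc.exe"
    "|ServiceType=user mode service|StartType=auto start",
    "7045|ServiceName=RogueDrv|ImagePath=C:\\Users\\bob\\AppData\\Local\\Temp\\abc.sys"
    "|ServiceType=kernel mode driver|StartType=demand start",
]

# Driver file name the article reports as abused. Name matching alone is weak
# (a variant can be renamed), so the path heuristic below complements it.
KNOWN_ABUSED_DRIVERS = {"truesight.sys"}

# Assumption for this demo: directories a legitimately installed kernel driver
# normally loads from. Anything else is worth a second look.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "system32\\drivers\\",
    "\\systemroot\\system32\\drivers\\",
)


@dataclass
class Finding:
    service: str
    image_path: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Split a flattened '7045|k=v|k=v' line into a dict (EventID plus fields)."""
    parts = line.split("|")
    rec = {"EventID": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def normalize_path(path):
    """Lower-case the image path and strip the NT '\\??\\' prefix 7045 often carries."""
    path = path.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def analyze(rec):
    """Return a Finding for a suspicious kernel-driver install, else None."""
    if rec.get("EventID") != "7045":
        return None
    if rec.get("ServiceType", "").lower() != "kernel mode driver":
        return None  # user-mode services are out of scope for this check
    path = normalize_path(rec.get("ImagePath", ""))
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if name in KNOWN_ABUSED_DRIVERS:
        reasons.append("image name matches known abused driver")
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("kernel driver installed from outside system32\\drivers")
    if not reasons:
        return None
    return Finding(rec.get("ServiceName", "?"), path, reasons)


def scan(lines):
    """Run analyze() over every record and keep the findings."""
    return [f for f in (analyze(parse_event(line)) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.service}: {finding.image_path} -> {'; '.join(finding.reasons)}")
```

On a real host the same records are available from the System log (for example via Get-WinEvent filtering on Event ID 7045), and the two checks map naturally onto the two mitigations a defender controls: blocking the known driver (Microsoft's vulnerable driver blocklist or a WDAC policy) and alerting on kernel drivers that load from user-writable locations.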
Impact on Enterprises
The technique's effectiveness is amplified by the large number of signed driver variants and by its high evasion rate against traditional antivirus solutions. This represents a significant risk for enterprises: the driver can terminate security processes within seconds, clearing the way for the deployment of ransomware such as HiddenGh0st, and the intrusion often goes unnoticed until after encryption or data exfiltration.