- Check Point has uncovered a large hacking campaign targeting hundreds of thousands of devices
- The campaign exploited a vulnerable but validly signed Windows driver
- It let the attackers disable antivirus software and take over endpoints
A huge cybercriminal campaign has been spotted using outdated, vulnerable Windows drivers to deploy malware on victims' machines. The campaign originates in China, and most of its victims are located in China as well.
An in-depth report published by Check Point researchers says the attackers abused a known weakness in version 2.0.2 of the Truesight.sys driver, an older release that allows arbitrary process termination. This is the bring-your-own-vulnerable-driver (BYOVD) pattern: because the driver carries a valid signature, Windows loads it like any other driver, and the damage is done by what the driver is then asked to do, namely killing the processes of security products.
The attackers generated more than 2,500 unique variants of the driver. Each variant has a different file hash but still carries the same valid signature, so hash-based antivirus detection treats every copy as a new, unknown file while Windows continues to accept it as properly signed.
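The following is an added example (my code, not Check Point's tooling and not the driver in question) showing one mechanism by which a signed PE file can be given many distinct file hashes without disturbing its Authenticode signature: bytes appended inside the attribute certificate table, after the PKCS#7 blob, lie outside the region Authenticode hashes. The report does not say which bytes the attackers changed, so read this as a demonstration of the hashing rules rather than as a description of the campaign's variants. The PE image is constructed inline and is not loadable; `cert_payload` stands in for a real signature. Whether Windows treats such padded files as validly signed depends on the opt-in certificate padding check (MS13-098, the `EnableCertPaddingCheck` registry value), which is a separate question from the hash computation shown here.

```python
import hashlib
import struct

FILE_ALIGN = 512  # file alignment used by the constructed sample


def build_pe(section_data: bytes, cert_payload: bytes) -> bytes:
    """Assemble a minimal, non-loadable PE32+ file: 512 bytes of headers, one
    section, then an attribute certificate table wrapping cert_payload.
    Constructed sample; cert_payload stands in for a real PKCS#7 signature."""
    assert len(section_data) == FILE_ALIGN
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+ magic
    struct.pack_into("<I", opt, 56, 0x3000)                # SizeOfImage
    struct.pack_into("<I", opt, 60, FILE_ALIGN)            # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    body = cert_payload + b"\0" * (-(8 + len(cert_payload)) % 8)       # entries are 8-byte aligned
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body   # WIN_CERTIFICATE header
    cert_off = FILE_ALIGN + len(section_data)
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(cert))    # Security data directory (index 4)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, len(section_data),
                       FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers + b"\0" * (FILE_ALIGN - len(headers)) + section_data + cert


def _security_dir(pe: bytes):
    """Return (optional header offset, Security directory entry offset) for PE32/PE32+."""
    opt = struct.unpack_from("<I", pe, 0x3C)[0] + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    return opt, opt + (112 if magic == 0x20B else 96) + 4 * 8


def authenticode_hash(pe: bytes) -> str:
    """SHA-256 of the bytes an Authenticode signature actually covers: headers
    minus CheckSum and the Security directory entry, sections in file order,
    then trailing data minus the certificate table (assumed to sit at the end)."""
    opt, secdir = _security_dir(pe)
    coff = opt - 20
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir)
    assert cert_size == 0 or cert_off + cert_size == len(pe), "cert table not at tail"
    h = hashlib.sha256()
    h.update(pe[:opt + 64])                                 # everything up to CheckSum
    h.update(pe[opt + 68:secdir])                           # after CheckSum, up to the Security entry
    h.update(pe[secdir + 8:size_of_headers])                # rest of the headers
    hashed = size_of_headers
    sections = [struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)
                for i in range(n_sections)]                 # (SizeOfRawData, PointerToRawData)
    for raw_size, raw_ptr in sorted(sections, key=lambda s: s[1]):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    tail_end = len(pe) - cert_size
    if tail_end > hashed:                                   # overlay data, excluding the cert table
        h.update(pe[hashed:tail_end])
    return h.hexdigest()


def pad_certificate_table(pe: bytes, filler: bytes) -> bytes:
    """Produce a byte-different 'variant': append filler inside the attribute
    certificate table (after the signature blob) and fix up dwLength and the
    Security directory size. Nothing the signature covers changes."""
    opt, secdir = _security_dir(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir)
    filler += b"\0" * (-len(filler) % 8)
    out = bytearray(pe[:cert_off + cert_size]) + filler
    struct.pack_into("<I", out, cert_off, cert_size + len(filler))
    struct.pack_into("<II", out, secdir, cert_off, cert_size + len(filler))
    return bytes(out)


def cluster_by_signed_content(samples: dict) -> dict:
    """Hunting helper: group {name: bytes} by Authenticode hash so that variants
    differing only in unsigned bytes collapse into one bucket."""
    groups = {}
    for name, pe in samples.items():
        groups.setdefault(authenticode_hash(pe), []).append(name)
    return groups


if __name__ == "__main__":
    base = build_pe(b"\x90" * FILE_ALIGN, b"constructed PKCS#7 placeholder")
    variants = {f"variant-{i:04d}.sys": pad_certificate_table(base, f"junk-{i}".encode())
                for i in range(3)}
    variants["original.sys"] = base
    print({n: hashlib.sha256(p).hexdigest()[:16] for n, p in variants.items()})  # four different file hashes
    print(cluster_by_signed_content(variants))                                   # one Authenticode bucket
```

Flat file hashes see every variant as a new file, which is the point of producing thousands of them. Hunting by Authenticode hash, as `cluster_by_signed_content` does, collapses all variants with identical signed content into one entry; this is also the form in which WDAC-style hash rules, including the driver blocklist Microsoft ships, identify a file.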
Hundreds of thousands of victims
The attackers then set up their C2 infrastructure on servers located in China and hosted the vulnerable drivers there. Victims were targeted through phishing and social engineering, with fake deals on luxury goods and similar lures. Once a victim had downloaded the vulnerable driver and the initial malware, their security software was disabled remotely and additional payloads were dropped, giving the attackers full control of the infected machine.
Check Point did not say how many people were targeted, but suggested the campaign was massive, potentially affecting hundreds of thousands of devices. Although most victims (75%) are in China, the rest are spread across the Asian region, including Singapore, Taiwan and other nearby countries.
The first stage (setting up the infrastructure) was carried out in September 2024, the researchers explained, which suggests the campaign has been active for at least half a year. In mid-December of last year, Microsoft updated its vulnerable driver blocklist, preventing the flawed driver from loading on systems where the blocklist is enforced. Whether that protects a given host depends on the blocklist being enforced there: it is on by default on recent Windows 11 releases and on systems running HVCI or Smart App Control, and can be enabled elsewhere from the Core isolation settings in Windows Security.
The threat actor behind this campaign is probably a group called Silver Fox, a financially motivated group rather than a state-sponsored one.
Check Point notes that the execution chain, as well as the tactics, techniques and procedures (TTPs), closely resemble a September 2024 campaign that was attributed to Silver Fox. The group is also known to use Chinese public cloud servers to host payloads and C2, and to target victims in the Asian region.