- The Chinese threat group abused a vulnerable antimalware driver to disable antivirus and EDR tools
- The attackers also used a Zemana Anti-Malware driver (ZAM.exe) for broader compatibility across Windows versions
- Researchers urge IT teams to keep driver blocklists current, use YARA rules and monitor for suspicious activity
The Chinese hacking group Silver Fox has been observed abusing a previously trusted Windows driver to disable antivirus protections and deploy malware on target devices.
The latest driver to be misused in a so-called Bring Your Own Vulnerable Driver (BYOVD) attack is the WatchDog Antimalware driver, normally shipped as part of the security product of the same name.
The file is named amsdk.sys, and version 1.0.600 is the vulnerable build. Security researchers at Check Point Research (CPR), who discovered the issue, said the driver had not previously been flagged as a problem, yet it was being used in attacks against East Asian entities.
Malware influx
In the attacks, the threat actors used the driver to terminate antivirus and EDR processes, after which they deployed ValleyRAT.
This piece of malware acts as a backdoor that can be used for cyber-espionage, arbitrary command execution and data exfiltration.
In addition, CPR said Silver Fox used a separate driver, ZAM.exe (from the Zemana Anti-Malware product), to remain compatible across different systems, including Windows 7, Windows 10 and Windows 11.
The researchers did not discuss how the victims ended up with the malware in the first place, but it is reasonable to assume that phishing or some other form of social engineering was involved. The attackers used infrastructure hosted in China to serve self-contained loader binaries that bundled anti-analysis features, persistence mechanisms, both of the above-mentioned drivers, a hard-coded list of security processes to be terminated, and ValleyRAT.
Check Point Research noted that what started with the WatchDog Antimalware driver quickly evolved to include additional driver versions and types, all in an effort to evade detection.
WatchDog has released an update that fixes the local privilege escalation flaw, but arbitrary process termination remains possible. IT teams should therefore make sure the Microsoft vulnerable driver blocklist is enforced and kept current, use YARA detection rules and monitor their networks for suspicious traffic and other anomalous activity.
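A practical way to act on that advice is to check each Windows host for the two drivers named in the article and to confirm that Microsoft's vulnerable driver blocklist is actually being enforced. The following PowerShell script is an added example written for this page; it is not code from the article, from Check Point Research or from WatchDog. It assumes only the file names and version given above (amsdk.sys 1.0.600 and ZAM.exe) as indicators, uses Microsoft's documented Win32_SystemDriver and Win32_DeviceGuard CIM classes and the documented VulnerableDriverBlocklistEnable registry value, and must run from an elevated prompt.

```powershell
# Added example, not from the article or Check Point's report.
# Hunts for the drivers named in the article and reports whether the
# Microsoft vulnerable driver blocklist is enforced on this host.

# Indicators taken from the article. Treat this as a starting point, not a full IOC set:
# even the patched WatchDog driver still allows arbitrary process termination, so any
# hit is worth a look, not only the version marked as vulnerable.
$SuspectDrivers = @(
    @{ Pattern = '^amsdk\.sys$'; BadVersion = '1.0.600'; Note = 'WatchDog Antimalware driver abused by Silver Fox (BYOVD)' },
    @{ Pattern = '^zam\.exe$';   BadVersion = $null;     Note = 'Zemana Anti-Malware driver used for Win7/10/11 compatibility' }
)

function Resolve-DriverPath {
    # Service image paths come in NT-style forms; normalise them to Win32 paths.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot       # \SystemRoot\System32\drivers\x.sys
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"   # System32\drivers\x.sys
    return $p
}

function Get-SuspectDriverHits {
    # Enumerate every kernel driver service and match the image name against the indicator list.
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        $drv  = $_
        $path = Resolve-DriverPath $drv.PathName
        if (-not $path) { return }
        $leaf = Split-Path -Leaf $path
        foreach ($s in $SuspectDrivers) {
            if ($leaf -match $s.Pattern) {
                $ver = $null
                if (Test-Path -LiteralPath $path) {
                    $ver = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
                }
                [pscustomobject]@{
                    Service   = $drv.Name
                    Path      = $path
                    State     = $drv.State        # 'Running' means the driver is loaded right now
                    StartMode = $drv.StartMode
                    Version   = $ver
                    KnownBad  = [bool]($s.BadVersion -and $ver -and $ver.StartsWith($s.BadVersion))
                    Note      = $s.Note
                }
            }
        }
    }
}

function Get-DriverBlocklistStatus {
    # The blocklist is applied when HVCI is running, or when it is switched on explicitly
    # via the CI\Config registry value. On Windows 11 22H2 and later it is on by default,
    # so a missing registry value alone does not prove it is off; HVCI state is the stronger signal.
    $ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $reg   = Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    $hvci  = $false
    try {
        $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction Stop
        $hvci = ($dg.SecurityServicesRunning -contains 2)   # 2 = Hypervisor-protected Code Integrity
    } catch { }
    [pscustomobject]@{
        BlocklistRegistryEnabled = [bool]($reg.VulnerableDriverBlocklistEnable -eq 1)
        HvciRunning              = $hvci
        BlocklistEnforced        = $hvci -or ($reg.VulnerableDriverBlocklistEnable -eq 1)
    }
}

# Report blocklist state first, then any driver hits.
Get-DriverBlocklistStatus | Format-List

$hits = @(Get-SuspectDriverHits)
if ($hits.Count -eq 0) {
    'No driver services reference the images named in the article.'
} else {
    $hits | Format-Table -AutoSize
}
```

A hit with State 'Running' on a host that has no business running WatchDog or Zemana software is the interesting case; correlate it with recently terminated security processes and with outbound connections from the host. Because the WatchDog fix only closes the privilege escalation path, the driver's presence is still a reason to check how it got there even when KnownBad is false.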
Via Infosecurity Magazine