- Check Point uncovers a major hacking campaign aimed at hundreds of thousands of devices
- The campaign abused a vulnerable but validly signed Windows driver
- Allowed criminals to disable antivirus programs and compromise endpoints
A large cybercriminal campaign has been observed using outdated and vulnerable Windows drivers to deploy malware on victims' machines. The campaign originated in China, and most of its victims are also in China.
An in-depth report published by cybersecurity researchers at Check Point says the attackers identified a vulnerability in the TRUESIGHT.SYS driver, version 2.0.2. This older version is known to allow arbitrary process termination.
The criminals created more than 2,500 unique variants of the driver that each retain a valid signature, and therefore avoid detection by antivirus programs.
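Because each of those variants carries a different file hash, a hash-only blocklist catches at most the samples already seen. The example below, added here and not taken from the article or from Check Point's report, triages constructed Sysmon Event ID 6 (driver loaded) records by both hash and driver name to show the difference; the Sysmon field names (ImageLoaded, Hashes, Signed, SignatureStatus) are real, while the sample records and hash values are constructed placeholders.

```python
import ntpath
import re

# Constructed sample Sysmon Event ID 6 (driver loaded) records, flattened to
# key=value form as a SIEM export might present them. Paths contain no spaces
# to keep the toy parser simple; hashes are placeholders, not campaign IoCs.
SAMPLE_EVENTS = [
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\truesight.sys Hashes=SHA256=AAAA0001 Signed=true SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Users\\Public\\tmp\\truesight.sys Hashes=SHA256=AAAA0002 Signed=true SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Users\\Public\\tmp\\TrueSight.SYS Hashes=SHA256=AAAA0003 Signed=true SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Hashes=SHA256=BBBB0001 Signed=true SignatureStatus=Valid",
    "EventID=7 Image=C:\\Progs\\app\\app.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll Hashes=SHA256=CCCC0001 Signed=true SignatureStatus=Valid",
]

# Hash blocklist holding the one sample we have seen. Every re-signed variant
# carries a different file hash, so this list alone catches only that sample.
KNOWN_BAD_HASHES = {"AAAA0001"}
# Name-based rule: the abused driver is truesight.sys, so key on the image
# name (case-insensitive) regardless of hash or signature validity.
WATCHED_DRIVER_NAMES = {"truesight.sys"}

def parse_event(line):
    """Turn 'Key=Value Key=Value ...' into a dict; 'Hashes=SHA256=...' keeps its inner '='."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def sha256_of(event):
    """Pull SHA256 out of Sysmon's comma-separated Hashes field ('SHA256=...,MD5=...')."""
    hashes = dict(part.partition("=")[::2] for part in event.get("Hashes", "").split(","))
    return hashes.get("SHA256")

def classify_driver_load(event):
    """Return 'hash' or 'name' for the rule that fires on a driver load, else None."""
    if event.get("EventID") != "6":
        return None  # Event 7 is a user-mode image load, not a driver
    if sha256_of(event) in KNOWN_BAD_HASHES:
        return "hash"  # the exact sample already on the blocklist
    if ntpath.basename(event.get("ImageLoaded", "")).lower() in WATCHED_DRIVER_NAMES:
        return "name"  # a variant: valid signature, hash not on any list
    return None

def triage(lines):
    """Group flagged driver loads by the rule that caught them."""
    hits = {"hash": [], "name": []}
    for event in map(parse_event, lines):
        rule = classify_driver_load(event)
        if rule:
            hits[rule].append(event["ImageLoaded"])
    return hits

print(triage(SAMPLE_EVENTS))
```

On the constructed records the hash rule fires once and the name rule twice, which is the gap a hash-only blocklist leaves against re-signed variants.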
Hundreds of thousands of victims
They then set up their C2 infrastructure on servers located in China and hosted the vulnerable drivers there. Victims were targeted through phishing and social engineering, such as fake offers on luxury goods and similar items. Once a victim downloaded the vulnerable driver and the initial piece of malware, their security software would be remotely disabled and additional payloads dropped, giving the attackers full control over the infected machines.
Check Point did not say how many people were attacked, but suggested that the campaign was massive, potentially reaching hundreds of thousands of devices. While most victims (75%) are in China, the rest are spread across other Asian regions such as Singapore and Taiwan.
The first steps (setting up the infrastructure) were carried out in September 2024, the researchers explained, suggesting that the campaign has been active for at least half a year. In mid-December last year, Microsoft updated its vulnerable driver blocklist, preventing further exploitation of the flawed driver.
The threat actor behind this campaign is probably a group called Silver Fox, a financially motivated group that is not state-sponsored.
Check Point says that the execution chain, as well as the tactics, techniques and procedures (TTPs), are very similar to those of a September 2024 campaign attributed to Silver Fox. In addition, the group is known for using Chinese public cloud servers to host payloads and C2, and for attacking victims in the Asian region.