- The Chinese threat group abused a vulnerable WatchDog antimalware driver to disable antivirus and EDR tools
- The attackers also used a Zemana (Zam.exe) antimalware driver for wider compatibility across Windows versions
- Researchers urge IT teams to update block lists, use YARA rules and monitor for suspicious activity
Chinese hackers Silver Fox have been seen abusing a previously trusted Windows driver to disable antivirus protections and deploy malware on target devices.
The latest driver abused in the old "bring your own vulnerable driver" (BYOVD) attack is from WatchDog Antimalware, normally part of the security solution of the same name.
It carries the file name AMSDK.SYS, with version 1.0.600 being the vulnerable one. Security experts at Check Point Research (CPR), who found the problem, said this driver had not previously been flagged as problematic, but was used in attacks against entities in East Asia.
Evolving malware
In the attacks, the threat actors used the driver to terminate antivirus and EDR tools, after which ValleyRAT was deployed.
This piece of malware acts as a backdoor that can be used for cyber-espionage, execution of arbitrary commands, and data exfiltration.
In addition, CPR said Silver Fox used a separate driver, called Zam.exe (from the Zemana antimalware solution), to remain compatible across different systems, including Windows 7, Windows 10 and Windows 11.
The researchers did not discuss how the victims ended up with the malware in the first place, but it is safe to assume some phishing or social engineering was involved. The criminals used infrastructure located in China to host standalone loader binaries that included anti-analysis features, persistence mechanisms, the two drivers mentioned above, a hard-coded list of security processes to terminate, and ValleyRAT.
Check Point Research said that what began with the WatchDog antimalware driver quickly evolved to include additional driver versions and types, all aimed at evading detection.
WatchDog released an update that fixes the local privilege escalation flaw; however, arbitrary process termination remains possible. IT teams should therefore make sure they monitor the Microsoft driver block list, use YARA detection rules, and monitor their network for suspicious traffic and/or other activity.
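The monitoring advice above can be turned into a concrete detection: watch for loads of the driver file names the article mentions (amsdk.sys at the vulnerable version 1.0.600, and zam.exe) and raise the severity when a security product's process is terminated shortly afterwards. The script below is an added example, not code from Check Point Research, WatchDog or Infosecurity Magazine. It assumes Sysmon-style telemetry flattened into one constructed line per event (EventID 6 for driver loads, EventID 5 for process terminations); the sample events, the five-minute correlation window and the Microsoft Defender process names used as "security processes" are all illustrative choices made here.

```python
import re
from datetime import datetime, timedelta

# Driver file names taken from the article. amsdk.sys is named as vulnerable at
# version 1.0.600; the article gives no version for zam.exe, so every load of it
# is flagged (assumption made for this example).
VULNERABLE_DRIVERS = {
    "amsdk.sys": {"1.0.600"},
    "zam.exe": None,  # None = flag any version
}

# Illustrative security process names (Microsoft Defender components). A real
# deployment would list the processes of its own AV/EDR agents.
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe"}

# A security-process termination this soon after a flagged driver load is
# correlated with it (assumed window).
CORRELATION_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) (.*)$")
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")  # key=value pairs, values may contain spaces

# Constructed sample events (not real telemetry). Line 3 is a non-vulnerable
# version of the same driver and must not be flagged.
CONSTRUCTED_EVENTS = [l.strip() for l in r"""
2025-09-01T10:00:01Z EventID=6 ImageLoaded=C:\Windows\Temp\amsdk.sys FileVersion=1.0.600 Signed=true
2025-09-01T10:00:03Z EventID=5 Image=C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe
2025-09-01T10:05:00Z EventID=6 ImageLoaded=C:\Windows\System32\drivers\amsdk.sys FileVersion=1.1.100 Signed=true
2025-09-01T11:00:00Z EventID=6 ImageLoaded=C:\Users\Public\zam.exe FileVersion=3.0.0 Signed=true
""".splitlines() if l.strip()]


def parse_event(line):
    """Parse one flattened event line into a dict; returns None for junk lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event_id, rest = m.groups()
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    fields["EventID"] = int(event_id)
    return fields


def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_vulnerable_driver(ev):
    name = basename(ev.get("ImageLoaded", ""))
    if name not in VULNERABLE_DRIVERS:
        return False
    versions = VULNERABLE_DRIVERS[name]
    return versions is None or ev.get("FileVersion") in versions


def analyze(lines):
    """Return (severity, message) alerts: 'medium' for a flagged driver load,
    'high' when a security process dies within the window after such a load."""
    alerts = []
    recent_loads = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["EventID"] == 6 and is_vulnerable_driver(ev):
            recent_loads.append(ev)
            alerts.append(("medium", f"vulnerable driver loaded: {ev['ImageLoaded']} "
                                     f"v{ev.get('FileVersion', '?')}"))
        elif ev["EventID"] == 5 and basename(ev.get("Image", "")) in SECURITY_PROCESSES:
            for load in recent_loads:
                delta = ev["ts"] - load["ts"]
                if timedelta(0) <= delta <= CORRELATION_WINDOW:
                    alerts.append(("high", f"security process {basename(ev['Image'])} terminated "
                                           f"{int(delta.total_seconds())}s after "
                                           f"{basename(load['ImageLoaded'])} was loaded"))
                    break
    return alerts


if __name__ == "__main__":
    for severity, message in analyze(CONSTRUCTED_EVENTS):
        print(f"[{severity}] {message}")
```

Because the article notes that the patched WatchDog driver still permits arbitrary process termination, a stricter variant would flag any load of amsdk.sys from outside the normal drivers directory regardless of version, rather than only the 1.0.600 build; the version check here mirrors exactly what the article names.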
Via Infosecurity Magazine