Check Point Research (CPR) has uncovered a sophisticated cyber campaign leveraging a vulnerable Windows driver to disable security protections, evade detection, and deploy malicious payloads.
They identified a large-scale, ongoing attack campaign that abuses a legacy version of the Truesight.sys driver to disable endpoint detection and response (EDR) and antivirus (AV) solutions, a bring-your-own-vulnerable-driver (BYOVD) technique in which a legitimately signed but exploitable driver is loaded to gain kernel-level control over security products.
The attack, which has been active since at least June last year, has already produced more than 2,500 modified variants of the vulnerable driver, each with a different file hash, enabling attackers to slip past hash-based blocklists and other modern security mechanisms.
Exploiting a Security Loophole
CPR’s investigation revealed that the threat actors chose the legacy version 2.0.2 of the Truesight driver because it benefits from an exception in the Windows driver signing policy: Windows still accepts kernel drivers signed with a code-signing certificate issued before 29 July 2015, even though newer drivers must otherwise be signed through Microsoft. That loophole allows the old driver to be loaded on the latest versions of the Windows OS.
“Notably, the attackers specifically selected the 2.0.2 version because it retains the vulnerable code while also bypassing the latest Microsoft Vulnerable Driver Blocklist and common detection mechanisms, such as those introduced by the LOLDrivers project, none of which detect this version,” researchers said.
To evade detection even further, the malicious actors deliberately generated multiple variants of the 2.0.2 driver, each with a different file hash, by modifying parts of the PE file that the Authenticode signature does not cover, so the signature remains valid and the driver still loads. “We detected over 2,500 validly signed variants of this driver,” CPR added.
Infrastructure and Scale
CPR found that the attackers hosted their command-and-control (C2) infrastructure in a public cloud provider’s China-based region. Roughly three quarters (75%) of the victims are located in China, while the remainder are spread across Singapore and Taiwan.
The attack begins with first-stage malware disguised as legitimate applications, often delivered via phishing websites and deceptive messaging-app channels. Once installed, the malware downloads and loads the EDR/AV killer module, which loads the vulnerable Truesight driver and uses it to disable security products before the final payload is deployed. Many of these attacks ultimately deploy Gh0st RAT variants, a well-known remote access trojan (RAT) used for espionage and data theft.
Links to Known Threat Actors
While CPR did not conclusively attribute the campaign to a specific group, its findings share similarities with tactics used by the Silver Fox threat actor: the attack’s execution chain, infrastructure choices, and targeting align with the group’s previously documented operations.
Proactive Hunting
Rooting out the abuse of known vulnerable drivers is key to mitigating known threats, said CPR. “However, proactively hunting for the abuse of drivers not yet identified as vulnerable can lead to significant discoveries, often uncovering stealthy operations that have been flying under the radar for months or even years. This publication demonstrates how research-driven, future-focused detection rules can reveal hidden threats designed to evade detection for extended periods.”
In this latest, large-scale campaign, the cybercriminals leveraged thousands of initial-stage malicious samples and exploited more than 2,500 distinct variants of the legacy Truesight driver. “By modifying specific parts of the driver while preserving its digital signature, they bypassed common detection methods, including the latest Microsoft Vulnerable Driver Blocklist and LOLDrivers detection mechanisms, allowing them to evade detection for months.”
This case brings home a key lesson, the researchers concluded. “Hash-based detection alone is not enough to identify sophisticated attacks. The attackers were able to modify the driver in ways that made hash-based checks ineffective, reinforcing the need for more comprehensive detection strategies.”
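Both points made above, that a driver can be altered so its file hash changes while its signature stays valid (see the variants described under “Exploiting a Security Loophole”) and that hash-based detection therefore falls short, come down to how Authenticode hashes a PE file. The Python below is an added worked example, not code from CPR or from this article. It builds a minimal, unsigned PE32+ image in memory (the layout constants, placeholder section bytes and fake PKCS#7 blob are all constructed for illustration, and the blob is never verified as a signature), then computes the Authenticode PE image digest, which per Microsoft’s Authenticode PE specification skips the CheckSum field, the Certificate Table data-directory entry and the certificate table itself. Changing bytes in those excluded regions changes the whole-file SHA-256 but not the Authenticode digest, whereas changing section data changes both.

```python
import hashlib
import struct

# Constructed layout values for the toy image (assumptions, not from any real driver)
FILE_ALIGN = 0x200
SIZE_OF_HEADERS = 0x200


def build_pe(section_data: bytes, cert_blob: bytes, checksum: int = 0) -> bytes:
    """Constructed PE32+: DOS header, PE headers, one .text section, then a
    WIN_CERTIFICATE table appended at the end of the file (cert_blob is a
    placeholder, not a real PKCS#7 signature)."""
    raw_size = -(-len(section_data) // FILE_ALIGN) * FILE_ALIGN
    cert_off = SIZE_OF_HEADERS + raw_size
    cert_len = 8 + len(cert_blob)                      # WIN_CERTIFICATE header + blob
    cert_size = -(-cert_len // 8) * 8                  # table is 8-byte aligned
    cert_table = struct.pack("<IHH", cert_len, 0x0200, 0x0002) + cert_blob
    cert_table += b"\x00" * (cert_size - cert_len)     # padding: not covered by the digest

    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)                               # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)              # Magic: PE32+
    struct.pack_into("<I", opt, 16, 0x1000)            # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)       # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)      # Section/FileAlignment
    struct.pack_into("<H", opt, 48, 10)                # MajorSubsystemVersion
    struct.pack_into("<II", opt, 56, 0x2000, SIZE_OF_HEADERS) # SizeOfImage/SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)          # CheckSum: excluded from digest
    struct.pack_into("<H", opt, 68, 1)                 # Subsystem: native (driver)
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 144, cert_off, cert_size)    # DataDirectory[4]: Certificate Table
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       raw_size, SIZE_OF_HEADERS, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    headers += b"\x00" * (SIZE_OF_HEADERS - len(headers))
    return headers + section_data.ljust(raw_size, b"\x00") + cert_table


def authenticode_digest(pe: bytes, algo: str = "sha256") -> str:
    """Authenticode PE image hash: every byte except the CheckSum field, the
    Certificate Table directory entry, and the certificate table data."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    opt = pe_off + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = 96 if magic == 0x10B else 112            # PE32 vs PE32+ data directories
    checksum_off = opt + 64
    cert_dd_off = opt + dd_base + 4 * 8
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_dd_off)

    h = hashlib.new(algo)
    h.update(pe[:checksum_off])                        # headers up to CheckSum
    h.update(pe[checksum_off + 4:cert_dd_off])         # ... up to the cert directory entry
    h.update(pe[cert_dd_off + 8:size_of_headers])      # ... to the end of the headers
    hashed = size_of_headers
    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):         # ascending PointerToRawData
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    if len(pe) > hashed + cert_size:                   # overlay after the sections
        tail = pe[hashed:cert_off] + pe[cert_off + cert_size:] if cert_size else pe[hashed:]
        h.update(tail)
    return h.hexdigest()


def compare_variants() -> dict:
    """Original vs. a 'variant' that differs only in signature-excluded bytes,
    vs. a tampered copy whose section data actually changed."""
    code = b"\xcc" * 64 + b"constructed placeholder driver body"   # not real driver code
    fake_sig = b"\x30\x82" + b"\x00" * 100                         # constructed dummy blob
    original = build_pe(code, fake_sig, checksum=0x11111111)
    variant = build_pe(code, fake_sig[:-8] + b"VARIANT1", checksum=0x22222222)
    tampered = build_pe(code + b"!", fake_sig, checksum=0x11111111)

    def sha(b: bytes) -> str:
        return hashlib.sha256(b).hexdigest()

    return {
        "file_hash_differs": sha(original) != sha(variant),
        "authenticode_same": authenticode_digest(original) == authenticode_digest(variant),
        "tampered_detected": authenticode_digest(original) != authenticode_digest(tampered),
    }


if __name__ == "__main__":
    print(compare_variants())
```

For hunting, this is the practical takeaway: a rule keyed on the Authenticode digest of the driver image, or on the signer certificate, matches every such variant at once, whereas a whole-file hash blocklist needs a fresh entry for each of the 2,500-plus files.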
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.