Huge Cyberattack Found Hitting Vulnerable Microsoft-Signed Legacy Drivers
A massive cybercriminal campaign has been discovered that abuses an outdated, vulnerable Windows driver to deploy malware against unsuspecting victims. The attack originated in China, and the majority of the targeted individuals are also located within the country.
The Campaign: A Complex Web of Malware and Deception
According to a recent report by researchers at Check Point, the attackers exploited a weakness in version 2.0.2 of the Truesight.sys driver. This older version is known to allow arbitrary process termination, which makes it a prime tool for malicious actors who want to shut down security software.
The crooks created over 2,500 unique variants of the driver, each of which retains a valid signature so that antivirus programs do not flag it. They set up their Command and Control (C2) infrastructure on servers located in China and hosted the vulnerable drivers online. Victims were then targeted through phishing and social engineering, lured into downloading the malicious software with fake deals on luxury goods and other enticing promises.
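The detail that matters for defenders is why thousands of variants can all still carry a valid signature. An Authenticode signature does not cover every byte of a PE file: the CheckSum field, the Security data-directory entry and the certificate table itself are excluded from the signed hash. A variant that only differs in those regions therefore has a new file hash but the same Authenticode hash, and a blocklist keyed on plain file hashes will miss it. The following Python script is an added example (not code from the article or from Check Point's report) that builds two constructed, minimal PE32+ images differing only in certificate-table padding and the checksum field, and shows that their SHA-256 file hashes differ while their Authenticode hashes match. The PKCS#7 blob is a placeholder, not a real signature, and the hashing routine simplifies the Authenticode specification by assuming sections are stored in file order with nothing after the last section except the certificate table.

```python
import hashlib
import struct

SEC_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash a PE image the way Authenticode does: every byte except the
    CheckSum field, the Security data-directory entry and the certificate
    table. Simplification (assumption): sections are in file order and the
    certificate table is the only data after the last section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                      # optional header follows COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 data directories
    checksum_off = opt + 64                      # CheckSum field (same offset for both)
    sec_dir_off = dir_base + SEC_DIR_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_dir_off)
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:sec_dir_off])
    if cert_size:
        h.update(pe[sec_dir_off + 8:cert_off])   # everything up to the certificate table
        h.update(pe[cert_off + cert_size:])      # anything after it (normally nothing)
    else:
        h.update(pe[sec_dir_off + 8:])
    return h.hexdigest()


def win_certificate(pkcs7: bytes, padding: bytes = b"") -> bytes:
    """Wrap a (placeholder) PKCS#7 blob in a WIN_CERTIFICATE header.
    Extra padding lands inside the certificate table, outside the signed hash."""
    body = pkcs7 + padding
    return struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body


def build_pe(cert_blob: bytes, checksum: int = 0) -> bytes:
    """Construct a minimal PE32+ image: one .text section plus an appended
    certificate table. Constructed sample, not a real driver."""
    opt_size = 240            # PE32+ optional header with 16 data directories
    headers_size = 0x400      # SizeOfHeaders
    section_size = 0x200
    cert_off = headers_size + section_size
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<I", opt, 60, headers_size)             # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                 # CheckSum (unsigned region)
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + SEC_DIR_INDEX * 8, cert_off, len(cert_blob))
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", section_size, 0x1000,
                          section_size, headers_size, 0, 0, 0, 0, 0x60000020)
    pe = dos + b"PE\0\0" + coff + opt + section
    pe += b"\0" * (headers_size - len(pe))
    pe += b"\xC3" * section_size                              # constructed code: RET instructions
    return bytes(pe) + cert_blob


FAKE_PKCS7 = b"\x30\x82\x00\x1a" + b"CONSTRUCTED-SIGNATURE-BLOB"  # placeholder, not a signature


def tamper(pe: bytes, offset: int) -> bytes:
    """Flip one byte in the signed region; the Authenticode hash must change."""
    buf = bytearray(pe)
    buf[offset] ^= 0xFF
    return bytes(buf)


def compare_variants() -> dict:
    """Two 'variants' that differ only in certificate-table padding and CheckSum."""
    a = build_pe(win_certificate(FAKE_PKCS7), checksum=0x1111)
    b = build_pe(win_certificate(FAKE_PKCS7, padding=b"\0" * 64), checksum=0x2222)
    return {
        "file_hash_equal": hashlib.sha256(a).hexdigest() == hashlib.sha256(b).hexdigest(),
        "authenticode_hash_equal": authenticode_hash(a) == authenticode_hash(b),
        "tamper_detected": authenticode_hash(tamper(a, 0x400)) != authenticode_hash(a),
    }


if __name__ == "__main__":
    for key, value in compare_variants().items():
        print(f"{key}: {value}")
```

The takeaway for detection engineering: a blocklist or allowlist of drivers should key on the Authenticode hash (the value that Microsoft's driver blocklist and WDAC hash rules use), or on signer plus file version, rather than on a SHA-256 of the whole file, which a padded variant defeats trivially. For real drivers, use a tool that implements the full specification rather than this simplified routine.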
The Attackers' Methodology
Once a victim downloaded the vulnerable driver and the initial piece of malware, the malware used the driver's process-termination capability to shut down the victim's security software, allowing the attackers to drop additional payloads. This gave the attackers full control over infected machines and made it very hard for victims to detect or recover from the attack.
The Scope of the Campaign
Check Point estimates that the campaign may have targeted hundreds of thousands of devices, with the majority of victims (75%) located in China. The rest of the affected regions include Singapore, Taiwan, and others across Asia.
The campaign's earliest activity dates to September 2024, suggesting that the attack has been ongoing for at least half a year. However, Microsoft's recent update to its Vulnerable Driver Blocklist may have prevented further exploitation of the flawed driver.
The Likely Culprits: Silver Fox
According to Check Point, the threat actor behind this campaign is most likely a group called Silver Fox, which is financially motivated rather than state-sponsored. The group is known for using Chinese public cloud servers to host payloads and C2 infrastructure, and for targeting victims in Asia.
The execution chain and the tactics, techniques, and procedures (TTPs) used in this campaign closely resemble those of a September 2024 campaign attributed to Silver Fox, suggesting that the same operators, or ones closely familiar with their methods, are behind both.
Conclusion
The recent cyberattack abusing a vulnerable Microsoft-signed legacy driver is a stark reminder that a valid signature is not proof of safety. As technology continues to evolve, so do the tactics employed by malicious actors, and individuals and organizations alike need to remain vigilant and take proactive measures, such as keeping the vulnerable driver blocklist current, to protect themselves from such attacks.