
Feb 25, 2025 | Ravie Lakshmanan | Windows Security / Vulnerability

A large-scale malware campaign has been discovered utilizing a vulnerable Windows driver associated with Adlice’s product suite to evade detection and deliver the Gh0st RAT malware.

According to Check Point, the attackers have generated multiple variants of the 2.0.2 driver by modifying specific parts of the PE while maintaining the signature’s validity, allowing them to evade detection.
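Why file-hash lookups miss such variants, as an added example (not Check Point's, Adlice's or Microsoft's code): an Authenticode signature covers the whole PE except the CheckSum field, the Certificate Table directory entry and the certificate table itself, so any byte edit that keeps the signature valid must land in those excluded regions. Those edits change the file's SHA-256 but not the signed-region hash, which is why matching drivers by Authenticode hash (as driver blocklists do) rather than by full-file hash is the robust check. The PE below is a constructed stand-in, not the Truesight driver, and its certificate blob is a placeholder, not a real signature.

```python
import hashlib
import struct

def authenticode_hash(pe: bytes) -> str:
    """SHA-256 over the bytes Authenticode signs: the file minus the CheckSum field,
    the Certificate Table directory entry and the certificate table itself."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    num_sections, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    opt = e_lfanew + 24                                      # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]             # 0x20B = PE32+, 0x10B = PE32
    checksum, cert_entry = opt + 64, opt + (112 if magic == 0x20B else 96) + 4 * 8
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    cert_off, cert_len = struct.unpack_from("<II", pe, cert_entry)
    h, end = hashlib.sha256(), size_of_headers
    h.update(pe[:checksum] + pe[checksum + 4:cert_entry] + pe[cert_entry + 8:size_of_headers])
    sections = [struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)  # (SizeOfRawData, PointerToRawData)
                for i in range(num_sections)]
    for size, ptr in sorted(sections, key=lambda s: s[1]):   # raw section data in file order
        h.update(pe[ptr:ptr + size])
        end = max(end, ptr + size)
    tail = pe[end:cert_off] + pe[cert_off + cert_len:] if cert_len else pe[end:]
    h.update(tail)                                           # overlay data minus the cert table
    return h.hexdigest()

def build_pe(checksum: int = 0, cert_padding: bytes = b"") -> bytes:
    """Constructed minimal PE32+ (not a real driver): one .text section plus a placeholder cert blob."""
    e_lfanew, opt_size, size_of_headers = 0x40, 112 + 16 * 8, 0x200
    section = b"\x90" * 0x200
    cert = b"\x01" * 16 + cert_padding                       # placeholder, not a real signature
    cert_off = size_of_headers + len(section)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<II", opt, 60, size_of_headers, checksum)
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(cert))  # security directory entry
    sec = b".text\0\0\0" + struct.pack("<IIII", len(section), 0x1000, len(section), cert_off - len(section)) + b"\0" * 16
    headers = (dos + coff + bytes(opt) + sec).ljust(size_of_headers, b"\0")
    return headers + section + cert

def variant_report() -> dict:
    """Per constructed variant: (full-file SHA-256 changed?, Authenticode hash unchanged?)."""
    base = build_pe()
    variants = {"checksum_patched": build_pe(checksum=0xDEADBEEF),
                "cert_table_padded": build_pe(cert_padding=b"A" * 8)}
    return {name: (hashlib.sha256(v).digest() != hashlib.sha256(base).digest(),
                   authenticode_hash(v) == authenticode_hash(base))
            for name, v in variants.items()}
```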

The malicious activity involves thousands of first-stage malware samples that deploy a program capable of terminating endpoint detection and response (EDR) software using a bring your own vulnerable driver (BYOVD) attack.

As many as 2,500 distinct variants of the vulnerable RogueKiller Antirootkit Driver, truesight.sys, have been identified on the VirusTotal platform, and the true number is likely higher. The EDR-killer module was first detected in June 2024.

The issue with the Truesight driver, an arbitrary process termination bug affecting versions below 3.4.0, has previously been weaponized in proof-of-concept (PoC) exploits such as Darkside and TrueSightKiller, which have been publicly available since at least November 2023.

In March 2024, SonicWall revealed details of a loader called DBatLoader that utilized the truesight.sys driver to kill security solutions before delivering the Remcos RAT malware.

There is evidence suggesting the campaign could be the work of the Silver Fox APT due to overlaps in the execution chain and tradecraft employed.

The attack sequences involve distributing first-stage artifacts disguised as legitimate applications, propagated via deceptive websites and fraudulent channels in popular messaging apps like Telegram.

The samples act as downloaders, dropping the legacy version of the Truesight driver and a next-stage payload that mimics common image file types such as PNG, JPG, and GIF. The second-stage malware then retrieves a further payload that loads the EDR-killer module and the Gh0st RAT malware.

“The variants of the legacy Truesight driver (version 2.0.2) are typically downloaded and installed by the initial-stage samples, but they can also be deployed directly by the EDR/AV killer module if the driver is not already present on the system,” Check Point explained.

“This indicates that although the EDR/AV killer module is fully integrated into the campaign, it is capable of operating independently of the earlier stages.”

The module employs the BYOVD technique to abuse the susceptible driver for terminating processes related to certain security software, bypassing the Microsoft Vulnerable Driver Blocklist.

The attacks culminated with the deployment of a variant of Gh0st RAT called HiddenGh0st, designed to remotely control compromised systems, enabling data theft, surveillance, and system manipulation.

As of December 17, 2024, Microsoft has updated the driver blocklist to include the driver in question, effectively blocking the exploitation vector.

Check Point noted, “By modifying specific parts of the driver while preserving its digital signature, the attackers bypassed common detection methods, including the latest Microsoft Vulnerable Driver Blocklist and LOLDrivers detection mechanisms, allowing them to evade detection for months.”

“Exploiting the Arbitrary Process Termination vulnerability allowed the EDR/AV killer module to target and disable processes commonly associated with security solutions, further enhancing the campaign’s stealth.”
