Silver Fox APT Exploits Microsoft-Signed Driver to Unleash ValleyRAT Malware
- John Jordan
- 2 days ago
The Silver Fox APT group has been observed using a Microsoft-signed but vulnerable driver to disable security software on Windows systems, a bring-your-own-vulnerable-driver (BYOVD) tactic that lets it deploy the ValleyRAT backdoor, also known as Winos, with greater ease and stealth.
Key Takeaways
Silver Fox APT is using a Microsoft-signed driver (amsdk.sys v1.0.600) from WatchDog Anti-malware.
This driver, which was not on any blocklist at the time, allows arbitrary process termination and is used to kill security software.
The group uses a dual-driver strategy, employing a Zemana driver for older systems and the WatchDog driver for Windows 10/11.
The group sidestepped the vendor's patch by altering a single byte in the driver's unauthenticated signature timestamp field, which keeps the Microsoft signature valid while changing the file hash.
The ultimate goal is to deploy ValleyRAT, a backdoor providing remote access and control.
Exploiting a Trusted Vulnerability
The core of this attack lies in the abuse of the "amsdk.sys" driver, a 64-bit kernel driver associated with WatchDog Anti-malware. This driver, built upon the Zemana Anti-Malware SDK, was signed by Microsoft and was not listed on Microsoft's Vulnerable Driver Blocklist or community projects like LOLDrivers. This lack of prior detection made it an ideal tool for the APT group.
Silver Fox employs a dual-driver strategy to ensure compatibility across different Windows versions. For older systems like Windows 7, they utilize a known vulnerable Zemana driver. For more modern Windows 10 and 11 machines, they leverage the newly discovered vulnerabilities within the WatchDog driver.
Disabling Defenses and Deploying ValleyRAT
The campaign's objective is to neutralize endpoint protection products, creating a clear path for malware deployment and persistence without triggering signature-based defenses. The WatchDog driver contains vulnerabilities that allow arbitrary process termination without checking whether the target process is protected, and also permit local privilege escalation.
The attacks feature an all-in-one loader that encapsulates anti-analysis features, the two embedded drivers, antivirus killer logic, and the ValleyRAT DLL downloader. This loader performs checks for virtual environments, sandboxes, and hypervisors, aborting execution if detected. Upon successful evasion, it communicates with a command-and-control (C2) server to fetch and install the ValleyRAT backdoor.
Evasion and Adaptation
Even after WatchDog released a patch to address some vulnerabilities, the Silver Fox APT group demonstrated remarkable adaptability. They modified the patched driver by altering a single byte in the unauthenticated timestamp field. This subtle change preserved the driver's valid Microsoft signature while generating a new file hash, effectively bypassing hash-based blocklists and maintaining the appearance of a trusted driver.
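Why the single-byte change defeats a file-hash blocklist but not one keyed on the Authenticode hash (or on the signer), shown here as an added example that is not from the article or its sources: the Python below computes a simplified Authenticode-style PE hash that skips the CheckSum field, the Security data-directory entry and the certificate table, then compares two constructed toy PE images that differ only inside the signature blob. The toy PE builder and its "FAKE-PKCS7" certificate bytes are constructed test data, not the real amsdk.sys, and the hash routine assumes the certificate table is the last thing in the file.

```python
import hashlib
import struct

def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Simplified Authenticode PE hash: everything except the CheckSum
    field, the Security data-directory entry and the certificate table.
    Assumes the certificate table ends the file and sections are
    contiguous (a full implementation orders sections by PointerToRawData)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                            # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (112 if magic == 0x20B else 96)    # data directories start
    checksum_off = opt + 64                            # OptionalHeader.CheckSum
    secdir_off = dd_base + 4 * 8                       # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    hashed_end = cert_off if cert_size else len(pe)    # unsigned file: hash to EOF
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:secdir_off])
    h.update(pe[secdir_off + 8:hashed_end])
    return h.hexdigest()

def build_toy_pe(sig_byte: int, code_byte: int = 0x90) -> bytes:
    """Constructed, non-loadable PE32+ image with a fake certificate table
    appended (test data only; sig_byte stands in for the unauthenticated
    timestamp byte the attackers changed)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    body = bytes([code_byte]) * 16                     # stands in for sections
    cert_off = 64 + 4 + len(coff) + len(opt) + len(body)
    cert_body = b"FAKE-PKCS7-TIMESTAMP-" + bytes([sig_byte])
    cert = struct.pack("<IHH", 8 + len(cert_body), 0x200, 2) + cert_body
    struct.pack_into("<II", opt, 144, cert_off, len(cert))  # Security dir entry
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body + cert

def compare(a: bytes, b: bytes) -> dict:
    """Do two images share a plain file hash? An Authenticode hash?"""
    return {
        "same_file_hash": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "same_authenticode_hash": authenticode_hash(a) == authenticode_hash(b),
    }
```

A blocklist or detection rule keyed on the file SHA-256 treats the two images as unrelated, while one keyed on the Authenticode hash still matches; changing a byte in the code section, by contrast, changes both hashes.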
This campaign highlights a significant blind spot where attackers move beyond known weaknesses to weaponize previously unclassified, signed drivers. The exploitation of these drivers, combined with sophisticated evasion techniques like signature manipulation, presents a serious and evolving threat to Windows systems.
Sources
Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware, The Hacker News.
Silver Fox APT Exploits Signed Windows Driver to Deliver ValleyRAT, Hackread.
Silver Fox Exploits Signed Drivers to Deploy ValleyRAT Backdoor, Infosecurity Magazine.
Cyberattack Alert: Silver Fox APT Exploits Microsoft-Signed Driver For Malware, The420.in.
How Silver Fox APT Exploits Driver Vulnerabilities to Slip Past Windows 10/11 Security Tools, Cyber Press.