The Chinese threat group known as Silver Fox has abused a signed driver that Windows trusts, the WatchDog Antimalware driver, to disable antivirus and endpoint detection and response (EDR) tools. The tactic is known as “Bring Your Own Vulnerable Driver” (BYOVD), and it has become a significant vector for cyberattacks.
Exploiting Vulnerabilities for Broader Access
Silver Fox has abused not only the WatchDog driver but also the Zemana Anti-Malware driver, identified as ZAM.exe, to ensure compatibility across Windows 7, 10, and 11. This dual-driver approach lets the attackers operate in a wider range of environments and makes their activity harder to detect.
Researchers note that the initial entry point remains unconfirmed, with phishing or social engineering the likely infection route. The attackers used China-based infrastructure to host self-contained loader binaries equipped with anti-analysis features and persistence mechanisms. The loaders also carried hardcoded lists of security processes to terminate, clearing the way for deployment of the ValleyRAT malware, a backdoor capable of cyber-espionage, arbitrary command execution, and data exfiltration.
According to Check Point Research, the abuse of the WatchDog Antimalware driver has evolved, with the attackers rotating through different driver versions and types to evade detection. WatchDog has released an update addressing the local privilege escalation flaw; however, the potential for arbitrary process termination remains a concern.
To mitigate the risk, IT teams should update driver blocklists, deploy YARA detection rules, and monitor network traffic closely for suspicious activity. Vigilance in these areas is crucial to defending against the evolving tactics of threat actors like Silver Fox.
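As an added example (not from the article or from Check Point's research), the following Python sketches the host-side detection that complements the blocklist advice above: it scans constructed Sysmon-style driver-load and process-terminate records for a driver signed by a vendor on an abuse watchlist or loaded from an unusual path, then checks whether security processes were killed shortly afterwards. The vendor watchlist, protected process names, file paths and timestamps are assumptions.

```python
"""Flag BYOVD-style EDR tampering in Sysmon-like records (Event ID 6 DriverLoad,
Event ID 5 ProcessTerminate). Constructed example: publisher watchlist, protected
process names, paths and timestamps are illustrative assumptions, not real IoCs."""
from datetime import datetime, timedelta
# Vendors whose drivers the campaign abused (WatchDog, Zemana). Constructed watchlist:
# list the anti-malware vendors your estate does NOT legitimately deploy.
ABUSED_DRIVER_PUBLISHERS = ("watchdog", "zemana")
# Security tooling whose termination right after such a load is the EDR-kill tell.
PROTECTED_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe"}
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

def suspicious_driver_load(ev):
    """Return the reasons a DriverLoad event looks like BYOVD, or [] if benign."""
    if ev["EventID"] != 6:
        return []
    reasons = []
    if any(v in ev.get("Signature", "").lower() for v in ABUSED_DRIVER_PUBLISHERS):
        reasons.append("publisher on abuse watchlist: " + ev["Signature"])
    if not ev["ImageLoaded"].lower().startswith(TRUSTED_DRIVER_DIR):
        reasons.append("loaded from non-standard path: " + ev["ImageLoaded"])
    return reasons

def detect_edr_kill(events, window=timedelta(minutes=5)):
    """Pair each suspicious driver load with protected processes killed within `window`."""
    alerts = []
    for ev in events:
        reasons = suspicious_driver_load(ev)
        if not reasons:
            continue
        t0 = ev["UtcTime"]
        killed = sorted(e["Image"].rsplit("\\", 1)[-1].lower() for e in events
                        if e["EventID"] == 5 and t0 <= e["UtcTime"] <= t0 + window
                        and e["Image"].rsplit("\\", 1)[-1].lower() in PROTECTED_PROCESSES)
        alerts.append({"driver": ev["ImageLoaded"], "reasons": reasons,
                       "killed": killed, "severity": "high" if killed else "medium"})
    return alerts

T = datetime.fromisoformat
SAMPLE_EVENTS = [  # constructed telemetry; the .sys name is a placeholder
    {"EventID": 6, "UtcTime": T("2025-01-10T09:00:00"), "Signature": "Microsoft Windows",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"EventID": 6, "UtcTime": T("2025-01-10T09:01:00"), "Signature": "WatchDog",
     "ImageLoaded": "C:\\Users\\Public\\placeholder_vuln_driver.sys"},
    {"EventID": 5, "UtcTime": T("2025-01-10T09:01:30"), "Image": "C:\\ProgramData\\Defender\\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": T("2025-01-10T09:02:00"), "Image": "C:\\Windows\\notepad.exe"},
    {"EventID": 5, "UtcTime": T("2025-01-10T09:30:00"), "Image": "C:\\Program Files\\S1\\SentinelAgent.exe"},
]
if __name__ == "__main__":
    for alert in detect_edr_kill(SAMPLE_EVENTS):
        print(alert)  # one high-severity alert: WatchDog-signed driver, MsMpEng.exe killed
```

The benign Microsoft-signed load from System32 produces no alert, and the SentinelAgent.exe termination falls outside the five-minute window, so only the Defender kill is attributed to the suspicious driver.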