{"id":2595,"date":"2025-09-01T21:52:34","date_gmt":"2025-09-01T21:52:34","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/09\/01\/silver-fox-exploits-signed-drivers-to-deploy-valleyrat-backdoor\/"},"modified":"2025-09-01T21:52:34","modified_gmt":"2025-09-01T21:52:34","slug":"silver-fox-exploits-signed-drivers-to-deploy-valleyrat-backdoor","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/09\/01\/silver-fox-exploits-signed-drivers-to-deploy-valleyrat-backdoor\/","title":{"rendered":"Silver Fox Exploits Signed Drivers to Deploy ValleyRAT Backdoor"},"content":{"rendered":"<div id=\"cphContent_pnlMainContent\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A newly detected cyber campaign is exploiting trusted but vulnerable Windows drivers to bypass security protections and install a remote access tool.<\/p>\n<p>The operation, attributed by Check Point Research (CPR) to the Silver Fox APT group, highlights the risks of attackers exploiting Microsoft-signed drivers that were once considered safe.<\/p>\n<h2>Abusing Microsoft-Signed Drivers<\/h2>\n<p>At the center of the attack is the WatchDog Antimalware driver (amsdk.sys, version 1.0.600).<\/p>\n<p>Although signed by Microsoft and not previously listed as vulnerable, the driver was abused to terminate processes linked to antivirus and EDR tools, clearing the way for the deployment of ValleyRAT\u00a0\u2013\u00a0a modular backdoor capable of surveillance, command execution\u00a0and data exfiltration.<\/p>\n<p>Silver Fox also relied on an older Zemana-based driver (<em>ZAM.exe<\/em>) to maintain compatibility across systems ranging from Windows 7 to Windows 11.<\/p>\n<p>Both drivers allowed arbitrary process termination, enabling the attackers to disable even protected processes.<\/p>\n<p><em>Read more on Windows driver exploitation tactics: Vulnerability in Windows Driver Leads to System Crashes<\/em><\/p>\n<p>Researchers found that the group packed all 
elements into self-contained loader binaries.<\/p>\n<p>Each sample included:<\/p>\n<ul>\n<li>\n<p>Anti-analysis features<\/p>\n<\/li>\n<li>\n<p>Persistence mechanisms<\/p>\n<\/li>\n<li>\n<p>Two embedded drivers<\/p>\n<\/li>\n<li>\n<p>A hardcoded list of security processes to terminate<\/p>\n<\/li>\n<li>\n<p>A ValleyRAT downloader<\/p>\n<\/li>\n<\/ul>\n<p>The campaign quickly evolved, producing variants that used new drivers or altered versions of patched drivers to avoid detection.<\/p>\n<h2>Evasion and Attribution<\/h2>\n<p>One technique involved modifying a patched WatchDog driver (wamsdk.sys, version 1.1.100) by changing a single byte in its timestamp field. Because Microsoft\u2019s digital signature does not cover this field, the driver signature remained valid, yet the file appeared as a new one with a different hash.<\/p>\n<p>Infrastructure used in the attacks was traced to servers in China, while malware configurations specifically targeted security products popular in East Asia. These details, combined with the ValleyRAT payload, led to attribution to the Silver Fox APT.<\/p>\n<p>Although WatchDog released an update addressing local privilege escalation flaws, arbitrary process termination remains possible, leaving systems vulnerable.<\/p>\n<p>The CPR research stressed that signature and hash checks alone are insufficient. 
Security teams are advised to apply Microsoft\u2019s latest driver blocklist, use YARA detection rules and implement behavior-based monitoring to catch abnormal driver activity.<\/p>\n<p>\u201cOur research reinforces the need for ongoing efforts of security vendors and users to stay vigilant against the emerging abuse of legitimate drivers,\u201d\u00a0CPR wrote.<\/p>\n<p>\u201cProactive identification, reporting and patching of these vulnerabilities are critical to strengthening Windows systems against evolving threats leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques.\u201d<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A newly detected cyber campaign is exploiting trusted but vulnerable Windows drivers to bypass security protections and install a remote access tool. The operation, attributed by Check Point Research (CPR) to the Silver Fox APT group, highlights the risks of attackers exploiting Microsoft-signed drivers that were once considered safe. Abusing Microsoft-Signed Drivers At the 
center<\/p>\n","protected":false},"author":2,"featured_media":2596,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2595","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2595-b23f3a82-f16b-43e0-92c4-e747b0f981e9.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2595-b23f3a82-f16b-43e0-92c4-e747b0f981e9-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2595-b23f3a82-f16b-43e0-92c4-e747b0f981e9.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2595-b23f3a82-f16b-43e0-92c4-e747b0f981e9.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2595-b23f3a82-f16b-43e0-92c4-e747b0f981e9.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2595-b23f3a82-f16b-43e0-92c4-e747b0f981e9.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2595-b23f3a82-f16b-43e0-92c4-e747b0f981e9.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2595-b23f3a82-f16b-43e0-92c4-e747b0f981e9.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2595-b23f3a82-f16b-43e0-92c4-e747b0f981e9.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2595-b23f3a82-f16b-43e0-92c4-e747b0f981e9.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2595-b23f3a82-f16b-43e0-92c4-e747b0f981e9-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" 
rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2595","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2595"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2595\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2596"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2595"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2595"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2595"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}