Silver Fox Hackers Use Driver Vulnerability to Evade Security on Windows Systems


A sophisticated campaign by the Silver Fox APT group exploits a previously unknown vulnerable driver to bypass endpoint detection and response (EDR) and antivirus solutions on fully updated Windows 10 and 11 systems.

Check Point Research (CPR) revealed on August 28, 2025, that the advanced persistent threat group has been leveraging the WatchDog Antimalware driver (amsdk.sys version 1.0.600) to terminate protected processes and evade modern security solutions.

This Microsoft-signed driver, built on the Zemana Anti-Malware SDK, was not listed in Microsoft’s Vulnerable Driver Blocklist and remained undetected by community security projects.

The Silver Fox APT employed a dual-driver approach to ensure compatibility across different Windows versions.

For legacy systems like Windows 7, attackers used the known vulnerable Zemana driver that is already blocked by security measures.

However, for modern Windows 10 and 11 environments, they deployed the undetected WatchDog driver, which maintained a valid Microsoft signature and bypassed traditional detection mechanisms.

The campaign centers around all-in-one loader samples that combine multiple malicious components into a single executable.

These loaders incorporate anti-analysis features, two embedded vulnerable drivers, custom logic for terminating security processes, and the ValleyRAT downloader module.

The attackers designed these tools to function seamlessly across Windows 7 through Windows 11, adapting their approach based on the target system’s version.

Technical Implementation

Upon execution, the malware performs comprehensive anti-analysis checks including virtual machine detection, sandbox identification, and hypervisor recognition.

If these checks indicate an analysis environment, the malware aborts execution and displays fake system error messages to avoid detection.

Interestingly, researchers discovered exclusions for specific computer names (DESKTOP-T3N3M3Q, DESKTOP-03AMF90, and WIN-VMHH95J6C26) that allow execution to continue, likely systems used during malware development.

The persistence mechanism involves creating a “RunTime” folder under C:\Program Files\RunTime, where the loader and the appropriate vulnerable driver are stored as RuntimeBroker.exe and Amsdk_Service.sys respectively.

The all-in-one self-contained loader – UPX-packed, 64-bit PE.

Two services are established: “Termaintor” maintains persistence for the loader, while “Amsdk_Service” configures the registry for driver loading.
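The artifacts described above (the two service names, the staging folder, the masquerading RuntimeBroker.exe and the dropped driver) can be checked for on a host with a short hunt script. The following is an added example, not code from the article or from Check Point Research; the names and paths are taken from the article, while the assumption that the only legitimate RuntimeBroker.exe lives in %SystemRoot%\System32 is this example's own.

```powershell
# Added hunt script (not from the article or Check Point's report): looks for
# the persistence artifacts the article describes. Service names, folder and
# file names come from the article; the check that the genuine RuntimeBroker.exe
# resides in %SystemRoot%\System32 is an assumption of this example.
#Requires -RunAsAdministrator

$findings = @()

# 1. Services named in the article: "Termaintor" (loader persistence) and
#    "Amsdk_Service" (driver loading). Read from the registry so that
#    services whose binary is missing or not running are also reported.
foreach ($name in 'Termaintor', 'Amsdk_Service') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path $key) {
        $svc = Get-ItemProperty -Path $key
        $findings += [pscustomobject]@{
            Indicator = "Service '$name' registered"
            Detail    = "ImagePath=$($svc.ImagePath) Type=$($svc.Type) Start=$($svc.Start)"
        }
    }
}

# 2. The staging folder and the two files dropped into it.
$stagingDir = Join-Path $env:ProgramFiles 'RunTime'
foreach ($file in 'RuntimeBroker.exe', 'Amsdk_Service.sys') {
    $path = Join-Path $stagingDir $file
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
        $findings += [pscustomobject]@{
            Indicator = 'Dropped file present'
            Detail    = "$path SHA256=$hash"
        }
    }
}

# 3. Any running RuntimeBroker.exe whose image is not the System32 binary.
$legit = Join-Path $env:SystemRoot 'System32\RuntimeBroker.exe'
Get-CimInstance Win32_Process -Filter "Name='RuntimeBroker.exe'" |
    Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -ne $legit) } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = "RuntimeBroker.exe outside System32 (PID $($_.ProcessId))"
            Detail    = $_.ExecutablePath
        }
    }

# 4. Kernel driver services whose binary name matches the WatchDog / Zemana
#    SDK driver names given in the article (amsdk.sys, wamsdk.sys, or the
#    renamed Amsdk_Service.sys), whatever their load state.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -match '(?i)\b(w?amsdk|Amsdk_Service)\.sys$' } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = "Driver service '$($_.Name)' (State=$($_.State))"
            Detail    = $_.PathName
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Silver Fox loader artifacts from the article were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The script reads service definitions from the registry rather than from Get-Service so that a service left behind after its binary was removed still surfaces. Any hit should be treated as a lead for full triage rather than a verdict, since a renamed driver or a different staging folder would not be caught by name matching alone.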

The core vulnerability lies in the WatchDog Antimalware driver’s ability to terminate arbitrary processes without verifying protected process status.

The driver creates its device object with IoCreateDeviceSecure and a strong DACL (Discretionary Access Control List), but it does not set the FILE_DEVICE_SECURE_OPEN flag, so that DACL is not enforced on opens that append a name to the device path. This allows even non-privileged users to communicate with the device through such namespace manipulation.

Attackers exploit this by issuing specific Input/Output Control (IOCTL) commands: first registering their process with IOCTL_REGISTER_PROCESS (0x80002010), then terminating target security processes using IOCTL_TERMINATE_PROCESS (0x80002048). This approach effectively disables endpoint protection products that typically run as protected processes.

The campaign’s ultimate objective is delivering ValleyRAT (also known as Winos), a sophisticated Remote Access Trojan attributed to Silver Fox APT.

The service named Termaintor is responsible for maintaining persistence for the previously dropped copy of the all-in-one loader (RuntimeBroker.exe).

The creation of the “Termaintor” service.

The malware communicates with command-and-control servers hosted in China over channels encrypted with an XOR cipher.

ValleyRAT provides comprehensive remote surveillance capabilities, command execution functionality, and data exfiltration tools.

The targeting pattern suggests a focus on Asian markets, particularly China, as evidenced by the hardcoded list of security processes commonly used in that region.

The malware is typically delivered through .rar archives containing executable files or dynamic-link libraries that exploit legitimate application side-loading techniques.

Vendor Response and Continued Threats

Following CPR’s disclosure, WatchDog released a patched driver (wamsdk.sys version 1.1.100) that addressed local privilege escalation vectors.

However, researchers noted that the patch failed to completely resolve the arbitrary process termination vulnerability, as it still lacked checks for protected processes.

Demonstrating remarkable adaptability, Silver Fox APT quickly incorporated a modified version of the patched driver into their ongoing campaign.

By altering a single byte in the unauthenticated timestamp field of the driver’s Microsoft Authenticode signature, attackers preserved the driver’s valid signature while generating a new file hash, effectively bypassing hash-based security blocklists.
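Because the re-hashed driver keeps a valid Microsoft signature, neither a hash blocklist nor a plain signature-validity check catches it; what stays stable across such a change is the signer, the embedded file name and the file version. The following inventory script is an added example (not from the article or Check Point) that fingerprints every registered kernel driver by those stable attributes alongside two hashes. The driver names and versions it watches for are the ones the article gives; using the AppLocker cmdlet to obtain the Authenticode (PE image) hash is this example's own choice and is treated as optional.

```powershell
# Added triage script (not from the article or Check Point): fingerprints
# registered kernel drivers by signer, OriginalFilename and FileVersion in
# addition to hashes, so a driver whose file hash was changed by editing an
# unauthenticated signature field is still recognisable. Watched names and
# versions are those given in the article. Assumption of this example: the
# AppLocker cmdlet is available and reports the Authenticode hash for PE files.
#Requires -RunAsAdministrator

$watchNames    = 'amsdk.sys', 'wamsdk.sys', 'Amsdk_Service.sys'
$watchVersions = '1.0.600', '1.1.100'
$versionPattern = '^(' + (($watchVersions | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')'

function Get-DriverFingerprint {
    param([string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    $flat = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash

    # The flat SHA256 covers the whole file, signature blob included, so it
    # changes when a byte in the signature's timestamp field is altered.
    # The AppLocker hash for PE files excludes the signature blob.
    $authHash = $null
    try { $authHash = (Get-AppLockerFileInformation -Path $Path).Hash.ToString() } catch {}

    [pscustomobject]@{
        Path             = $Path
        OriginalFilename = $info.OriginalFilename
        FileVersion      = $info.FileVersion
        SignatureStatus  = $sig.Status
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        FlatSHA256       = $flat
        AuthenticodeHash = $authHash
    }
}

# Enumerate drivers via the service control manager so that drivers staged
# outside System32\drivers (as in the article) are included, and normalise
# the NT-style or relative paths that Win32_SystemDriver returns.
$drivers = Get-CimInstance Win32_SystemDriver | ForEach-Object {
    $p = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -and -not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    if ($p -and (Test-Path -LiteralPath $p)) { Get-DriverFingerprint -Path $p }
}

# Match on stable attributes: on-disk name, embedded original name, version.
$suspects = $drivers | Where-Object {
    ($watchNames -contains [IO.Path]::GetFileName($_.Path)) -or
    ($_.OriginalFilename -and ($watchNames -contains $_.OriginalFilename)) -or
    ($_.FileVersion -and ($_.FileVersion -match $versionPattern))
}

if ($suspects) {
    Write-Output 'Drivers matching the WatchDog/Zemana attributes from the article:'
    $suspects | Format-List
} else {
    Write-Output 'No registered driver matches the watched names or versions.'
}

# Full inventory for baselining; Signer + OriginalFilename + FileVersion are
# the fields to feed into a WDAC file-attribute or publisher rule rather than
# a hash-only blocklist.
$drivers | Sort-Object Signer, OriginalFilename | Format-Table Signer, OriginalFilename, FileVersion, SignatureStatus, FlatSHA256 -AutoSize
```

A driver that matches on OriginalFilename and FileVersion but shows a FlatSHA256 absent from any published indicator list is exactly the case the article describes; the signature status will read Valid and is not evidence of safety on its own.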

This campaign represents a significant evolution in advanced persistent threat tactics, highlighting the growing trend of weaponizing signed-but-vulnerable drivers to circumvent endpoint protections.

The technique exposes critical limitations in current security approaches that rely heavily on signature-based and hash-based detection methods.

The attack demonstrates how threat actors are moving beyond known vulnerabilities to exploit previously unclassified drivers, creating blind spots in many defense mechanisms.

The successful use of a Microsoft-signed driver on fully updated systems underscores the sophistication of modern APT operations and their ability to operate within trusted computing environments.

Mitigations

Security experts recommend implementing layered defense strategies that extend beyond traditional detection methods.

Organizations should manually apply the latest Microsoft Vulnerable Driver Blocklist, as automatic updates occur infrequently. Behavior-based detection systems capable of identifying suspicious driver activity patterns are essential for catching novel exploitation techniques.
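Applying the blocklist by hand follows Microsoft's documented procedure: place the blocklist policy binary in the CodeIntegrity folder as SiPolicy.p7b and refresh (or reboot). The script below is an added example, not from the article or from Check Point, and assumes the administrator has already downloaded two artifacts from Microsoft's Vulnerable Driver Blocklist documentation: the blocklist zip (assumed to contain SiPolicy_Enforced.p7b and SiPolicy_Audit.p7b) and the WDAC policy refresh tool. Both paths are placeholders to adjust.

```powershell
# Added procedure (not from the article): installs the Microsoft Vulnerable
# Driver Blocklist manually by copying the policy binary to the CodeIntegrity
# folder and refreshing Code Integrity, as Microsoft documents.
# Assumptions of this example: the blocklist zip and the refresh tool have
# already been downloaded from Microsoft's documentation page, and the zip
# contains SiPolicy_Enforced.p7b / SiPolicy_Audit.p7b. Adjust both paths.
#Requires -RunAsAdministrator
param(
    [string]$BlocklistZip = "$env:USERPROFILE\Downloads\VulnerableDriverBlockList.zip",  # placeholder
    [string]$RefreshTool  = "$env:USERPROFILE\Downloads\RefreshPolicy(AMD64).exe",       # placeholder
    [switch]$AuditOnly    # log blocked drivers instead of blocking them
)

$ErrorActionPreference = 'Stop'

$ciDir   = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
$target  = Join-Path $ciDir 'SiPolicy.p7b'
$extract = Join-Path $env:TEMP 'VulnerableDriverBlockList'
$wanted  = if ($AuditOnly) { 'SiPolicy_Audit.p7b' } else { 'SiPolicy_Enforced.p7b' }

# 1. Unpack the archive and select the audit or enforced policy.
if (Test-Path -LiteralPath $extract) { Remove-Item -LiteralPath $extract -Recurse -Force }
Expand-Archive -LiteralPath $BlocklistZip -DestinationPath $extract
$policy = Get-ChildItem -Path $extract -Recurse -Filter $wanted | Select-Object -First 1
if (-not $policy) { throw "$wanted was not found inside $BlocklistZip" }

# 2. Keep any existing single-policy-format SiPolicy.p7b so the change can be
#    reverted. If this host already runs its own WDAC policy in that format,
#    stop here and merge the blocklist into it instead of overwriting.
if (Test-Path -LiteralPath $target) {
    $backup = "$target.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    Copy-Item -LiteralPath $target -Destination $backup
    Write-Warning "Existing policy found; backed up to $backup. Merge rather than replace if it is a custom policy."
}

# 3. Install the blocklist as SiPolicy.p7b and record what was installed.
Copy-Item -LiteralPath $policy.FullName -Destination $target -Force
$installedHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $target).Hash
Write-Output "Installed $($policy.Name) as $target (SHA256 $installedHash)"

# 4. Ask Code Integrity to reload the policy now; without the refresh tool
#    the new policy takes effect at the next reboot.
if (Test-Path -LiteralPath $RefreshTool) {
    & $RefreshTool
    Write-Output 'Policy refresh requested.'
} else {
    Write-Warning "Refresh tool not found at $RefreshTool; reboot to apply the policy."
}
```

Run it first with -AuditOnly and review the Code Integrity event log for drivers that would have been blocked before switching to the enforced policy, so that a legitimate driver the blocklist covers does not take the host down.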

The campaign emphasizes the critical importance of proactive vulnerability identification and rapid patch deployment across the software supply chain.

Security vendors and users must maintain heightened vigilance against emerging abuse of legitimate drivers, as the boundaries between trusted and malicious code continue to blur in sophisticated APT operations.

This Silver Fox APT campaign serves as a stark reminder that even fully patched, modern Windows systems remain vulnerable to determined adversaries who exploit the fundamental trust relationships built into operating system security models.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.