Threat Actors Exploiting Legacy Drivers to Bypass TLS Certificate Validation

A sophisticated attack employing a legacy-driver exploitation technique has emerged as a significant cybersecurity threat, according to a recent security report.

The attack, first documented in June 2024 by Check Point Research (CPR), primarily focuses on remotely controlling infected systems with the Gh0st RAT malware while evading detection mechanisms.

The threat actors distribute malware through phishing sites and messaging applications, subsequently loading additional payloads using DLL side-loading techniques.

They utilize a modified TrueSight.sys driver to bypass Microsoft’s Vulnerable Driver Blocklist, enabling them to forcibly terminate security processes such as antivirus and endpoint detection and response (EDR) systems.

ASEC analysts identified that the core of this attack revolves around exploiting vulnerabilities in the TrueSight.sys driver, a component of the RogueKiller Antirootkit developed by Adlice Software.

Versions 3.4.0 and below contain a vulnerability allowing arbitrary process termination, which attackers leverage through the AVKiller tool.

While Microsoft added vulnerable TrueSight.sys versions to their Vulnerable Driver Blocklist, version 2.0.2.0 received an exemption as it was signed before July 29, 2015.

Attackers exploited this loophole by employing certificate area tampering to create multiple files masquerading as the legitimate TrueSight 2.0.2.0 version.

SSL Certificate Bypassing Technique

The attackers’ method involves modifying the padding area within the WIN_CERTIFICATE structure.

Figure: Certificate table information, including the certificate details (Source – ASEC)

Windows does not validate this padding area during certificate verification, allowing tampered files to appear legitimately signed and successfully bypass validation through WinVerifyTrust.

Figure: Padding area of the WIN_CERTIFICATE structure (Source – ASEC)
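As an added example (not code from the article, from ASEC, or from Microsoft), the Python below parses a PE file's Attribute Certificate Table, walks its WIN_CERTIFICATE entries, and flags any non-zero bytes that sit after the DER-encoded PKCS#7 blob but inside the 8-byte-aligned entry, which is the padding region the article describes. build_sample_pe and FAKE_SIGNATURE are constructed stand-ins (a headers-only PE32 image wrapping a dummy DER SEQUENCE, not a real Authenticode signature) so the script runs offline; the function names are assumptions of this example.

```python
import struct

# PE / Authenticode constants (from the PE specification)
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def security_directory(pe: bytes):
    """Return (file offset, size) of the Attribute Certificate Table.
    Unlike other directories, the security entry stores a raw file offset."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == PE32_MAGIC else 112)   # DataDirectory[0]
    return struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def der_object_length(buf: bytes) -> int:
    """Encoded size (tag + length + content) of the DER object starting at buf[0]."""
    if len(buf) < 2:
        raise ValueError("DER header truncated")
    first = buf[1]
    if first < 0x80:                              # short-form length
        return 2 + first
    n = first & 0x7F                              # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def audit_cert_padding(pe: bytes):
    """Walk every WIN_CERTIFICATE entry and report bytes that sit after the
    PKCS#7 blob but inside the entry (the region a padding check covers).
    Returns a list of (entry index, description); empty means nothing unusual."""
    off, size = security_directory(pe)
    findings = []
    if off == 0 or size == 0:
        return findings                           # file carries no signature
    table = pe[off:off + size]
    pos, idx = 0, 0
    while pos + 8 <= len(table):
        length, _rev, _ctype = struct.unpack_from("<IHH", table, pos)
        if length < 8 or pos + length > len(table):
            findings.append((idx, "malformed WIN_CERTIFICATE dwLength"))
            break
        entry_end = min(pos + ((length + 7) & ~7), len(table))   # 8-byte aligned
        body = table[pos + 8:pos + length]                       # bCertificate
        try:
            if body[:1] != b"\x30":
                raise ValueError("bCertificate is not a DER SEQUENCE")
            der_len = der_object_length(body)
            if der_len > len(body):
                raise ValueError("DER length exceeds bCertificate")
        except ValueError as exc:
            findings.append((idx, str(exc)))
            pos, idx = entry_end, idx + 1
            continue
        slack = table[pos + 8 + der_len:entry_end]
        nonzero = sum(1 for b in slack if b)
        if nonzero:
            findings.append((idx, f"{nonzero} non-zero byte(s) in {len(slack)} byte(s) of padding"))
        pos, idx = entry_end, idx + 1
    if pos != len(table):
        findings.append((idx, "trailing bytes after the last entry"))
    return findings


def build_sample_pe(signature: bytes, extra: bytes) -> bytes:
    """Constructed, minimal PE32 image (headers only, no sections) whose
    certificate table holds one WIN_CERTIFICATE wrapping `signature + extra`.
    `signature` stands in for the PKCS#7 SignedData; it is not a real signature."""
    cert_off = 0x200
    body = signature + extra
    entry = struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    entry += b"\0" * (-len(entry) % 8)            # align the entry to 8 bytes
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(entry))
    image = dos + b"PE\0\0" + coff + bytes(opt)
    return image + b"\0" * (cert_off - len(image)) + entry


# Constructed stand-in for a DER SEQUENCE (not a real PKCS#7 structure).
FAKE_SIGNATURE = bytes.fromhex("3006020101020102")   # SEQUENCE { INTEGER 1, INTEGER 2 }
CLEAN_PE = build_sample_pe(FAKE_SIGNATURE, b"\0" * 3)
TAMPERED_PE = build_sample_pe(FAKE_SIGNATURE, b"\0\0" + b"<constructed payload>")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_PE), ("tampered", TAMPERED_PE)):
        print(name, audit_cert_padding(sample) or "no findings")
```

Running the file reports one finding for the tampered sample and none for the clean one; to audit a real binary, read it with open(path, "rb") and pass the bytes to audit_cert_padding. The check deliberately stops at the DER boundary rather than verifying the signature itself, so it complements, not replaces, WinVerifyTrust.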

This technique relates to the CVE-2013-3900 vulnerability. Users can enhance protection by applying the following registry settings:

32-bit
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

64-bit
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

Figure: Certificate verification screen using signtool.exe (Source – ASEC)

Microsoft updated their Vulnerable Driver Blocklist on December 17, 2024, to address this threat. AhnLab V3 now detects the maliciously modified TrueSight.sys as Trojan/Win.VulnDriver.R695153.

Organizations should apply the latest security updates and conduct regular vulnerability analyses to protect against these sophisticated attacks targeting core system security components.
