Top Highlights
- Silver Fox is deploying a sophisticated BYOVD attack using a signed, vulnerable driver ("amsdk.sys") from WatchDog Anti-malware to disable endpoint protections and facilitate malware deployment.
- The campaign leverages dual-driver strategies and exploits nullified driver signatures through minimal byte modifications, bypassing detection and rainbow table blocklists.
- The primary payload, ValleyRAT, provides remote access, with the entire operation employing anti-analysis, embedded drivers, and anti-AV techniques to evade detection.
- Active since late 2022, Silver Fox targets Chinese victims via fake websites, phishing, and malicious software, with sub-groups focusing on financial fraud, data theft, and account hijacking for profit.
Underlying Problem
The cyber threat actor known as Silver Fox has orchestrated a sophisticated attack targeting Windows systems by exploiting a previously unknown vulnerability in the WatchDog Anti-malware driver, specifically the “amsdk.sys” (version 1.0.600). This driver, signed by Microsoft and built on Zemana Anti-Malware SDK, was manipulated through a Bring Your Own Vulnerable Driver (BYOVD) strategy to disable security defenses, facilitating malware deployment without detection. The attackers employed a dual-driver approach, using different vulnerable drivers for Windows 7 and Windows 10/11, and exploited the driver’s flaws—such as arbitrary process termination and privilege escalation—to bypass safeguards. Following the discovery, Microsoft issued a patch that subtly altered the driver’s signature to evade detection, exemplifying the threat actor’s adaptability. The group, dubbed Silver Fox or SwimSnake, has been active since late 2022, primarily targeting Chinese-speaking victims with fake websites and trojanized software to deliver remote access tools like ValleyRAT, which grants unauthorized control over infected machines for spying, stealing secrets, and financial fraud. This reporting underscores a growing trend among cybercriminals to weaponize legitimate, signed drivers with unknown vulnerabilities, highlighting an evolving threat landscape that combines technical sophistication with strategic evasion tactics.
The story, reported by cybersecurity firm Check Point and corroborated by Chinese and global cybersecurity agencies, reveals Silver Fox’s broad operational scope, which includes targeting financial institutions and individuals through phishing, malware, and social engineering, often leveraging legitimate cloud services to hide malicious activities. The attackers have also been involved in an internal sub-campaign targeting enterprise financial personnel, aiming to exfiltrate sensitive data and conduct financial fraud via social media manipulations within their broader espionage and cybercrime framework. This detailed account illustrates how threat groups like Silver Fox adapt and evolve their tactics to exploit both known and unknown vulnerabilities, emphasizing the need for vigilant, multi-layered cybersecurity defenses.
Risks Involved
The cyber threat posed by Silver Fox, a highly active and resourceful hacking group, exemplifies the evolving sophistication of modern cyber risks, particularly through the exploitation of signed but vulnerable drivers like amsdk.sys associated with WatchDog Anti-malware, to disable endpoint security and facilitate malware deployment such as ValleyRAT. These attacks leverage a dual-driver strategy to bypass threat detection on different Windows versions, utilizing undetected, signed drivers with known vulnerabilities—capable of process termination and privilege escalation—to disarm security measures stealthily. The malware’s anti-analysis techniques further enhance its resilience, while the attacker’s agile adaptation—altering driver signatures post-patch—demonstrates the persistent challenge in defending against signature-based and zero-day exploits. Silver Fox’s operations, including financially driven campaigns targeting Chinese-speaking victims through phishing, trojanized software, and cloud-hosted malicious payloads, underscore the danger of such well-coordinated, clandestine activities that not only threaten individual and organizational data integrity but also enable financial theft and espionage, thereby exposing critical vulnerabilities in existing cybersecurity defenses.
Possible Action Plan
Prompt detection and rapid response are crucial to prevent widespread damage and protect sensitive systems when dealing with sophisticated exploits like the Silver Fox utilizing a Microsoft-signed WatchDog driver to deploy ValleyRAT malware. Prompt action minimizes potential data breaches, system compromise, and long-term vulnerabilities.
Mitigation Steps:
- Isolate affected systems
- Disable suspicious drivers
Remediation Strategies:
- Conduct a comprehensive malware scan
- Remove malicious files and drivers
- Apply security patches and updates
- Review and strengthen endpoint security policies
- Monitor network traffic for anomalies
- Conduct user awareness and training sessions
Continue Your Cyber Journey
Discover cutting-edge developments in Emerging Tech and industry Insights.
Explore engineering-led approaches to digital security at IEEE Cybersecurity.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
