Chinese Nation-State Group Exploits Microsoft-Signed Driver to Bypass Windows Security
A Chinese nation-state cyber group, tracked as Silver Fox, is actively exploiting a Microsoft-signed driver to disable key Windows security features, researchers at Check Point have revealed. The group is abusing amsdk.sys, a kernel driver shipped with the WatchDog anti-malware software (version 1.0.600), to terminate protected processes on Windows 10 and 11 systems.
The exploited driver was not included on Microsoft's official Vulnerable Driver Blocklist, nor was it catalogued by the community-driven LOLDrivers project. That left a significant blind spot: a validly signed driver that appears on no blocklist loads without objection from the kernel or from blocklist-based detections, which allowed the attackers to operate undetected.
According to Check Point's research, the attackers deliver the driver via a custom loader that also bundles a known-vulnerable driver for Zemana antivirus software and the ValleyRAT downloader. The loader first checks for the presence of virtual machines and sandboxes before proceeding with installation. If these checks pass, the loader installs the WatchDog driver and uses its process-termination capability to kill processes protected by Windows' Protected Process Light (PPL) mechanism, effectively bypassing PPL for the security products running under it.
PPL, introduced in Windows 8.1, is designed to protect critical system processes, including antivirus, endpoint protection, and core system services, from being terminated or modified by unauthorized code. The protection is enforced by the kernel on handle requests coming from other processes; code that already runs in the kernel, such as a loaded driver, is not subject to it, which is exactly why a signed driver exposing a "terminate process" primitive is so valuable to an attacker. By bypassing PPL this way, Silver Fox can maintain persistence on compromised systems and evade detection by endpoint security solutions. "Windows automatically trusts Microsoft-signed code even when vulnerable, allowing adversaries to exploit that trust to escalate privileges and evade monitoring," researchers noted.
ValleyRAT, a remote access Trojan, is a key component of Silver Fox's toolkit, enabling attackers to remotely control infected systems and conduct long-term espionage and intrusion campaigns. Silver Fox has previously been linked to the use of Gh0st RAT, another remote access Trojan sharing similar infrastructure and targeting profiles.
The driver's vendor, WatchDog, responded to the vulnerability by releasing a patched driver, wamsdk.sys (version 1.1.100). However, researchers found that the patch did not fully resolve the issue, and the attackers quickly adapted by incorporating a modified version of the patched driver into their ongoing campaign.
The attackers circumvented hash-based defenses by altering a single byte in the unauthenticated timestamp field of the driver's Microsoft Authenticode signature. That field lives inside the PE's certificate table, which the Authenticode image hash deliberately excludes, so the whole-file SHA-256 changed (and no longer matched any blocklisted hash) while the embedded signature still verified and the driver still appeared legitimate to Windows. The caveat for defenders is that only detections keyed on the whole-file hash are defeated this way: the Authenticode image hash, the signing certificate, and the original file name and version are unchanged, so blocklist rules and detections keyed on those still match.
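The mechanics of that one-byte change can be shown with a short script. The following is an added example written for this page, not code from Check Point or from the original article: it builds a constructed, minimal PE32+ image whose certificate table holds placeholder bytes standing in for a PKCS#7 SignedData blob and its timestamp attribute (not a real signature), computes the Authenticode image hash the way Microsoft's "Windows Authenticode Portable Executable Signature Format" document specifies (skipping the CheckSum field, the Certificate Table directory entry, and the certificate table itself), and compares it with the whole-file SHA-256 after flipping one byte inside the certificate table and, for contrast, one byte inside .text. The function and constant names (build_sample_pe, authenticode_hash, compare_variants, SAMPLE_CERT_BLOB) are this example's own.

```python
"""Authenticode image hash vs. whole-file hash of a PE (added example, not
Check Point's code). The Authenticode hash skips the CheckSum field, the
Certificate Table directory entry and the certificate table itself, so a byte
changed inside the PKCS#7 blob (e.g. an unauthenticated timestamp attribute)
alters the file's SHA-256 but not the hash the signature actually covers."""
import hashlib
import struct

FILE_ALIGNMENT = 512
# Constructed stand-in for a PKCS#7 SignedData blob; NOT a real signature.
SAMPLE_CERT_BLOB = b"SignedData{signerInfo; unauthenticatedAttrs: timestamp=20250731}"


def build_sample_pe(cert_blob: bytes) -> bytes:
    """Constructed minimal PE32+: headers, one .text section, then the
    attribute certificate table appended at the end (as signtool lays it out)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    cert_len = 8 + len(cert_blob)
    cert_len += (-cert_len) % 8              # WIN_CERTIFICATE is 8-byte aligned
    cert_offset = 2 * FILE_ALIGNMENT         # after headers (512) + .text (512)
    data_dirs = [(0, 0)] * 16
    data_dirs[4] = (cert_offset, cert_len)   # IMAGE_DIRECTORY_ENTRY_SECURITY
    opt = struct.pack(
        "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
        0x20B, 14, 0,                          # Magic (PE32+), linker version
        FILE_ALIGNMENT, 0, 0, 0x1000, 0x1000,  # code/data sizes, entry point, BaseOfCode
        0x140000000, 0x1000, FILE_ALIGNMENT,   # ImageBase, SectionAlignment, FileAlignment
        6, 0, 0, 0, 6, 0,                      # OS / image / subsystem versions
        0, 0x2000, FILE_ALIGNMENT, 0,          # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0x8160,                             # Subsystem, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,    # stack/heap reserve and commit
        0, 16,                                 # LoaderFlags, NumberOfRvaAndSizes
    )
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in data_dirs)
    section = struct.pack("<8sIIIIIIHHI", b".text", FILE_ALIGNMENT, 0x1000,
                          FILE_ALIGNMENT, FILE_ALIGNMENT, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + section
    headers += b"\0" * (FILE_ALIGNMENT - len(headers))
    text = b"\xC3" + b"\xCC" * (FILE_ALIGNMENT - 1)  # ret, then int3 padding
    cert = struct.pack("<IHH", cert_len, 0x0200, 0x0002) + cert_blob  # WIN_CERTIFICATE
    return headers + text + cert + b"\0" * (cert_len - len(cert))


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Authenticode PE image hash per Microsoft's Authenticode PE signature
    format document (handles both PE32 and PE32+ optional headers)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    checksum_off = opt + 64
    sec_dir_off = opt + (112 if pe32plus else 96) + 4 * 8   # security dir entry
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_dir_off)
    h = hashlib.new(algo)
    # Headers, minus the 4-byte CheckSum and the 8-byte Certificate Table entry.
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:sec_dir_off])
    h.update(pe[sec_dir_off + 8:size_of_headers])
    hashed = size_of_headers
    # Section raw data, in PointerToRawData order: (SizeOfRawData, PointerToRawData).
    sec_tbl = opt + size_opt
    sections = [struct.unpack_from("<II", pe, sec_tbl + i * 40 + 16) for i in range(num_sections)]
    for raw_size, raw_ptr in sorted(sections, key=lambda s: s[1]):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    # Anything after the sections (overlay), excluding the certificate table.
    if cert_size:
        h.update(pe[hashed:cert_off])
        h.update(pe[cert_off + cert_size:])
    else:
        h.update(pe[hashed:])
    return h.hexdigest()


def file_hash(data: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, data).hexdigest()


def flip_byte(data: bytes, offset: int) -> bytes:
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)


def compare_variants() -> dict:
    """Hashes for the original sample, a copy with one byte flipped inside the
    certificate table (the trick described above), and a copy with one byte
    flipped inside .text (real tampering, which the Authenticode hash catches)."""
    original = build_sample_pe(SAMPLE_CERT_BLOB)
    sig_byte = 2 * FILE_ALIGNMENT + 8 + SAMPLE_CERT_BLOB.index(b"timestamp")
    variants = {"original": original,
                "sig_tampered": flip_byte(original, sig_byte),
                "code_tampered": flip_byte(original, FILE_ALIGNMENT + 16)}
    return {name: {"sha256": file_hash(pe), "authenticode": authenticode_hash(pe)}
            for name, pe in variants.items()}


if __name__ == "__main__":
    for name, hashes in compare_variants().items():
        print(f"{name:14s} sha256={hashes['sha256'][:16]}...  authenticode={hashes['authenticode'][:16]}...")
```

Running it shows the whole-file SHA-256 differing between the original and the signature-tampered copy while the Authenticode hash is identical, and both hashes differing for the code-tampered copy. The same authenticode_hash function can be pointed at a real signed driver read from disk; comparing its output against the Authenticode hashes published in a blocklist is the check that the one-byte trick cannot defeat.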
Check Point researchers are urging stronger validation of driver behavior and improvements to driver blocklists to prevent the exploitation of vulnerable, signed drivers in the future.