Chinese Nation-State Group Exploits Microsoft-Signed Driver to Bypass Windows Security
A Chinese nation-state cyber group, tracked as Silver Fox, is actively exploiting a Microsoft-signed driver to disable key Windows security features, researchers at Check Point have revealed. The group is abusing amsdk.sys, a driver for the WatchDog anti-malware software (version 1.0.600), to terminate protected processes on Windows 10 and 11 systems.
The exploited driver was not included on Microsoft's official Vulnerable Driver Blocklist, nor was it catalogued by the community-driven LOLDrivers project, creating a significant blind spot that allowed the attackers to operate undetected.
According to Check Point's research, the attackers deliver the driver via a custom loader that also contains a vulnerable driver for Zemana antivirus software and the ValleyRAT downloader. This loader first checks for the presence of virtual machines and sandboxes before proceeding with installation. If these checks pass, the loader installs the WatchDog driver and disables Windows' Protected Process Light (PPL) feature.
PPL, introduced in Windows 8.1, is designed to protect critical system processes – including antivirus, endpoint protection, and core system services – from being terminated or modified by unauthorized code. By disabling PPL, Silver Fox can maintain persistence on compromised systems and evade detection by endpoint security solutions.

"Windows automatically trusts Microsoft-signed code even when vulnerable, allowing adversaries to exploit that trust to escalate privileges and evade monitoring," researchers noted.
ValleyRAT, a remote access Trojan, is a key component of Silver Fox's toolkit, enabling attackers to remotely control infected systems and conduct long-term espionage and intrusion campaigns. Previously, Silver Fox has been linked to the use of Gh0st RAT, another remote access Trojan sharing similar infrastructure and targeting profiles.
Microsoft responded to the vulnerability by releasing a patched driver, wamsdk.sys (version 1.1.100). However, researchers found that the patch did not fully resolve the issue, and the attackers quickly adapted by incorporating a modified version of the patched driver into their ongoing campaign.
The attackers circumvented defenses by altering a single byte within the unauthenticated timestamp field of the driver's Microsoft Authenticode signature. This modification allowed them to bypass hash-based blocklists, as the altered file no longer matched known file hashes while still appearing legitimately signed to Windows.
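Why a whole-file hash blocklist misses such a sample, and what key survives it, as an added example (not code from Check Point, Microsoft or the article): an Authenticode signature covers the PE image minus the CheckSum field, the Security data-directory entry and the certificate table itself, so a byte changed inside that table alters the file's SHA-256 but not the hash the signature actually protects. The PE image and certificate table below are constructed placeholders; the Authenticode hasher is simplified (it assumes the certificate table is last in the file and sections are in file order).

```python
import hashlib
import struct

def build_synthetic_pe(cert_table: bytes, body: bytes = b"\xcc" * 64) -> bytes:
    """Constructed, non-runnable PE32+ image: DOS stub, COFF header, optional
    header with 16 data directories, one blob of 'code', then the cert table."""
    pe_off = 64
    opt = bytearray(240)                                # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)               # Magic = PE32+
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)         # CheckSum (not signed)
    cert_off = pe_off + 4 + 20 + len(opt) + len(body)
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(cert_table))  # dir[4]
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    return dos + b"PE\0\0" + coff + bytes(opt) + body + cert_table

def authenticode_hash(pe: bytes) -> str:
    """SHA-256 over what the signature covers: the file minus CheckSum, minus
    the Security directory entry, minus the certificate table (simplified)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    sec_dir = opt_off + (112 if magic == 0x20B else 96) + 4 * 8
    cert_off, cert_len = struct.unpack_from("<II", pe, sec_dir)
    cksum = opt_off + 64
    h = hashlib.sha256()
    for chunk in (pe[:cksum], pe[cksum + 4:sec_dir],
                  pe[sec_dir + 8:cert_off], pe[cert_off + cert_len:]):
        h.update(chunk)
    return h.hexdigest()

# Constructed WIN_CERTIFICATE: dwLength=40, wRevision=0x0200, type=PKCS7,
# then 32 placeholder bytes standing in for the PKCS#7 blob.
ORIGINAL_CERT = struct.pack("<IHH", 40, 0x0200, 0x0002) + b"\x30\x82" + b"\x00" * 30

def blocklist_keys(pe: bytes) -> dict:
    """Two keys a blocklist could use: whole-file hash vs. Authenticode hash."""
    return {"file_sha256": hashlib.sha256(pe).hexdigest(),
            "authenticode_sha256": authenticode_hash(pe)}

def compare_variants() -> dict:
    """Original vs. one byte changed inside the cert table (unsigned region)
    vs. one byte changed in code; shows which key still matches."""
    orig = build_synthetic_pe(ORIGINAL_CERT)
    sig_edit = build_synthetic_pe(ORIGINAL_CERT[:-1] + b"\x01")
    code_edit = build_synthetic_pe(ORIGINAL_CERT, body=b"\xcc" * 63 + b"\x90")
    k0, k1, k2 = blocklist_keys(orig), blocklist_keys(sig_edit), blocklist_keys(code_edit)
    return {"sig_edit_same_file_hash": k0["file_sha256"] == k1["file_sha256"],
            "sig_edit_same_authenticode": k0["authenticode_sha256"] == k1["authenticode_sha256"],
            "code_edit_same_authenticode": k0["authenticode_sha256"] == k2["authenticode_sha256"]}
```

Keying a blocklist on the Authenticode hash (or on the signer certificate plus file version) catches the re-signed-looking variant that a file-hash entry misses, while a real code change still produces a new key.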
Check Point researchers are urging stronger validation of driver behavior and improvements to driver blocklists to prevent the exploitation of vulnerable, signed drivers in the future.