• New malware exploits trusted Windows drivers to get around security systems

    From TechnologyDaily@1337:1/100 to All on Tue Sep 2 17:45:09 2025
    New malware exploits trusted Windows drivers to get around security systems - here's how to stay safe

    Date:
    Tue, 02 Sep 2025 16:38:00 +0000

    Description:
    Silver Fox hackers exploit trusted Windows drivers to kill defenses and slip in ValleyRAT backdoors.

    FULL STORY ======================================================================
    • Chinese threat group abused a vulnerable WatchDog Antimalware driver to disable antivirus and EDR tools
    • Attackers also leveraged a Zemana Anti-Malware driver (ZAM.exe) for broader compatibility across Windows
    • Researchers are urging IT teams to update blocklists, use YARA rules, and monitor for suspicious activity

    Chinese hackers Silver Fox have been seen abusing a previously trusted
    Windows driver to disable antivirus protections and deploy malware on target devices.

    The latest driver to be abused in the age-old Bring Your Own Vulnerable
    Driver attack is called WatchDog Antimalware, usually part of the security solution of the same name.

    It carries the filename amsdk.sys, with version 1.0.600 being the vulnerable one. Security experts from Check Point Research (CPR), who found the issue, said this driver was not previously listed as problematic, but was used in attacks against entities in East Asia.

    Evolving malware

    In the attacks, the threat actors used the driver to terminate antivirus and EDR tools, after which they deployed ValleyRAT.

    This piece of malware acts as a backdoor that can be used in cyber-espionage, for arbitrary command execution, as well as data exfiltration.

    Furthermore, CPR said that Silver Fox used a separate driver, called ZAM.exe (from the Zemana anti-malware solution) to remain compatible between
    different systems, including Windows 7, Windows 10, and Windows 11.

    The researchers did not discuss how victims ended up with the malware in the first place, but it is safe to assume that some phishing or social
    engineering was at play. The crooks used infrastructure located in
    China to host self-contained loader binaries that included anti-analysis features, persistence mechanisms, both of the above-mentioned drivers, a hardcoded list of security processes to be terminated, and
    ValleyRAT.

    Check Point Research said that what started with WatchDog Antimalware quickly evolved to include additional versions and types of drivers, all with the goal of avoiding detection.

    WatchDog released an update fixing the local privilege flaw; however,
    arbitrary process termination remains possible. IT teams should therefore monitor Microsoft's driver blocklist, use YARA detection rules, and monitor their network for suspicious traffic and other activity.
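    As an added example (not from the article, TechRadar or Check Point Research), the following PowerShell check is one way a Windows administrator could act on the advice above: it confirms whether Microsoft's vulnerable driver blocklist is switched on and inventories registered kernel drivers whose file name matches the two names the article gives. Assumed: the driver names and the 1.0.600 version come from the article, and the blocklist toggle is the documented registry value VulnerableDriverBlocklistEnable under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config.

```powershell
# Added defensive check; not code from the article or the researchers.
# Names and the vulnerable version are taken from the article text.
$watchNames    = @('amsdk.sys', 'ZAM.exe')
$vulnerableVer = '1.0.600'

# 1. Is the Microsoft Vulnerable Driver Blocklist enabled? (documented CI\Config value)
$ciKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$toggle = (Get-ItemProperty -Path $ciKey -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($toggle -eq 1) { Write-Host 'Vulnerable driver blocklist: ENABLED' }
else { Write-Warning "Vulnerable driver blocklist is NOT enabled (value: $toggle)" }

# 2. Walk every registered kernel driver and inspect the on-disk file of any name we watch.
$findings = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    if (-not $drv.PathName) { continue }
    # PathName may carry \??\ or \SystemRoot\ prefixes; normalise to a filesystem path.
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $leaf = Split-Path -Path $path -Leaf
    if ($watchNames -notcontains $leaf) { continue }

    $ver = $null; $sig = 'file missing'
    if (Test-Path -LiteralPath $path) {
        $ver = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        # Note: a BYOVD driver is legitimately signed, so Status will usually read
        # 'Valid'; the signature check alone cannot flag it. Version and presence can.
        $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
    }

    [pscustomobject]@{
        Service   = $drv.Name
        State     = $drv.State
        Path      = $path
        Version   = $ver
        Signature = $sig
        Flag      = if ($leaf -ieq 'amsdk.sys' -and $ver -like "$vulnerableVer*") { 'VULNERABLE VERSION' } else { 'review' }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Host "No registered driver named $($watchNames -join ' or ') found." }
```

    Only drivers registered as services are inventoried; a loader that drops and loads a driver transiently will show up only in driver-load telemetry (Code Integrity events, Sysmon driver-load events or the EDR's own logs), so pair this with that monitoring.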

    Via Infosecurity Magazine



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/new-malware-exploits-trusted-windows-drivers-to-get-around-security-systems-heres-how-to-stay-safe


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)