Full Report
A large-scale malware campaign has been found leveraging a vulnerable Windows driver associated with Adlice's product suite to sidestep detection efforts and deliver the Gh0st RAT malware. "To further evade detection, the attackers deliberately generated multiple variants (with different hashes) of the 2.0.2 driver by modifying specific PE parts while keeping the signature valid," Check Point
Analysis Summary
# Tool/Technique: truesight.sys / RogueKiller Antirootkit Driver
## Overview
A vulnerable legacy driver from Adlice's product suite, specifically version 2.0.2 of the RogueKiller Antirootkit Driver (`truesight.sys`), is being weaponized via a Bring Your Own Vulnerable Driver (BYOVD) attack to terminate Endpoint Detection and Response (EDR) software and evade detection. Attackers created thousands of variants by modifying PE parts while keeping the original signature valid.
## Technical Details
- Type: Vulnerable Driver / Technique Implementation
- Platform: Windows
- Capabilities: Arbitrary process termination bug allows termination of security-related processes; modified variants evade signature-based detection.
- First Seen: PoC publicly available since at least November 2023; EDR-killer module detected in use since June 2024.
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
  - T1218 - Signed Binary Proxy Execution
    - T1218.011 - Bring Your Own Vulnerable Driver
  - T1027 - Obfuscated Files or Information
- **TA0003 - Persistence** (Implied via driver installation)
## Functionality
### Core Capabilities
- Exploiting an arbitrary process termination vulnerability (versions below 3.4.0).
- Terminating processes that run security software (EDR/AV).
- Bypassing the Microsoft Vulnerable Driver Blocklist, as the driver modification preserved the original valid signature.
### Advanced Features
- Generation of ~2,500 distinct malicious variants by modifying specific PE parts of driver version 2.0.2 while maintaining the valid digital signature for camouflage.
- Used as a core component in a multi-stage attack chain to pave the way for final malware deployment.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the text]
- File Names: `truesight.sys`
- Registry Keys: [Not explicitly provided in the text]
- Network Indicators: [Not explicitly provided for the driver itself; the network activity belongs to the first-stage samples]
- Behavioral Indicators: Installation and execution of the driver to terminate processes associated with security solutions.
## Associated Threat Actors
- Silver Fox APT (Suggested due to overlaps in execution chain and tradecraft)
- Actors utilizing DBatLoader (Previously used this driver to deliver Remcos RAT)
## Detection Methods
- Signature-based detection (Initially bypassed because the variants carried new file hashes while keeping a valid signature).
- Behavioral detection (Monitoring for arbitrary process termination targeting security software processes).
- YARA rules: [Not explicitly provided in the text]
## Mitigation Strategies
- Patching/Updating the driver to version 3.4.0 or newer to fix the arbitrary process termination bug.
- System hardening against BYOVD attacks.
- Monitoring for the installation and execution of known vulnerable drivers.
- Note: Microsoft updated the driver blocklist to include this driver as of December 17, 2024.
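The two points above that matter most to a defender are that a hash-only blocklist misses re-hashed variants of the same driver, and that the fix threshold is a version number (3.4.0). The following is an added example, not code from Check Point, Adlice or the campaign, showing a small driver-load triage routine that applies both rules to a set of constructed events. Field names (`image`, `file_version`, `sha256`, `signature_valid`) are assumptions loosely modelled on a Sysmon DriverLoad record, and every hash is a labelled placeholder rather than a real indicator.

```python
"""
Driver-load triage for the truesight.sys BYOVD pattern.

Added example; not code from Check Point, Adlice, or the campaign described
on this page. Event records below are constructed, their field names are
assumptions loosely modelled on a Sysmon DriverLoad (Event ID 6) record,
and all hashes are placeholders, not real indicators.
"""
import re

FIXED_VERSION = (3, 4, 0)            # per the report: versions below 3.4.0 are vulnerable
VULNERABLE_DRIVER = "truesight.sys"  # compared case-insensitively on the file name

# Constructed: a hash blocklist that only knows the original 2.0.2 file.
HASH_BLOCKLIST = {"placeholder-sha256-of-original-2.0.2-driver"}

# Constructed driver-load events: the original 2.0.2 file, two re-hashed
# variants (PE bytes altered, signature still valid), a patched 3.4.0 build,
# and an unrelated driver.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\drivers\truesight.sys", "file_version": "2.0.2",
     "sha256": "placeholder-sha256-of-original-2.0.2-driver", "signature_valid": True},
    {"image": r"C:\Users\Public\TrueSight.sys", "file_version": "2.0.2",
     "sha256": "placeholder-sha256-variant-1", "signature_valid": True},
    {"image": r"C:\ProgramData\truesight.sys", "file_version": "2.0.2",
     "sha256": "placeholder-sha256-variant-2", "signature_valid": True},
    {"image": r"C:\Program Files\RogueKiller\truesight.sys", "file_version": "3.4.0",
     "sha256": "placeholder-sha256-3.4.0", "signature_valid": True},
    {"image": r"C:\Windows\System32\drivers\disk.sys", "file_version": "10.0.19041.1",
     "sha256": "placeholder-sha256-disk", "signature_valid": True},
]


def parse_version(text):
    """Turn '2.0.2' or '10.0.19041.1' into a comparable tuple of ints.
    Returns None for a missing or non-dotted string so the caller can treat
    an absent version as a signal instead of crashing."""
    if not text or not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        return None
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 3:                      # pad so (3, 4) compares like (3, 4, 0)
        parts = parts + (0,) * (3 - len(parts))
    return parts


def basename(path):
    """Last path component, lower-cased; accepts either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hash_blocklist_hit(event, blocklist):
    """Exact-hash matching: the check that re-hashed variants slip past."""
    return event.get("sha256", "").lower() in {h.lower() for h in blocklist}


def vulnerable_driver_hit(event):
    """Name-plus-version rule: flags any truesight.sys below 3.4.0, whatever
    its hash. Returns a reason string, or None when the rule does not fire."""
    if basename(event.get("image", "")) != VULNERABLE_DRIVER:
        return None
    ver = parse_version(event.get("file_version"))
    if ver is None:
        return "truesight.sys loaded with missing/unparseable version"
    if ver < FIXED_VERSION:
        return f"truesight.sys {event['file_version']} (< 3.4.0) loaded"
    return None


def triage(events, blocklist=HASH_BLOCKLIST):
    """One finding per suspicious event, recording which rule(s) fired."""
    findings = []
    for ev in events:
        by_hash = hash_blocklist_hit(ev, blocklist)
        reason = vulnerable_driver_hit(ev)
        if by_hash or reason:
            findings.append({
                "image": ev.get("image"),
                "sha256": ev.get("sha256"),
                "matched_hash_blocklist": by_hash,
                "matched_version_rule": reason is not None,
                "reason": reason or "hash on blocklist",
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the hash rule fires once while the version rule fires on all three 2.0.2 loads and stays quiet on the 3.4.0 build. The file version is read from the driver's own PE version resource, which an actor already editing PE bytes could also change, so treat the version rule as one layer alongside the updated Microsoft blocklist noted above and behavioural monitoring for termination of security-software processes.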
## Related Tools/Techniques
- Gh0st RAT (Final payload used in this specific campaign)
- HiddenGh0st (Variant of Gh0st RAT)
- Remcos RAT (Previously delivered using this driver)
- DBatLoader (Loader that previously utilized this driver)
- Darkside (Public PoC exploit using this driver)
- TrueSightKiller (Public PoC exploit using this driver)
***
# Tool/Technique: Gh0st RAT / HiddenGh0st
## Overview
A remote access Trojan (RAT) used in the final stage of the malware campaign. The specific variant deployed is referred to as HiddenGh0st, designed for comprehensive remote control over compromised systems.
## Technical Details
- Type: Malware Family (RAT)
- Platform: Windows
- Capabilities: Remote system control, data theft, surveillance, system manipulation.
- First Seen: Gh0st RAT is a long-established family; HiddenGh0st is a more recently observed variant.
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
- **TA0007 - Credential Access**
  - T1003 - OS Credential Dumping
## Functionality
### Core Capabilities
- Establishing remote access to the compromised host.
- Executing arbitrary commands.
### Advanced Features
- Detailed surveillance and data theft capabilities typical of advanced RATs.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the text]
- File Names: [Not explicitly provided in the text]
- Registry Keys: [Not explicitly provided in the text]
- Network Indicators: [C2 communications for Gh0st RAT]
- Behavioral Indicators: Remote interactive control mechanisms.
## Associated Threat Actors
- Unspecified threat actor utilizing the BYOVD chain (potentially Silver Fox APT).
## Detection Methods
- Detecting network communication patterns consistent with Gh0st RAT C2.
- Signature checking for the final payload executable.
## Mitigation Strategies
- Strong network segmentation and egress filtering.
- Application control to restrict execution of unauthorized remote access tools.
## Related Tools/Techniques
- Silver Fox APT (Associated group)
- BYOVD technique utilizing `truesight.sys` (Precursor step)