Full Report
1. Overview In June 2024, the security company Check Point Research (CPR) published a post on a security threat that used the Legacy Driver Exploitation technique. This attack mostly focused on remotely controlling infected systems using the Gh0stRAT malware and causing additional damage. The threat actor distributed malware using a phishing site and messaging apps, and loaded […]
Analysis Summary
# Tool/Technique: Legacy Driver Exploitation using Modified TrueSight.sys
## Overview
This attack centers around the exploitation of a vulnerability in the legacy driver `TrueSight.sys` (versions prior to 3.4.0) to gain remote control over infected systems, primarily leveraging the Gh0stRAT malware. The actors bypassed Microsoft's driver blocking mechanisms by tampering with the digital signature of the vulnerable driver, allowing it to load and execute malicious code, ultimately disabling security products.
## Technical Details
- Type: Technique (Exploitation of Vulnerable Driver)
- Platform: Windows
- Capabilities: Bypassing driver blocklisting, terminating security processes (AV/EDR), remote code execution via Gh0stRAT.
- First Seen: Attack observed/reported June 2024; the underlying certificate-validation weakness relates to techniques from 2013/2014.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- TA0005 - Defense Evasion
- T1548.002 - Bypass User Account Control
- T1218 - Signed Binary Proxy Execution
- T1218.011 - System Binary: Windows Management Instrumentation
- T1218.015 - Signed Driver
- TA0003 - Persistence
- TA0004 - Privilege Escalation
- T1068 - Exploitation for Privilege Escalation
- T1068.004 - DLL Sideloading
*(Note: Direct mapping for the specific certificate modification technique used on the driver is complex, but it primarily serves the purpose of T1218 and T1548 to achieve Defense Evasion.)*
## Functionality
### Core Capabilities
- **Driver Exploitation:** Utilizing known vulnerabilities in `TrueSight.sys` (from Adlice Software's RogueKiller Antirootkit) to terminate arbitrary processes, including AV and EDR services.
- **Malware Distribution:** Initial access achieved via phishing sites and messaging applications.
- **Payload Delivery:** Loading additional payloads using the DLL side-loading technique.
- **Security Disablement:** Forcibly terminating security software processes.
### Advanced Features
- **Certificate Verification Bypass:** Tampering with the padding area of the `WIN_CERTIFICATE` structure in the PE file header. This manipulation fools Windows' `WinVerifyTrust` function into validating the driver as legitimately signed, despite modification, effectively bypassing the Microsoft Vulnerable Driver Blocklist check for older, unblocked versions (specifically version 2.0.2.0 signed before July 29th, 2015).
- **Vulnerable Driver Reuse:** Leveraging a specific older version of a legitimate driver (`TrueSight.sys` 2.0.2.0) that was exempt from the blocklist due to its signing date.
- **Relation to CVE-2013-3900:** The core certificate manipulation technique is related to flaws addressed by MS13-098, where modifying certificate table size/header information could bypass validation.
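The padding check that `EnableCertPaddingCheck` turns on can be reproduced offline against a single `WIN_CERTIFICATE` entry: parse the DER length of the embedded PKCS#7 SignedData and flag any non-zero bytes between its end and `dwLength`. The block below is an added example, not code from the report or from any vendor tool; it assumes the entry has already been extracted from the PE security directory, and the signature bytes are a constructed stand-in rather than a real signature.

```python
import struct

# WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType (PE/Authenticode spec)
WIN_CERT_HEADER = struct.Struct("<IHH")
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def der_total_length(blob: bytes) -> int:
    """Length of the DER SEQUENCE (tag 0x30) at the start of blob, header included.
    Only definite-length encodings are accepted, which is all Authenticode uses."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_cert_padding(entry: bytes) -> dict:
    """Report whether anything other than zero bytes sits between the end of the
    PKCS#7 SignedData and dwLength, the area abused in CVE-2013-3900-style tampering."""
    dw_length, _revision, cert_type = WIN_CERT_HEADER.unpack_from(entry)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unexpected wCertificateType %#x" % cert_type)
    body = entry[WIN_CERT_HEADER.size:dw_length]
    sig_len = der_total_length(body)
    padding = body[sig_len:]
    return {
        "signature_len": sig_len,
        "padding_len": len(padding),
        "padding_clean": not any(padding),   # what EnableCertPaddingCheck enforces
    }


def build_entry(signature: bytes, padding: bytes) -> bytes:
    """Constructed WIN_CERTIFICATE entry: header + DER signature + padding bytes."""
    total = WIN_CERT_HEADER.size + len(signature) + len(padding)
    header = WIN_CERT_HEADER.pack(total, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    return header + signature + padding


# Constructed stand-in for a PKCS#7 blob: a 7-byte DER SEQUENCE, not a real signature.
FAKE_SIGNATURE = b"\x30\x05\x04\x03abc"
CLEAN_ENTRY = build_entry(FAKE_SIGNATURE, b"\x00" * 9)                # zero padding only
TAMPERED_ENTRY = build_entry(FAKE_SIGNATURE, b"\x00" + b"payload!")   # data hidden in padding

if __name__ == "__main__":
    for name, entry in (("clean", CLEAN_ENTRY), ("tampered", TAMPERED_ENTRY)):
        print(name, check_cert_padding(entry))
```

On a real driver, feed the function the bytes at the Security Directory's RVA/size from the optional header; a signed file that Windows accepts with the padding check off but rejects with it on will show `padding_clean` as `False`.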
## Indicators of Compromise
- File Hashes:
- MD5: `05c6c1a7f714aee24118b1ed5471dcfb`, `08778920cbe7ea998fd31db4eb504fe9`, `097adb6f2627e52746ca2b47839e27aa`, `12f762403dd2eadd0d4f58c4bd31059c`, `1889f580de1d9385eb9e81ba6e2b26cb`
- File Names: `TrueSight.sys` (modified version 2.0.2.0)
- Registry Keys:
- `HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config`: Setting `EnableCertPaddingCheck` to "1" to enhance validation (Mitigation, not IOC).
- `HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config`: Setting `EnableCertPaddingCheck` to "1" (Mitigation, not IOC).
- Network Indicators:
- Behavioral Indicators:
- Execution of `AVKiller` tool.
- Dynamic loading of `Gh0stRAT`.
- Process termination targeting security products (AV/EDR).
## Associated Threat Actors
- Threat Actor(s) utilizing Gh0stRAT and known to employ advanced driver exploitation techniques (specific named groups not provided in the text, but associated with attacks exploiting vulnerable signed drivers).
## Detection Methods
- Signature-based detection: AhnLab V3 detects the malicious driver as `Trojan/Win.VulnDriver.R695153`.
- Behavioral detection: Monitoring for process termination attempts targeting security software.
- YARA rules: (Not explicitly provided, but signatures for the specific file hashes or modifications to the PE header structure could be created).
## Mitigation Strategies
- Prevention measures: Promptly applying the latest security updates from Microsoft to ensure vulnerable drivers are blocked via the Vulnerable Driver Blocklist (which was updated on Dec 17, 2024, to include variants of the malicious driver).
- Hardening recommendations:
- Actively using security solutions (like EDR/AV) configured to detect malicious driver loading or process termination.
- Enforcing stricter certificate validation by setting the registry key `EnableCertPaddingCheck` to "1" under the Wintrust configuration paths (especially critical for mitigating CVE-2013-3900 derived attacks).
- Conducting regular security checks and vulnerability analyses focusing on legacy or untrusted drivers present on the system.
## Related Tools/Techniques
- **Malware:** Gh0stRAT
- **Tool:** AVKiller (used to exploit the driver vulnerability)
- **Driver:** TrueSight.sys (vulnerable component)
- **Vulnerability Context:** CVE-2013-3900, MS13-098
- **Related Technique:** DLL Side-loading