Full Report
Introduction (excerpt): While the abuse of vulnerable drivers has been around for a while, those that can terminate arbitrary processes have drawn increasing attention in recent years. As Windows security continues to evolve, it has become more challenging for attackers to execute malicious code without being detected. As a result, the attackers often aim to […]
Source: The post "Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign" appeared first on Check Point Research.
Analysis Summary
# Tool/Technique: Truesight.sys Driver (Version 2.0.2) Abuse
## Overview
This refers to the large-scale abuse of the legacy version 2.0.2 of the `Truesight.sys` driver (RogueKiller Antirootkit Driver by Adlice) within an ongoing campaign to deploy an EDR/AV killer module. Attackers exploited a specific vulnerability in this version (affecting versions below 3.4.0) to gain elevated privileges, bypass security mechanisms, and terminate security processes. Over 2,500 distinct, validly signed variants of this specific version were observed being utilized.
## Technical Details
- Type: Vulnerable Driver / Exploit Payload
- Platform: Windows OS
- Capabilities: Arbitrary Process Termination, Kernel-level execution via driver loading, Evasion of blocklists.
- First Seen: Module detected in June 2024
## MITRE ATT&CK Mapping
This abuse primarily enables privilege escalation and defense evasion:
- TA0004 - Privilege Escalation
- T1204.002 - User Execution: Malicious File
- T1213 - Exploitation for Client Execution (Implied via process loading)
- TA0005 - Defense Evasion
- T1564.003 - Hide Artifacts: File Deletion (If used to clean up) or general bypass mechanisms.
- T1078.003 - Valid Accounts: Local Accounts (Gaining kernel-level capability bypasses user context restrictions)
## Functionality
### Core Capabilities
* **Privilege Escalation:** Exploiting the vulnerability in version 2.0.2 to load the driver and execute arbitrary code in kernel space.
* **Defense Disabling:** Used specifically to load an **EDR/AV killer module** to terminate security product components (Protected Processes/Protected Processes Light).
* **Bypass Mechanisms:** Version 2.0.2 specifically evaded the Microsoft Vulnerable Driver Blocklist and common detection mechanisms like the LOLDrivers project list, despite having known critical flaws.
### Advanced Features
* **Variant Generation:** Attackers created over 2,500 different variants of the signed 2.0.2 driver by modifying non-signature related PE parts, ensuring different file hashes while maintaining the valid digital signature.
* **Policy Loophole Exploitation:** Leveraging a Windows policy loophole (an exception in the driver signing policy) that allowed the legacy driver, which would not meet the signing requirements imposed on newly signed drivers, to be loaded on newer Windows versions.
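The variant-generation point above rests on a property of Authenticode that defenders can turn around: a signature that still verifies commits to the PE image hash defined in the Authenticode PE specification, which deliberately skips the `CheckSum` field, the Security data-directory entry and the attribute certificate table. Edits confined to those regions change the file hash but not the signed hash, so matching on the Authenticode hash instead of the file hash collapses such variants back onto one value. The following is an added example, not Check Point's code: it computes that hash with the standard library and builds a constructed, placeholder-signed PE32+ image (no real PKCS#7 signature, no real driver bytes) to show a "variant" whose SHA-256 differs while the signed hash is unchanged.

```python
import hashlib
import struct


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Authenticode PE image hash per the Authenticode PE spec (assumes the
    certificate table, if any, is the last thing in the file, as Windows expects)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    is_pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    checksum_off = opt + 0x40                                # OptionalHeader.CheckSum
    size_of_headers = struct.unpack_from("<I", data, opt + 0x3C)[0]
    secdir_off = opt + (0x90 if is_pe32plus else 0x80)       # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_size = struct.unpack_from("<II", data, secdir_off)[1]

    h = hashlib.new(algo)
    h.update(data[:checksum_off])                            # headers up to CheckSum
    h.update(data[checksum_off + 4:secdir_off])              # ... up to the Security entry
    h.update(data[secdir_off + 8:size_of_headers])           # ... rest of the headers

    # Section bodies in PointerToRawData order (section header: SizeOfRawData at +16,
    # PointerToRawData at +20)
    sec_tbl = opt + size_of_opt
    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tbl + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    # Trailing data after the sections is hashed, except the certificate table itself
    extra = len(data) - hashed - cert_size
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()


def build_driver_image(checksum: int, cert_padding: bytes) -> bytes:
    """Constructed minimal PE32+ native-subsystem image with a placeholder certificate
    table (not a real signature); only used to exercise the hash computation."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: AMD64, 1 section, SizeOfOptionalHeader=240 (PE32+)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0x00, 0x20B)        # Magic: PE32+
    struct.pack_into("<I", opt, 0x3C, 0x200)        # SizeOfHeaders
    struct.pack_into("<I", opt, 0x40, checksum)     # CheckSum (not covered by the signature)
    struct.pack_into("<H", opt, 0x44, 1)            # Subsystem: native (kernel driver)
    struct.pack_into("<I", opt, 0x6C, 16)           # NumberOfRvaAndSizes
    cert = b"PLACEHOLDER-PKCS7" + cert_padding      # padding lives inside the cert table
    cert_len = 8 + len(cert)
    cert_len_padded = (cert_len + 7) & ~7
    cert_table = (struct.pack("<IHH", cert_len_padded, 0x0200, 0x0002)
                  + cert + b"\0" * (cert_len_padded - cert_len))
    struct.pack_into("<II", opt, 0x90, 0x400, len(cert_table))  # Security directory
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    text = bytes(range(256)) * 2                    # constructed section body
    return headers + text + cert_table


def compare_variants() -> dict:
    """Two images differing only in CheckSum and certificate-table padding."""
    base = build_driver_image(checksum=0, cert_padding=b"")
    variant = build_driver_image(checksum=0x1234ABCD, cert_padding=b"\x41" * 16)
    return {
        "file_hash_differs": hashlib.sha256(base).digest() != hashlib.sha256(variant).digest(),
        "signed_hash_same": authenticode_hash(base) == authenticode_hash(variant),
    }


if __name__ == "__main__":
    print(compare_variants())
```

Real-world usage would feed `authenticode_hash()` the bytes of a driver taken from disk and compare the result against the signed hash of known-bad versions, with `pe.version_info` and signer checks of the kind the YARA rule below performs layered on top; a change anywhere in the headers or section bodies, by contrast, does alter the Authenticode hash and would also break the signature.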
## Indicators of Compromise
* File Hashes: N/A (Over 2,500 variants observed)
* File Names: `Truesight.sys` (version 2.0.2 variants)
* Registry Keys: Not specified in the context provided.
* Network Indicators: Infrastructure hosted in a public cloud’s China region. C2 servers hosted on:
* `ot11[.]oss-cn-shanghai[.]aliyuncs[.]com`
* `7htoss[.]oss-cn-shanghai[.]aliyuncs[.]com`
* Behavioral Indicators: Loading of multiple, cryptographically valid-signed variants of `Truesight.sys` version 2.0.2. Process termination targeting security software components.
## Associated Threat Actors
Not explicitly named in the provided description, but associated with a large-scale campaign targeting victims primarily in China (approx. 75%). Final payloads included Gh0st RAT variants.
## Detection Methods
* **Signature-based detection:** A specific YARA rule was developed to target these variants:
```yara
import "pe"

rule truesight_driver_64bit_ver202 {
    meta:
        description = "Detects all variants of the legacy, 64-bit, valid-signed Truesight driver, version 2.0.2"
        author = "Jiri Vinopal @ Check Point Research"
    condition:
        // Detect PE (MZ at offset 0, PE\0\0 at e_lfanew)
        uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and
        // Detect 64-bit Windows drivers (Subsystem == NATIVE, Magic == PE32+)
        uint16(uint32(0x3C) + 0x5c) == 0x0001 and uint16(uint32(0x3C) + 0x18) == 0x020b and
        // Detect InternalName "Truesight" and FileVersion "2.0.2"
        pe.version_info["InternalName"] == "Truesight" and
        pe.version_info["FileVersion"] == "2.0.2" and
        // Detect only signed drivers, not a real verification
        pe.number_of_signatures > 0 and
        for all i in (0..pe.number_of_signatures - 1): (pe.signatures[i].verified)
}
```
* **Behavioral detection:** Future-focused hunting rules designed to detect the *potential* abuse of not-yet-known-vulnerable drivers.
* **General Detection:** Traditional methods failed because the driver evaded the LOLDrivers project list and the existing Microsoft Vulnerable Driver Blocklist.
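The behavioral-hunting point above is about catching abuse of a driver before it lands on any blocklist, which means hunting on how drivers are loaded rather than on which driver it is. The following added example (generic heuristics, not Check Point's hunting rules, which the page does not reproduce) runs three such checks over driver-load telemetry: one signer and file name appearing with many distinct hashes across the fleet (the variant pattern this campaign relied on), a driver image loaded from outside the standard driver directories, and a load whose reported signature status is not valid. Field names follow Sysmon Event ID 6 ("Driver loaded"); the records, hosts, hashes and signer subject are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DriverLoad:
    """Constructed subset of a Sysmon Event ID 6 (Driver loaded) record."""
    host: str
    image_loaded: str
    sha256: str
    signature: str          # signer subject as reported by the sensor (placeholder)
    signature_status: str   # e.g. "Valid", "Unavailable"


# Constructed sample telemetry; hashes, hosts and signer are placeholders, not IoCs.
SAMPLE_EVENTS = [
    DriverLoad("ws-01", r"C:\Windows\System32\drivers\truesight.sys", "sha256-variant-A", "placeholder-signer", "Valid"),
    DriverLoad("ws-02", r"C:\Windows\System32\drivers\truesight.sys", "sha256-variant-B", "placeholder-signer", "Valid"),
    DriverLoad("ws-03", r"C:\Users\bob\AppData\Local\Temp\truesight.sys", "sha256-variant-C", "placeholder-signer", "Valid"),
    DriverLoad("ws-04", r"C:\Windows\System32\drivers\truesight.sys", "sha256-variant-A", "placeholder-signer", "Valid"),
    DriverLoad("ws-05", r"C:\Windows\System32\drivers\tcpip.sys", "sha256-tcpip", "Microsoft Windows", "Valid"),
]

# Where third-party kernel drivers are normally installed (assumption: adjust per estate)
STANDARD_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def hunt_driver_loads(events, variant_threshold: int = 3) -> list:
    """Return a list of findings; each finding is a dict with a 'rule' key."""
    findings = []
    hashes_by_key = defaultdict(set)   # (file name, signer) -> distinct hashes
    hosts_by_key = defaultdict(set)    # (file name, signer) -> hosts that loaded it

    for e in events:
        name = e.image_loaded.rsplit("\\", 1)[-1].lower()
        key = (name, e.signature)
        hashes_by_key[key].add(e.sha256)
        hosts_by_key[key].add(e.host)

        # Rule 1: kernel driver image loaded from outside the standard driver directories
        if not e.image_loaded.lower().startswith(STANDARD_DRIVER_DIRS):
            findings.append({"rule": "driver-outside-system-dirs",
                             "host": e.host, "image": e.image_loaded})

        # Rule 2: the sensor could not validate the signature of a loaded driver
        if e.signature_status != "Valid":
            findings.append({"rule": "driver-signature-not-valid",
                             "host": e.host, "image": e.image_loaded,
                             "status": e.signature_status})

    # Rule 3: same file name and signer seen with many distinct hashes fleet-wide.
    # A legitimately updated driver yields a few hashes over time; hash churn at
    # this scale under one signer is the variant-generation pattern described above.
    for (name, signer), hashes in hashes_by_key.items():
        if len(hashes) >= variant_threshold:
            findings.append({"rule": "same-name-signer-many-hashes",
                             "image": name, "signer": signer,
                             "distinct_hashes": len(hashes),
                             "hosts": len(hosts_by_key[(name, signer)])})
    return findings


if __name__ == "__main__":
    for finding in hunt_driver_loads(SAMPLE_EVENTS):
        print(finding)
```

The threshold in rule 3 is the knob to tune: set it from a baseline of how many hashes a given signer's driver normally accumulates in the estate over a patch cycle, and run the aggregation over a fleet-wide window rather than per host, since the whole point is that each individual host may only ever see one apparently clean, validly signed file.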
## Mitigation Strategies
* **Patching/Blocking:** MSRC updated the Microsoft Vulnerable Driver Blocklist (as of December 17, 2024) to effectively block all variants of the legacy `Truesight.sys` version 2.0.2 exploited in this campaign.
* **Driver Integrity Checks:** Implement strict driver verification beyond basic signature presence to ensure version and component integrity against known bad versions.
* **Advanced Hunting:** Deploy hunting rules to proactively identify potentially vulnerable or abused drivers that are not yet officially listed as vulnerable.
## Related Tools/Techniques
* Vulnerable Driver Exploitation (General technique)
* EDR/AV Killing techniques using kernel modules.
* Gh0st RAT (Final payload observed).
* DLL Side-loading and commercial protectors (Mentioned as other techniques used in the infection chain).