- Chinese threat group abused a vulnerable WatchDog Antimalware driver to disable antivirus and EDR tools
- Attackers also leveraged a Zemana Anti-Malware driver (ZAM.exe) for broader compatibility across Windows
- Researchers are urging IT teams to update blocklists, use YARA rules, and monitor for suspicious activity
Chinese hackers Silver Fox have been seen abusing a previously trusted Windows driver to disable antivirus protections and deploy malware on target devices.
The latest driver to be abused in the age-old “Bring Your Own Vulnerable Driver” attack is called WatchDog Antimalware, usually part of the security solution of the same name.
It carries the filename amsdk.sys, with the version 1.0.600 being the vulnerable one. Security experts from Check Point Research (CPR), who found the issue, said this driver was not previously listed as problematic, but was used in attacks against entities in East Asia.
Evolving malware
In the attacks, the threat actors used the driver to terminate antivirus and EDR tools, after which they deployed ValleyRAT.
This piece of malware acts as a backdoor that can be used in cyber-espionage, for arbitrary command execution, as well as data exfiltration.
Furthermore, CPR said that Silver Fox used a separate driver, called ZAM.exe (from the Zemana anti-malware solution) to remain compatible between different systems, including Windows 7, Windows 10, and Windows 11.
The researchers did not discuss how victims ended up with the malware in the first place, but it is safe to assume a little phishing, or social engineering was at play here. The crooks used infrastructure located in China, to host self-contained loader binaries that included anti-analysis features, persistence mechanisms, both of the above-mentioned drivers, a hardcoded list of security processes that should be terminated, and ValleyRAT.
Check Point Research said that what started with WatchDog Antimalware quickly evolved to include additional versions, and types, of drivers, all with the goal of avoiding any detection.
WatchDog released an update fixing the local privilege flaw, however arbitrary process termination remains possible. Therefore, IT teams should make sure to monitor Microsoft’s driver blocklist, use YARA detection rules, and monitor their network for suspicious traffic and/or other activity.
