• Attackers are increasingly targeting vulnerabilities in drivers, which operate in kernel mode with the highest permissions, to bypass security measures and facilitate further infections.
  • Since 2015, Windows has required new kernel-mode drivers to be signed through Microsoft before they will load, but drivers signed before the policy took effect are still allowed to run. Attackers exploited this legacy exception with an old version of the Truesight.sys driver, whose later versions are already known to be vulnerable and blocked.
  • To further evade detection, the attackers generated over 2,500 variants of the 2.0.2 driver, each with a different file hash, by modifying parts of the driver that the digital signature does not cover. The signature stayed valid on every variant, so a hash-based detection of one variant did not catch the others.
  • Check Point Research reported the issue to the Microsoft Security Response Center. On December 17, 2024, Microsoft added the legacy 2.0.2 version of Truesight.sys to the Microsoft Vulnerable Driver Blocklist, which blocks all variants of the driver abused in this campaign.

In the increasingly complex world of Windows security, attackers find it harder to execute malicious code undetected. Consequently, they are turning to vulnerabilities in drivers, software components that run in kernel mode with the highest privileges. A vulnerable driver that an attacker can load gives them a path to disable security measures and stage the rest of the infection.

In 2015, Microsoft introduced a driver-signing policy under which new kernel-mode drivers will not load unless Microsoft has signed them. Drivers signed before the policy took effect, however, are still allowed to run. As Check Point Research uncovered, attackers exploited this loophole by leveraging a legacy version of the Truesight.sys driver that predates 2015. Truesight.sys is part of Adlice's cyber security product; its later versions are known to be vulnerable and have been exploited in the wild.

The loophole enabled a large-scale campaign in which the attackers made small modifications to the legacy driver that changed its file hash, producing over 2,500 variants that all kept a valid digital signature. Hash-based detection could not keep up, so the driver loaded unhindered and was used to terminate security products on the host. Distributed through phishing, the malware was deployed in the final stage of the attacks and gave the attackers complete control of their victims' devices for data theft, surveillance, and system manipulation.

This blog explores how Check Point Research first identified the driver, why this version slipped past Microsoft's blocklist even though later versions were already blocked, and what the case means for defenders.

Truesight.sys Driver and Its Exploitation

A few months ago, Check Point Research developed a methodology for hunting drivers that are not yet known to be vulnerable. While investigating the hundreds of drivers this method surfaced, we found what at first glance looked like yet another abuse of the well-known vulnerable driver Truesight.sys, and we nearly set it aside because that driver is already blocked due to its widespread abuse. The driver itself is legitimate and is shipped for security purposes, but versions below 3.4.0 carry a significant vulnerability: they let a user-mode caller terminate arbitrary processes, a critical flaw that can be exploited to disable antivirus or endpoint detection and response solutions.

However, further investigation revealed that the attackers were using Truesight.sys version 2.0.2. While other versions, such as 3.3.0, have long been publicly documented as vulnerable and are detected when abused, version 2.0.2 evaded detection for several months. The primary reason is that this version appeared neither on Microsoft's Vulnerable Driver Blocklist nor in community catalogs of known vulnerable drivers such as the LOLDrivers project, so tooling keyed on those lists let it load.

The legacy version retains exactly the same vulnerable code, so the attackers could exploit the flaw while the driver sailed past modern blocklists. Microsoft's Vulnerable Driver Blocklist, which is designed to prevent known-bad drivers from loading, simply did not cover this version, leaving systems exposed. The attackers deliberately chose 2.0.2: it was old enough to fall under the legacy signing exception, still contained the vulnerable code, and sidestepped detection logic aimed at the newer versions.

A Sophisticated Approach to Bypassing Detection

To further evade detection, the attackers generated more than 2,500 unique variants of the 2.0.2 driver by making subtle changes to parts of its Portable Executable (PE) structure, so that every variant had a different file hash. Because the signature still verified afterwards, the modified bytes must lie outside the regions that the Authenticode hash covers; the original, vendor-issued digital signature therefore remained valid on every variant, and the driver continued to look legitimate to signature checks. Hash-based detection, which keys on the exact file hash, sees each variant as a new, unknown file, and since each still carries a valid signature, it loads without triggering alarms from most security tools. The attackers did not need to re-sign anything.
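The mechanism behind this, as an added illustration (this is not Check Point's or Adlice's code, and the page does not say which bytes the attackers changed): the Authenticode PE specification excludes three regions from the signed hash, the optional-header CheckSum, the certificate-table data-directory entry and the attribute certificate table itself. The script below builds a constructed, minimal PE32+ image with a dummy signature blob (nothing here verifies with real tooling), implements the Authenticode hashing procedure, and produces variants by rewriting the CheckSum and by padding inside the certificate table. It then compares a blocklist keyed on the file SHA-256 of the one sample already seen with one keyed on the Authenticode hash, which is the hash that signed-hash rules such as those in the Microsoft blocklist use. The function names and the synthetic image are assumptions of this example.

```python
"""Added illustration (not Check Point's or Adlice's code): which bytes of a PE
the Authenticode signature covers, and why edits outside them change the file
hash without invalidating the signature. The PE built here is a constructed
stand-in for a signed driver and its "signature" is dummy bytes."""
import hashlib
import struct

FILE_ALIGN = 512


def _layout(pe: bytes):
    """Offsets of the fields that Authenticode excludes from its hash."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 24                      # optional header after PE sig + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    checksum_off = opt + 64                  # CheckSum field (same offset in PE32/PE32+)
    certdir_off = opt + (144 if magic == 0x20B else 128)  # DataDirectory[4]
    return e_lfanew, opt, checksum_off, certdir_off


def build_synthetic_pe() -> bytes:
    """Constructed minimal PE32+: DOS header, headers, one .text section, cert table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)    # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)  # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)  # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x2000, FILE_ALIGN)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 1, 0)   # Subsystem NATIVE, i.e. a driver
    struct.pack_into("<I", opt, 108, 16)     # NumberOfRvaAndSizes
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, FILE_ALIGN,
                          FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + opt + section).ljust(FILE_ALIGN, b"\0")
    body = bytes(range(256)) * 2             # 512 bytes of stand-in code
    pkcs7 = b"\x30\x16" + b"\xA5" * 22       # placeholder for the PKCS#7 SignedData
    # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
    cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7
    pe = bytearray(headers + body)
    _, _, _, certdir_off = _layout(pe)
    struct.pack_into("<II", pe, certdir_off, len(pe), len(cert))  # cert table at EOF
    return bytes(pe + cert)


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash the image the way Authenticode does: headers up to SizeOfHeaders minus
    CheckSum and the certificate directory entry, then sections in PointerToRawData
    order, then trailing bytes minus the attribute certificate table."""
    e_lfanew, opt, checksum_off, certdir_off = _layout(pe)
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    cert_off, cert_size = struct.unpack_from("<II", pe, certdir_off)
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:certdir_off])
    h.update(pe[certdir_off + 8:size_of_headers])
    hashed = size_of_headers
    sect_tbl = opt + opt_size
    sections = sorted(struct.unpack_from("<II", pe, sect_tbl + i * 40 + 16)[::-1]
                      for i in range(nsections))   # (PointerToRawData, SizeOfRawData)
    for raw_ptr, raw_size in sections:
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    if cert_size:
        h.update(pe[hashed:cert_off])
        h.update(pe[cert_off + cert_size:])
    else:
        h.update(pe[hashed:])
    return h.hexdigest()


def variant_checksum(pe: bytes, value: int) -> bytes:
    """Variant 1: rewrite the optional-header CheckSum, which is never signed."""
    out = bytearray(pe)
    _, _, checksum_off, _ = _layout(out)
    struct.pack_into("<I", out, checksum_off, value & 0xFFFFFFFF)
    return bytes(out)


def variant_cert_padding(pe: bytes, padding: bytes) -> bytes:
    """Variant 2: append bytes inside WIN_CERTIFICATE after the PKCS#7 blob and grow
    the length fields. The whole table is outside the signed hash, and trailing
    bytes after the DER are ignored unless EnableCertPaddingCheck (CVE-2013-3900)
    is enforced."""
    if len(padding) % 8:
        raise ValueError("WIN_CERTIFICATE length must stay 8-byte aligned")
    out = bytearray(pe)
    _, _, _, certdir_off = _layout(out)
    cert_off, cert_size = struct.unpack_from("<II", out, certdir_off)
    if cert_off + cert_size != len(out):
        raise ValueError("demo assumes the certificate table is last in the file")
    out += padding
    struct.pack_into("<I", out, cert_off, cert_size + len(padding))   # dwLength
    struct.pack_into("<II", out, certdir_off, cert_off, cert_size + len(padding))
    return bytes(out)


def file_sha256(pe: bytes) -> str:
    return hashlib.sha256(pe).hexdigest()


def blocklist_outcome(base: bytes, variants: list) -> dict:
    """A rule keyed on the file hash of the one known sample versus a rule keyed
    on its Authenticode hash, applied to the attacker's variants."""
    return {
        "file_hash_rule_blocks": sum(file_sha256(v) == file_sha256(base) for v in variants),
        "authenticode_rule_blocks": sum(authenticode_hash(v) == authenticode_hash(base)
                                        for v in variants),
        "distinct_file_hashes": len({file_sha256(v) for v in variants}),
    }


def demo() -> dict:
    base = build_synthetic_pe()
    variants = [variant_checksum(base, seed) for seed in range(1, 4)]
    variants += [variant_cert_padding(base, bytes([seed]) * 16) for seed in range(3)]
    return blocklist_outcome(base, variants)


if __name__ == "__main__":
    print(demo())
```

Running it shows six variants with six distinct file hashes, none caught by the file-hash rule and all six caught by the Authenticode-hash rule. The practical consequence for defenders is that a block rule for an abused signed driver should key on the Authenticode hash, or on the signer plus file name and version range, never on the SHA-256 of the one sample that happened to be submitted.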

This level of sophistication shows that the attackers have a keen understanding of detection evasion, which let them bypass security protections and persist on infected systems for extended periods.

Attack Infrastructure

The attackers operated their infrastructure in the China region of a public cloud provider, a choice likely intended to give them more control and stability as well as some insulation from law enforcement and cyber security agencies. Roughly 75% of the compromised machines belonged to China-based organizations, with the remaining victims located elsewhere in Asia, including Singapore and Taiwan.

The initial-stage samples, which serve as downloaders, disguise themselves as familiar applications and are distributed through phishing, such as deceptive websites and phishing channels in popular messaging apps. One such website lured visitors with "best buy" deals on luxury goods, as illustrated below.

Additionally, based on similarities between the initial-stage samples and previously attributed campaigns, together with historical targeting patterns, we assess with medium-to-high confidence that this campaign is linked to Silver Fox.

Check Point Research reported the issue to the Microsoft Security Response Center. On December 17, 2024, Microsoft added the legacy 2.0.2 version of Truesight.sys to the Microsoft Vulnerable Driver Blocklist, so every variant of the driver abused in this campaign is now prevented from loading on Windows systems where the blocklist is enforced, offering crucial protection to the users at risk.

Broader Implications and Recommendations

Moving beyond signature-based detection is increasingly critical for stopping hard-to-detect threats. Behavioral analysis, heuristic scanning, and driver integrity checking can surface suspicious driver activity even when a blocklist does not flag the driver itself, and detecting abuse of known vulnerable drivers remains essential for mitigating known threats. Two practical points follow from this campaign: block rules for abused signed drivers should key on the signer and the file name and version range, or on the Authenticode hash, rather than on individual file hashes, since the latter are trivially changed; and the Microsoft Vulnerable Driver Blocklist only protects hosts on which it is actually enforced (for example through memory integrity/HVCI or an application control policy that includes it), so an update to the list is not the same as coverage on every endpoint. A prevention-first security approach stops threats of this nature by detecting and deterring them before they can threaten your environment.

Proactively hunting for exploitation of drivers that have not yet been recognized as vulnerable can produce essential breakthroughs, often bringing to light covert activity that has gone unnoticed for months or even years. This publication illustrates how research-based, forward-looking detection rules can uncover concealed threats designed to avoid detection for prolonged periods.

Check Point Threat Emulation and Harmony Endpoint deliver extensive protection by encompassing a wide array of attack tactics, various file types, and multiple operating systems. Our advanced technology is designed to identify and neutralize sophisticated threats and attacks, ensuring robust security for organizations. By analyzing files before they are executed, these solutions safeguard against the evolving landscape of cyber threats outlined in this report, providing comprehensive defense and peace of mind for users and their critical data.

For a comprehensive report on the exploitation of the legacy driver Truesight.sys, read Check Point Research's report here.
