Edward Kiledjian's Threat Intel

Silver Fox APT Abuses Windows Driver in Active Campaign www.databreachtoday.com/silver-fo…

A Chinese nation-state cyber group is exploiting a Microsoft-signed driver to shut down Windows security protections.

Researchers at Check Point said the threat actor tracked as Silver Fox is abusing amsdk.sys, a WatchDog anti-malware driver, to terminate protected processes on Windows 10 and 11. The driver, version 1.0.600, is not on Microsoft's official Vulnerable Driver Blocklist and was not catalogued by community trackers such as LOLDrivers, a volunteer effort to catalogue vulnerable and known-malicious Windows drivers. That blind spot allowed the group to exploit it without raising alerts.

The attackers deployed the driver through a custom loader that also contained a vulnerable driver for Zemana antivirus software and a ValleyRAT downloader. Researchers said the loader runs checks for virtual machines and sandboxes before execution. If those checks pass, the loader installs the WatchDog driver and disables Windows protections such as Protected Process Light (PPL).
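The blind spot above is that a blocklist only stops drivers someone has already catalogued. As an added defender-side illustration (not code from the article or from Check Point), the following Python triages constructed Sysmon Event ID 6 "Driver loaded" records against a local allowlist of approved driver hashes, so a validly signed but unknown driver such as amsdk.sys still surfaces; the hashes and event values are placeholders, and the Zemana driver's file name is not given in the article, so it is not listed.

```python
# Added example (not from the article): triage Sysmon Event ID 6 driver-load
# records against a local allowlist, so a signed driver absent from Microsoft's
# blocklist still surfaces when it is unknown to the organisation.
from dataclasses import dataclass

# Driver file names the article associates with this campaign.
WATCHLIST_NAMES = {"amsdk.sys"}


@dataclass
class Finding:
    image: str
    sha256: str
    reason: str
    severity: str


def parse_hashes(field: str) -> dict:
    """Split Sysmon's 'SHA1=...,MD5=...,SHA256=...' field into a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def triage_driver_loads(events, allowlist_sha256):
    """Return one Finding per driver load that deserves analyst attention.
    events: dicts with Sysmon Event 6 fields ImageLoaded, Hashes, Signature.
    allowlist_sha256: SHA-256 hashes of drivers the organisation approved."""
    allow = {h.lower() for h in allowlist_sha256}
    findings = []
    for ev in events:
        image = ev["ImageLoaded"]
        name = image.rsplit("\\", 1)[-1].lower()
        sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256", "")
        if name in WATCHLIST_NAMES:
            findings.append(Finding(image, sha256, "driver name on campaign watchlist", "high"))
        elif sha256 not in allow:
            # A valid signature alone is not a reason to trust a driver (BYOVD).
            signer = ev.get("Signature", "unknown")
            findings.append(Finding(image, sha256, f"driver not on allowlist (signer: {signer})", "medium"))
    return findings


# Constructed sample events; hashes and paths are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Hashes": "SHA256=" + "11" * 32,
     "Signature": "Microsoft Windows"},
    {"ImageLoaded": r"C:\Users\Public\amsdk.sys", "Hashes": "SHA256=" + "22" * 32,
     "Signature": "Microsoft Windows Hardware Compatibility Publisher"},
    {"ImageLoaded": r"C:\Users\Public\unknown.sys", "Hashes": "SHA256=" + "33" * 32,
     "Signature": "Some Vendor"},
]
SAMPLE_ALLOWLIST = {"11" * 32}

if __name__ == "__main__":
    for f in triage_driver_loads(SAMPLE_EVENTS, SAMPLE_ALLOWLIST):
        print(f.severity, f.image, f.reason)
```

The allowlist approach is deliberately noisier than a blocklist; in practice the approved-hash set is seeded from a known-good baseline of the fleet's driver inventory.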