News from our Cybersecurity Expert Center

Contact us at infocyber@minsait.com

We bring you the latest cybersecurity news and alerts.

Vulnerabilities

Cybercriminals Actively Exploit Critical Sudo Vulnerability to Gain Root Access (CVE-2025-324639)
thehackernews.com

Critical DLL Hijacking Flaw Discovered in Notepad++ Code Editor (CVE-2025-56383)
unaaldia.hispasec.com

Malware

Phishing Campaign Targeting the U.S. Uses AI-Generated SVG Files to Evade Email Security
thehackernews.com

New Malware ‘Raven Stealer’ Targets Chromium-Based Browsers to Steal Credentials and Data
digitalinside.es

Cybersecurity

Moldova Government Websites Hit by 14 Million DDoS Attempts on Election Day
bitlifemedia.com

Japan’s Largest Brewer Asahi Group Hit by Cyberattack Disrupting Production
bleepingcomputer.com

Latest threats detected

Silver Fox Exploits Microsoft-Signed Driver to Distribute ValleyRAT

30/09/2025

Executive Summary

Silver Fox exploits a vulnerable Microsoft-signed driver to disable antivirus software and deploy the ValleyRAT backdoor.

Data

Type: Malware
TLP: White

Objectives

Targets: Zemana and WatchDog drivers
Affected assets: Multiple
Attack vector: Multiple

ValleyRAT, malware, Microsoft, SilverFox

Description

Silver Fox is running a campaign that uses the Bring Your Own Vulnerable Driver (BYOVD) technique—leveraging legitimate but vulnerable drivers to bypass security protections—by abusing a Microsoft-signed driver, amsdk.sys (version 1.0.600), to distribute the ValleyRAT trojan. Because the driver is legitimate, Microsoft’s driver blocklist does not flag it; consequently, this module could be loaded without being intercepted by security solutions, enabling the disabling of antivirus and other system defenses.

Technical Details

The threat actors use legitimate but vulnerable drivers that contain multiple flaws: arbitrary process termination without checking whether the target process runs as a protected process (PP/PPL), and a local privilege escalation issue that gives a local user unrestricted access to the driver’s device.

The attack relies on the coordination of Zemana Anti-Malware SDK drivers (zam.exe) for Windows 7 and WatchDog Anti-Malware on Windows 10 and 11, which provide remote access and control to the attacker, together with amsdk.sys (based on the Zemana SDK) used to install ValleyRAT (also known as Winos 4.0). Once installed, the malware performs checks for virtualized environments, sandbox execution, hypervisor presence, and other detection tests; if any of these checks fail, execution is aborted and a fake system error message is shown. The dropper is designed to communicate with a command-and-control (C2) server and deploy a modular ValleyRAT backdoor.

After these attacks, WatchDog released a security patch to address the LPE risk by applying a Discretionary Access Control List (DACL), but it did not fix the issue of arbitrary process termination without verification. This allowed attackers to adapt by incorporating a modified version that changes a single byte without invalidating Microsoft’s signature, effectively evading hash-based blocklists.
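As an added illustration of the last paragraph (example code written for this page, not from the report or from any vendor): a hash-only driver blocklist compared with a name-based rule, run over constructed Sysmon-style driver-load events. The driver bytes, the event lines and the signer string are constructed stand-ins; only the file name amsdk.sys and version 1.0.600 come from the report.

```python
import hashlib
import re

# Constructed stand-in bytes for the driver image (not the real amsdk.sys)
ORIGINAL_DRIVER = b"MZ" + b"\x00" * 62 + b"amsdk.sys 1.0.600 constructed stand-in"
# Variant with a single byte changed, as the report describes (signature assumed to survive)
PATCHED_DRIVER = ORIGINAL_DRIVER[:-1] + bytes([ORIGINAL_DRIVER[-1] ^ 0x01])

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest().upper()

# Hash-only blocklist: knows just the unmodified build
HASH_BLOCKLIST = {sha256_hex(ORIGINAL_DRIVER)}

# Name-based rule: the driver named in the report, independent of file hash
ABUSED_DRIVER_NAMES = {"amsdk.sys"}

def parse_driver_event(line: str) -> dict:
    """Parse a 'Key: value|Key: value' line modelled on Sysmon Event ID 6 fields."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", fields.get("Hashes", ""))
    fields["sha256"] = m.group(1).upper() if m else ""
    fields["basename"] = fields.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
    return fields

def classify(line: str) -> dict:
    """Evaluate one driver-load event against both the hash list and the name rule."""
    ev = parse_driver_event(line)
    return {
        "image": ev["basename"],
        "hash_hit": ev["sha256"] in HASH_BLOCKLIST,
        "name_hit": ev["basename"] in ABUSED_DRIVER_NAMES,
    }

# Constructed sample events (Sysmon-style field names; signer string is assumed)
SAMPLE_EVENTS = [
    f"ImageLoaded: C:\\Windows\\System32\\drivers\\amsdk.sys|Hashes: SHA256={sha256_hex(ORIGINAL_DRIVER)}|Signed: true|Signature: Microsoft Windows Hardware Compatibility Publisher",
    f"ImageLoaded: C:\\Users\\Public\\amsdk.sys|Hashes: SHA256={sha256_hex(PATCHED_DRIVER)}|Signed: true|Signature: Microsoft Windows Hardware Compatibility Publisher",
    f"ImageLoaded: C:\\Windows\\System32\\drivers\\constructed_benign.sys|Hashes: SHA256={'0' * 64}|Signed: true|Signature: Microsoft Windows",
]

def run_sample() -> list:
    """Return the classification of every sample event, in order."""
    return [classify(line) for line in SAMPLE_EVENTS]
```

The second event (the one-byte variant) is missed by the hash list but still caught by the name rule, which is why a detection should not rely on file hashes alone for BYOVD drivers.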

 

Recommendations

Protection

  • Use analysis tools (Antivirus, EDR, etc.) that can detect suspicious behavior.
  • Maintain an up-to-date inventory of all assets.
  • Keep systems updated with the latest security patches, both for the operating system and all installed software.
  • Do not download illegal or unauthorized software, as it may contain malware.
  • Restrict the use of P2P networks.
  • Avoid using the “Administrator” account for general system or software use.
  • Be cautious when browsing the Internet and avoid downloading files from suspicious sources or those offering fake security solutions.
  • Use JavaScript blockers in browsers to prevent the execution of scripts that could harm your system.
  • Show file extensions for known file types to identify possible executable files masquerading as other file types.
  • Apply patches provided by the software vendor.

Detection

  • Have an EDR with proactive detection capabilities and keep it always up to date.

Mitigation

  • Isolate compromised machines to prevent the malware from spreading across the network.
  • The vendor has not provided any mitigation measures for these vulnerabilities.

 

References

https://thehackernews.com/2025/09/silver-fox-exploits-microsoft-signed.html

We promote the transformation of business and society through innovative solutions and services, putting people at the center.

minsait.com

Indra is one of the leading global technology and consulting companies: the technology partner for key operations of client businesses worldwide.

indracompany.com