Silver Fox Leverages Microsoft-Signed WatchDog Driver to Distribute ValleyRAT Malware
The threat actor known as Silver Fox has exploited a previously unknown vulnerable driver associated with WatchDog Anti-malware in a Bring Your Own Vulnerable Driver (BYOVD) attack whose aim is to disable security solutions on compromised hosts. The vulnerable driver, “amsdk.sys” (version 1.0.600), is a 64-bit, validly signed Windows kernel device driver built on the Zemana Anti-Malware SDK. According to Check Point’s analysis, the driver was Microsoft-signed, was not listed in the Microsoft Vulnerable Driver Blocklist, and had gone undetected by community projects such as LOLDrivers. The attack employs a dual-driver strategy: a known vulnerable Zemana driver (“zam.exe”) is used on Windows 7 machines, while the undetected WatchDog driver is used on Windows 10 and 11 systems. The WatchDog Anti-malware driver contains multiple vulnerabilities, including the ability to terminate arbitrary processes without first checking whether the target is a protected process, and a weakness that allows local privilege escalation.
The primary objective of this campaign, first identified by Check Point in late May 2025, is to leverage these vulnerable drivers to neutralise endpoint protection products. This creates a clear pathway for malware deployment and persistence without triggering signature-based defences. The campaign is designed to deliver ValleyRAT (also known as Winos 4.0) as the final payload, providing remote access and control capabilities to the threat actor. The attacks utilise an all-in-one loader that encapsulates anti-analysis features, two embedded drivers, antivirus killer logic, and the ValleyRAT DLL downloader in a single binary. Upon execution, the sample conducts various anti-analysis checks, such as detecting virtual environments and sandboxes. If any checks fail, execution is aborted, and a fake system error message is displayed. Following responsible disclosure, WatchDog released a patch (version 1.1.100) to address the local privilege escalation risk. However, this patch did not resolve the arbitrary process termination issue, prompting attackers to adapt by altering a single byte in the driver. This modification preserved the driver’s valid Microsoft signature while generating a new file hash, effectively bypassing hash-based blocklists.
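The single-byte modification described above works because an Authenticode signature does not cover the whole file: the PE CheckSum field, the Security data-directory entry and the Attribute Certificate Table itself are excluded from the signed hash, so a byte changed in one of those regions alters the file's SHA-256 without invalidating the signature. A blocklist keyed on the Authenticode hash ("authentihash") rather than the whole-file hash is therefore not bypassed by such an edit. The following added example (not code from the article, Check Point or WatchDog) implements the Authenticode hashing rules from the PE signature specification over a constructed, minimal PE32+ image that stands in for a driver, and compares whole-file and authentihash blocklist matching for three one-byte edits. Which byte the real sample altered is not stated in the article; the regions patched here are assumptions chosen to illustrate the spec's exclusions. The `.text` bytes and the certificate blob are constructed filler, not real code or a real certificate.

```python
"""Whole-file hash vs. Authenticode hash on a constructed PE32+ image."""
import hashlib
import struct

FILE_ALIGN = 512


def build_sample_image(checksum: int = 0, cert_size: int = 64) -> bytes:
    """Build a minimal constructed PE32+ image (not a real driver).

    Layout: 64-byte DOS header, PE signature, COFF header, 240-byte PE32+
    optional header, one section header, a 512-byte section body and a
    trailing blob that stands in for the Attribute Certificate Table.
    """
    e_lfanew = 64
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    size_of_headers = FILE_ALIGN
    section_off, section_size = size_of_headers, FILE_ALIGN
    cert_off = section_off + section_size if cert_size else 0
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                   # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)              # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)      # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x2000, size_of_headers)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                 # CheckSum: not signed
    struct.pack_into("<H", opt, 68, 1)                        # Subsystem: NATIVE
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, cert_size)  # Security dir entry
    sect = (b".text\x00\x00\x00"
            + struct.pack("<IIII", section_size, 0x1000, section_size, section_off)
            + struct.pack("<IIHHI", 0, 0, 0, 0, 0x60000020))
    headers = dos + b"PE\x00\x00" + coff + bytes(opt) + sect
    headers += b"\x00" * (size_of_headers - len(headers))
    body = bytes((i * 7 + 3) & 0xFF for i in range(section_size))  # constructed filler
    return headers + body + b"\xAA" * cert_size                   # constructed cert blob


def file_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def authentihash(data: bytes, algo: str = "sha256") -> str:
    """Authenticode hash per the PE signature spec: hash the headers minus the
    CheckSum field and the Security directory entry, then each section in
    PointerToRawData order, then any overlay outside the certificate table."""
    h = hashlib.new(algo)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 directory offset
    checksum_off, secdir_off = opt + 64, dirs + 4 * 8
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    _cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)

    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:secdir_off])
    h.update(data[secdir_off + 8:size_of_headers])
    hashed = size_of_headers

    table = opt + size_opt
    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    overlay_end = len(data) - cert_size           # cert table sits at the end
    if overlay_end > hashed:
        h.update(data[hashed:overlay_end])
    return h.hexdigest()


def patch_byte(data: bytes, offset: int) -> bytes:
    """Return a copy of data with one byte inverted at offset."""
    out = bytearray(data)
    out[offset] ^= 0xFF
    return bytes(out)


def blocklist_verdict(data: bytes, blocked_file: set, blocked_auth: set) -> dict:
    return {"by_file_hash": file_sha256(data) in blocked_file,
            "by_authentihash": authentihash(data) in blocked_auth}


def demo() -> dict:
    """Block the original image, then test three one-byte variants."""
    original = build_sample_image()
    blocked_file, blocked_auth = {file_sha256(original)}, {authentihash(original)}
    opt = 64 + 24
    variants = {
        "checksum_field": patch_byte(original, opt + 64),     # excluded from signature
        "cert_table": patch_byte(original, len(original) - 1),  # excluded from signature
        "code_section": patch_byte(original, 512 + 100),     # signed: would break signature
    }
    return {name: blocklist_verdict(v, blocked_file, blocked_auth)
            for name, v in variants.items()}
```

Running `demo()` shows that the CheckSum and certificate-table edits evade the whole-file hash match but are still caught by the authentihash rule, while the code-section edit evades both (and would also invalidate the signature, which is why an attacker would not choose it). WDAC hash rules, which the Microsoft Vulnerable Driver Blocklist is expressed in, match on the Authenticode hash, so pairing file-hash IoCs with authentihash rules (or with publisher/file-attribute rules) is the more robust way to block a re-hashed driver.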
Categories: Cybersecurity Threats, Vulnerable Drivers, Malware Deployment Strategies
Tags: Silver Fox, Vulnerable Driver, WatchDog Anti-malware, BYOVD Attack, amsdk.sys, Zemana Anti-Malware, Local Privilege Escalation, ValleyRAT, Command-and-Control, Discretionary Access Control List