Chasing the Silver Fox: Cat & Mouse in Kernel Shadows
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
Check Point Research uncovered an ongoing campaign by the Silver Fox APT group exploiting a previously unknown vulnerable driver to evade endpoint protection. The attackers used a Microsoft-signed WatchDog Antimalware driver to terminate protected processes on fully updated Windows systems. A dual-driver strategy ensured compatibility across Windows versions. Following disclosure, the vendor released a patched driver, but attackers quickly adapted by modifying it to bypass blocklists while preserving its valid signature. The campaign delivered ValleyRAT as the final payload, demonstrating sophisticated evasion techniques and highlighting the growing trend of weaponizing signed-but-vulnerable drivers to bypass security measures.
OPENCTI LABELS :
byovd,valleyrat,edr evasion,process termination,vulnerable driver,kernel exploitation,driver abuse,signature manipulation
AI COMMENTARY :
1. Introduction: Chasing the Silver Fox: Cat & Mouse in Kernel Shadows unravels the ongoing tussle between security defenders and the Silver Fox APT group. Check Point Research has illuminated a sophisticated campaign that weaponizes a previously unknown vulnerable driver, slipping past even fully updated Windows defenses. This report sheds light on BYOVD (bring your own vulnerable driver) and how adversaries leverage EDR evasion, process termination, and kernel exploitation to undermine endpoint protection.
2. The Emergence of the Silver Fox APT: Silver Fox has leveraged stealth and signed driver abuse across multiple campaigns. The attackers demonstrated an uncanny ability to manipulate signature trust by exploiting a Microsoft-signed WatchDog Antimalware driver. This driver, originally intended to protect systems, became the very tool used to terminate protected processes and evade detection from leading endpoint agents.
3. Exploiting the WatchDog Antimalware Driver: Central to this campaign is the misuse of a vulnerable driver that operates at the kernel level. By employing BYOVD tactics, Silver Fox managed to load the WatchDog component on fully patched Windows systems. Once loaded, WatchDog could issue commands to kill guarded processes, dismantling security measures without raising alarms. This process termination technique epitomizes advanced driver abuse and signature manipulation in real-world attacks.
4. The Dual-Driver Strategy: To maintain broad compatibility across Windows versions, Silver Fox adopted a dual-driver approach. One driver targeted legacy systems, while the other addressed modern Windows 10 and Server releases. This strategy ensured the campaign’s reach extended to environments with varied patch levels, maximizing the potential for successful kernel exploitation. It also highlights how attackers can tailor BYOVD methods to different operating system versions.
5. Rapid Attacker Adaptation: Following coordinated disclosure efforts, the vulnerable driver’s vendor released a patch to thwart malicious use. Silver Fox rapidly adapted by reverse-engineering the update, modifying the patched driver to bypass known blocklists while retaining its valid signature. The group’s ability to reweaponize a vendor’s fix underscores the challenges of signature-based defenses and the persistent threat of signed-but-vulnerable drivers.
6. ValleyRAT Deployment: The campaign’s ultimate payload was ValleyRAT, a modular remote access Trojan designed for prolonged surveillance and data exfiltration. After achieving EDR evasion through kernel exploitation, Silver Fox operators deployed ValleyRAT to establish persistent footholds. The malware’s flexible architecture allowed attackers to execute commands, download additional tools, and exfiltrate sensitive information, revealing a polished delivery chain from initial driver abuse to full-blown espionage operations.
7. Implications for Future Security: Chasing the Silver Fox spotlights the growing trend of weaponizing signed drivers for malicious ends. Security teams must bolster their defenses against BYOVD and signature manipulation by incorporating behavioral monitoring, driver vetting, and memory-forensics techniques. Collaboration between vendors, researchers, and defenders is vital to identify vulnerable drivers before adversaries can exploit them. As the cat-and-mouse game in kernel shadows evolves, organizations must stay vigilant to counter these advanced process termination and EDR evasion tactics.
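Sections 5 and 7 both turn on the difference between a blocklist keyed on a plain file hash and the hash that an Authenticode signature actually covers: a signed PE can be altered in bytes the signature does not authenticate (such as the appended certificate table) without invalidating the signature, which is why driver vetting should key on the Authenticode hash or the signer rather than the file hash. The example below is added here and is not code from the Check Point report or the OpenCTI page; it builds a constructed minimal PE32+ image with a stand-in signature blob (the page does not state what modification Silver Fox made) and compares the file SHA-256 with a simplified Authenticode hash for an edit inside the certificate table versus an edit to section bytes.

```python
import hashlib
import struct

def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Simplified PE Authenticode hash: headers minus CheckSum and the Certificate Table
    directory entry, then section data, then trailing data minus the certificate table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec, opt_size = struct.unpack_from("<H", pe, e_lfanew + 6)[0], struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # optional header start
    dir_base = 96 if struct.unpack_from("<H", pe, opt)[0] == 0x10B else 112   # PE32 / PE32+
    checksum_off, certdir_off = opt + 64, opt + dir_base + 4 * 8           # data directory 4
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    cert_off, cert_size = struct.unpack_from("<II", pe, certdir_off)
    h = hashlib.new(algo)
    h.update(pe[:checksum_off] + pe[checksum_off + 4:certdir_off] + pe[certdir_off + 8:size_of_headers])
    secs = sorted(struct.unpack_from("<II", pe, opt + opt_size + i * 40 + 16)[::-1] for i in range(nsec))
    hashed = size_of_headers
    for raw_ptr, raw_size in secs:                        # (PointerToRawData, SizeOfRawData) ascending
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    h.update(pe[hashed:cert_off] + pe[cert_off + cert_size:] if cert_size else pe[hashed:])
    return h.hexdigest()

def build_sample_pe(code: bytes, cert_blob: bytes) -> bytes:
    """Constructed minimal PE32+: one .text section, then an appended certificate table (stand-in)."""
    hdr_size, cert_off = 0x200, 0x200 + len(code)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                    # PE32+ magic
    struct.pack_into("<I", opt, 60, hdr_size)                                # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(cert_blob))      # certificate table entry
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(code), 0x1000, len(code), hdr_size, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + bytes(opt) + sec).ljust(hdr_size, b"\0") + code + cert_blob

CODE = b"\xcc" * 64                                                          # constructed stand-in for driver code
SIGNED = build_sample_pe(CODE, b"\x30\x82" + bytes(30))                      # constructed signature blob
TAMPERED_CERT = build_sample_pe(CODE, b"\x30\x82" + b"A" * 30)               # only the unauthenticated blob changed
PATCHED_CODE = build_sample_pe(b"\x90" + CODE[1:], b"\x30\x82" + bytes(30))  # one section byte changed

def compare(a: bytes, b: bytes) -> dict:
    """Which blocklist key still matches between two images: file hash vs. Authenticode hash."""
    return {"file_hash": hashlib.sha256(a).hexdigest() == hashlib.sha256(b).hexdigest(),
            "authenticode_hash": authenticode_hash(a) == authenticode_hash(b)}

if __name__ == "__main__":
    print("cert blob edited:", compare(SIGNED, TAMPERED_CERT))   # file hash differs, signed hash same
    print("code byte edited:", compare(SIGNED, PATCHED_CODE))    # both differ, signature would fail
```

A file-hash blocklist misses the first variant while an Authenticode-hash or signer-based block (as used by driver blocklist policies) still catches it.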