Legacy Driver Exploitation Through Bypassing Certificate Verification

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

A new security threat using the Legacy Driver Exploitation technique has been identified; its goal is remote system control via the Gh0stRAT malware. The attack distributes the malware through phishing and messaging apps and uses DLL side-loading to deliver additional payloads. A modified TrueSight.sys driver bypasses Microsoft's driver blocking mechanism and is used to terminate security processes. The underlying vulnerability lies in TrueSight.sys versions 3.4.0 and below, which the AVKiller tool exploits. To evade the blocklist while still passing signature checks, the attacker manipulated the padding area of the WIN_CERTIFICATE structure, bypassing certificate validation. Microsoft responded by updating the Vulnerable Driver Blocklist. This technique is related to the CVE-2013-3900 vulnerability and highlights the importance of strengthening certificate validation.

OPENCTI LABELS:

gh0strat,dll side-loading,avkiller,padding manipulation,legacy driver exploitation,cve-2013-3900,certificate verification,driver vulnerability,truesight.sys
