ValleyRAT Malware Threat

Cyberattack Alert: Silver Fox APT Exploits Microsoft-Signed Driver For Malware

The420.in Staff

Check Point Research has uncovered a sophisticated campaign by the Silver Fox APT group leveraging a Microsoft-signed but vulnerable driver, WatchDog Antimalware (amsdk.sys v1.0.600), to disable Windows security features.

The flaw allows the attackers to install ValleyRAT malware on both Windows 10 and Windows 11 systems, circumventing standard protections. The WatchDog driver was not listed in Microsoft’s Vulnerable Driver Blocklist or in community projects such as LOLDrivers, so it provided a trusted vector for the malicious payload.


Multi-Stage Loader Targets Security Processes

Silver Fox paired the WatchDog driver with an older, risky Zemana driver to ensure compatibility across modern and legacy systems. Their self-contained loader package includes anti-analysis checks, embedded drivers, process termination logic, and a ValleyRAT downloader. Once deployed, the malware installs persistently and terminates nearly 200 processes, primarily targeting antivirus programs prevalent in Asia, making infected systems effectively defenseless.
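The behaviour described above, a loader that brings its own driver and then kills a long list of security processes, is visible in endpoint telemetry. The following detection sketch is an added example written for this page; it is not code from Check Point or The420.in. It assumes a simplified pipe-separated event format and a constructed sample list of protected process names; a real deployment would read driver-load and process-termination events from Sysmon or an EDR sensor and populate the protected list from the estate's own AV/EDR products.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Sample list of security-vendor processes (constructed; populate from your own environment).
PROTECTED = {"msmpeng.exe", "nissrv.exe", "360tray.exe", "qqpctray.exe"}

# Constructed telemetry in a simplified "timestamp|event|actor|target" form. In practice the
# DriverLoaded rows would come from Sysmon Event ID 6 and the terminations from an EDR sensor.
SAMPLE_EVENTS = r"""
2025-08-28T10:00:00|DriverLoaded|C:\Users\Public\setup.exe|C:\Users\Public\amsdk.sys
2025-08-28T10:00:02|ProcessTerminated|C:\Users\Public\setup.exe|MsMpEng.exe
2025-08-28T10:00:02|ProcessTerminated|C:\Users\Public\setup.exe|NisSrv.exe
2025-08-28T10:00:03|ProcessTerminated|C:\Users\Public\setup.exe|360Tray.exe
2025-08-28T10:00:04|ProcessTerminated|C:\Users\Public\setup.exe|QQPCTray.exe
2025-08-28T10:00:05|ProcessTerminated|C:\Users\Public\setup.exe|notepad.exe
2025-08-28T10:30:00|ProcessTerminated|C:\Windows\System32\Taskmgr.exe|MsMpEng.exe
"""


def parse_events(text):
    """Parse the pipe-separated sample format into (timestamp, kind, actor, target) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, actor, target = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), kind, actor, target))
    return events


def find_mass_termination(events, threshold=3, window=timedelta(seconds=60)):
    """Alert when one actor terminates at least `threshold` protected processes inside
    `window`, and attach any drivers that actor loaded, since the loader does both."""
    kills = defaultdict(list)
    drivers = defaultdict(list)
    for ts, kind, actor, target in events:
        if kind == "ProcessTerminated" and target.lower() in PROTECTED:
            kills[actor].append((ts, target))
        elif kind == "DriverLoaded":
            drivers[actor].append(target)
    alerts = []
    for actor, hits in kills.items():
        hits.sort()
        best = start = 0
        for end in range(len(hits)):          # sliding time window over this actor's kills
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({
                "actor": actor,
                "protected_terminations_in_window": best,
                "targets": sorted({t for _, t in hits}),
                "drivers_loaded_by_actor": drivers.get(actor, []),
            })
    return alerts


def run_sample():
    """Run the detector over the constructed sample; expect one alert for setup.exe."""
    return find_mass_termination(parse_events(SAMPLE_EVENTS))
```

The single Task Manager termination of MsMpEng.exe stays below the threshold, which keeps an administrator restarting Defender from firing the rule; the loader's burst of four protected-process kills within seconds, paired with a driver loaded from a user-writable directory, is the pattern worth paging on.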

Bypassing Microsoft’s Patch and Security Measures

Even after WatchDog released a patched version, attackers modified the driver by altering a single byte in the unauthenticated timestamp of its Authenticode signature. This small tweak changed the file hash, allowing the driver to bypass hash-based blocklists while retaining its valid Microsoft signature, so Windows continued to trust the driver.
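Why a one-byte change outside the signed region defeats a file-hash blocklist but not a signature check comes down to what each hash covers. Authenticode hashes the PE image with the CheckSum field, the Certificate Table directory entry and the certificate table itself excluded, so bytes inside the certificate table (including the timestamp countersignature) can change without touching the hash the signer vouched for. The following is an added example, not code from Check Point or The420.in: it implements the Authenticode hashing rules on a constructed minimal PE32+ with a placeholder certificate blob (no real signature), changes one byte in the unsigned region, and compares the flat file hash with the Authenticode hash. The defender's takeaway is that blocklist rules keyed on the Authenticode hash, signer or file version (as WDAC supports) remain stable where a flat file-hash rule does not.

```python
import hashlib
import struct

PE32PLUS_MAGIC = 0x20B


def _pe_layout(data):
    """Locate the fields Authenticode leaves out of its hash (PE/COFF spec offsets):
    CheckSum at optional-header +64, Certificate Table directory entry (index 4),
    plus SizeOfHeaders, the section extents and the certificate table itself."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = 112 if magic == PE32PLUS_MAGIC else 96    # start of the data directories
    checksum_off = opt + 64
    certdir_off = opt + dd_base + 4 * 8
    cert_off, cert_size = struct.unpack_from("<II", data, certdir_off)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + size_of_opt + i * 40 + 16)
        sections.append((raw_ptr, raw_size))
    return checksum_off, certdir_off, size_of_headers, sections, cert_off, cert_size


def authenticode_hash(data, algo="sha256"):
    """Hash the PE the way the signer did: skip CheckSum, the Certificate Table
    directory entry and the certificate table at the end of the file."""
    checksum_off, certdir_off, hdr_size, sections, _, cert_size = _pe_layout(data)
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:certdir_off])
    h.update(data[certdir_off + 8:hdr_size])
    hashed = hdr_size
    for ptr, size in sorted(sections):
        h.update(data[ptr:ptr + size])
        hashed += size
    trailing = len(data) - hashed - cert_size       # bytes after the sections, minus the cert table
    if trailing > 0:
        h.update(data[hashed:hashed + trailing])
    return h.hexdigest()


def file_hash(data, algo="sha256"):
    """Flat hash of every byte: what a file-hash blocklist keys on."""
    return hashlib.new(algo, data).hexdigest()


# Constructed stand-in for the PKCS#7 SignedData blob. The bytes after "unauth:" play the
# role of the unauthenticated attributes (timestamp countersignature), which the signature
# does not cover.
SAMPLE_CERT = b"PKCS7-PLACEHOLDER|signed-content|unauth:timestamp=20240101000000Z"


def build_sample_pe(cert_blob):
    """Constructed minimal PE32+ (not a real driver): 512 bytes of headers, one .text
    section, then a WIN_CERTIFICATE entry carrying cert_blob at end of file."""
    hdr_size = 0x200
    section = b"\xC3" + b"\x00" * 0x1FF                       # 'ret' plus padding
    cert_off = hdr_size + len(section)
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    win_cert += b"\x00" * (-len(win_cert) % 8)                # entries are 8-byte aligned
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 56, 0x3000)                   # SizeOfImage
    struct.pack_into("<I", opt, 60, hdr_size)                 # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(win_cert))  # security directory
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(section), 0x1000, len(section),
                      hdr_size, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    headers += b"\x00" * (hdr_size - len(headers))
    return headers + section + win_cert


def modify_byte_outside_signed_region(pe):
    """Copy of pe with one byte changed inside the certificate table only, the region
    the signer's hash never covered."""
    _, _, _, _, cert_off, cert_size = _pe_layout(pe)
    pos = pe.index(b"timestamp=", cert_off) + len(b"timestamp=")
    assert cert_off <= pos < cert_off + cert_size
    out = bytearray(pe)
    out[pos] ^= 0x01                                          # '2' becomes '3'
    return bytes(out)


def hash_stability_report():
    """Compare how the two hash kinds react to a change outside the signed region."""
    original = build_sample_pe(SAMPLE_CERT)
    modified = modify_byte_outside_signed_region(original)
    return {
        "file_sha256": (file_hash(original), file_hash(modified)),
        "authenticode_sha256": (authenticode_hash(original), authenticode_hash(modified)),
    }


def blocklist_decision(sample, blocklist):
    """Evaluate a sample against rules keyed on file hashes and/or Authenticode hashes."""
    if file_hash(sample) in blocklist.get("file_hashes", ()):
        return "blocked:file-hash"
    if authenticode_hash(sample) in blocklist.get("authenticode_hashes", ()):
        return "blocked:authenticode-hash"
    return "allowed"
```

Running `hash_stability_report()` shows the flat SHA-256 changing while the Authenticode SHA-256 stays identical; `blocklist_decision` then shows a file-hash rule built from the original sample missing the modified copy, whereas an Authenticode-hash rule still catches it. The same stability argument applies to signer- and version-based rules, which is why a blocklist for a known-bad signed driver should not rely on file hashes alone.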

Global Implications and Expert Warnings

ValleyRAT, also known as Winos, is a modular backdoor capable of spying and executing remote commands. Command-and-control servers were traced to China, highlighting Silver Fox’s operational infrastructure. Check Point’s analysis revealed multiple vulnerabilities in the driver, including arbitrary process termination, local privilege escalation, and raw disk access, stemming from insufficient access controls.

Experts warn this campaign underscores the dangers of trusting signed drivers blindly. Microsoft’s blocklist updates infrequently, creating exploitable windows that sophisticated attackers like Silver Fox can weaponize to compromise systems globally.
