A large-scale campaign is turning a trusted Windows security driver into a weapon that shuts down security tools before ransomware and remote access malware are dropped.
The attacks abuse truesight.sys, a kernel driver from Adlice Software's RogueKiller antivirus, and use more than 2,500 validly signed variants to quietly disable endpoint detection and response (EDR) and antivirus solutions across Windows systems.
The threat first gained wider attention when Check Point researchers uncovered how attackers were abusing legacy driver signing rules to load pre-2015 signed drivers on modern Windows 11 machines.
By doing so, they could run the vulnerable TrueSight driver with full kernel privileges, even though Microsoft's own security controls were meant to block risky drivers. The result is a reliable way to kill security tools before any payload is delivered.
Soon after this activity surfaced, MagicSword analysts noted that the driver abuse had already spread across multiple threat groups and regions, with fresh driver variants appearing week after week.
Their telemetry showed that financially motivated actors and advanced persistent threat (APT) groups were all adopting the same method to clear the way for ransomware and remote access trojans on compromised hosts.
At the center of this operation is the ability to terminate almost any security process on the system.
The vulnerable TrueSight 2.0.2 driver exposes an IOCTL command that accepts attacker-controlled input and can forcibly kill chosen processes, including protected EDR agents and antivirus engines.
Once the driver is loaded, the malware no longer has to fight user-mode tamper protections, because it operates directly in the Windows kernel with the same privileges as legitimate security software.
The impact is significant for defenders. With EDR agents shut down at the kernel level, telemetry stops, alerts never fire, and ransomware or remote access trojans can execute with almost no resistance.
Victims often only notice the attack when files are already encrypted or data has been quietly exfiltrated.
The sheer number of driver variants and the high evasion rate against traditional antivirus make this technique especially dangerous for enterprises that rely on hash-based or signature-only defenses.
Infection Chain: From Phishing to Full Control
The infection chain behind these attacks follows a staged approach that uses common delivery methods but couples them with advanced driver abuse.
Initial access often begins with phishing emails, fake download sites, or compromised Telegram channels that lure users into running a disguised installer.
This first-stage executable acts as a downloader and fetches additional components from attacker-controlled servers, usually hosted on cloud infrastructure.
In the second stage, the malware sets up persistence through scheduled tasks and DLL side-loading, ensuring it survives reboots and blends in with normal system activity.
It then deploys an EDR killer module that is heavily obfuscated with VMProtect to hinder reverse engineering.
MagicSword researchers identified that this module targets nearly 200 different security products, ranging from CrowdStrike and SentinelOne to Kaspersky, Symantec, and many others, making the campaign effective across diverse enterprise environments.
When ready, the module downloads the TrueSight driver if it is not already present, installs it as a Windows service (commonly named TCLService), and sends the crafted IOCTL request to terminate running security processes.
With defenses gone, the final payload, often a HiddenGh0st remote access trojan or a ransomware family, runs with almost no visibility.
From the initial phishing click to full system control, this sequence can complete in as little as 30 minutes, leaving a very small window for detection and response.
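The chain above gives defenders three observable steps to correlate: a service install or driver load of truesight.sys (or any driver whose signature predates the legacy cutoff), followed within a short window by terminations of security agent processes. The script below is an added detection example written for this article, not code from the researchers or vendors it names. It runs over constructed Windows-style events embedded inline; the process names EdrAgent.exe and AvEngine.exe are hypothetical stand-ins for real agents, the 2015 signing cutoff is an assumption drawn from the article's "pre-2015" wording, and the 30-minute correlation window mirrors the timing the article reports.

```python
"""Correlate Windows-style endpoint events to flag the TrueSight BYOVD kill chain.

All events below are constructed for this example; they are not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Indicators named in the article: the abused driver file and the service name
# the EDR-killer module commonly registers.
ABUSED_DRIVER = "truesight.sys"
KILLER_SERVICE = "tclservice"

# The article says attackers rely on legacy rules that still allow pre-2015
# signed drivers to load. Treating a newly loaded kernel driver whose signature
# predates 2015 as suspicious is an assumption made for this example.
LEGACY_SIGNING_CUTOFF_YEAR = 2015

# Hypothetical process names standing in for EDR/AV agents. A real deployment
# would list the processes of the products actually installed.
PROTECTED_PROCESSES = {"edragent.exe", "avengine.exe"}

# Constructed sample events mirroring the staged chain from the article on host
# ws01 (persistence, service install, driver load, process kills) plus benign
# noise on ws02 (a current signed driver and an unrelated process exit).
SAMPLE_EVENTS = [
    {"ts": "2025-01-15T09:00:00", "host": "ws01", "type": "ScheduledTaskCreated",
     "task": "UpdateCheck", "image": "C:\\Users\\u\\AppData\\Local\\upd.exe"},
    {"ts": "2025-01-15T09:04:00", "host": "ws01", "type": "ServiceInstalled",
     "service": "TCLService", "image": "C:\\Windows\\Temp\\truesight.sys"},
    {"ts": "2025-01-15T09:04:05", "host": "ws01", "type": "DriverLoaded",
     "image": "C:\\Windows\\Temp\\truesight.sys", "signed": True, "signing_year": 2014},
    {"ts": "2025-01-15T09:04:09", "host": "ws01", "type": "ProcessTerminated",
     "process": "EdrAgent.exe"},
    {"ts": "2025-01-15T09:04:10", "host": "ws01", "type": "ProcessTerminated",
     "process": "AvEngine.exe"},
    {"ts": "2025-01-15T09:10:00", "host": "ws02", "type": "DriverLoaded",
     "image": "C:\\Windows\\System32\\drivers\\example_nic.sys",
     "signed": True, "signing_year": 2023},
    {"ts": "2025-01-15T09:11:00", "host": "ws02", "type": "ProcessTerminated",
     "process": "notepad.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _driver_load_reasons(event):
    """Reasons a DriverLoaded event looks like the abused driver (empty if clean)."""
    reasons = []
    if event["type"] != "DriverLoaded":
        return reasons
    if ntpath.basename(event.get("image", "")).lower() == ABUSED_DRIVER:
        reasons.append("known abused driver file name")
    if event.get("signed") and event.get("signing_year", 9999) < LEGACY_SIGNING_CUTOFF_YEAR:
        reasons.append("signature predates the legacy cutoff")
    return reasons


def suspicious_driver_events(events):
    """Flag driver loads and service installs matching the article's indicators."""
    hits = []
    for e in events:
        reasons = _driver_load_reasons(e)
        if e["type"] == "ServiceInstalled":
            if e.get("service", "").lower() == KILLER_SERVICE:
                reasons.append("service name used by the EDR killer")
            if ntpath.basename(e.get("image", "")).lower() == ABUSED_DRIVER:
                reasons.append("service image is the abused driver")
        if reasons:
            hits.append({"host": e["host"], "ts": e["ts"], "type": e["type"],
                         "reasons": reasons})
    return hits


def edr_kill_alerts(events, window_minutes=30, min_kills=2):
    """One critical alert per host where a suspicious driver load is followed,
    within the window, by at least min_kills protected-process terminations."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for load in (e for e in evs if _driver_load_reasons(e)):
            start = _ts(load)
            end = start + timedelta(minutes=window_minutes)
            killed = [e["process"] for e in evs
                      if e["type"] == "ProcessTerminated"
                      and e["process"].lower() in PROTECTED_PROCESSES
                      and start <= _ts(e) <= end]
            if len(killed) >= min_kills:
                alerts.append({"host": host, "driver": load["image"],
                               "killed": killed, "severity": "critical"})
    return alerts


def run_detection(events=SAMPLE_EVENTS):
    return {"driver_hits": suspicious_driver_events(events),
            "kill_alerts": edr_kill_alerts(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_detection(), indent=2))
```

The two rules are deliberately independent: the driver indicators fire on a single event and catch the install stage, while the correlation rule fires only when a suspicious load is followed by agent terminations, which is the moment telemetry is about to stop. Because this campaign ships thousands of validly signed variants, matching on the file name and signing date, rather than on a hash, is what keeps the first rule useful.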
