
Silver Fox Exploits Signed Driver in BYOVD Attack to Deploy ValleyRAT
The cybercriminal group Silver Fox has exploited a vulnerable driver associated with WatchDog Anti-malware in a Bring Your Own Vulnerable Driver (BYOVD) attack. The driver, "amsdk.sys" (version 1.0.600), is a validly signed 64-bit Windows device driver. The attackers use it to disable security solutions on compromised hosts and then deploy the ValleyRAT malware. Abusing a signed driver is significant because its trusted status lets it pass many security checks that would block an unsigned one, potentially granting the attackers kernel-level access.

This incident underscores the need for rigorous driver integrity checks and robust endpoint security measures. Organizations should implement continuous monitoring and detection mechanisms so that such attacks are identified and responded to promptly. Adhering to the principle of least privilege and maintaining regular patch management can further limit the impact of such vulnerabilities. The use of BYOVD techniques highlights the evolving tactics cybercriminals adopt to evade detection and maintain persistence on compromised systems.
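The monitoring recommendation above can be made concrete with a small driver-load detector. The following is an added example written for this page, not code from the original report or from any vendor: it assumes Sysmon driver-load events (Event ID 6) are forwarded as key=value text, the sample log lines are constructed, and the vendor name in the signature field is a placeholder. The point it makes is the one the report makes: a valid signature is not evidence that a driver is safe, so the watch list is keyed on the driver name from the report rather than on signature status.

```python
"""Flag loads of known-abusable or suspicious kernel drivers in Sysmon Event ID 6 records.

Added example, not from the original report. Assumes Sysmon DriverLoad events
(Event ID 6) arrive as key=value text lines. Sample events are constructed;
the vendor string in the signature field is a placeholder, not a real IoC.
"""
import re
from dataclasses import dataclass

# Driver name taken from the report. Event ID 6 carries no file version, so the
# reported version (1.0.600) would have to be checked against file metadata separately.
WATCHED_DRIVERS = {"amsdk.sys"}

SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed sample Sysmon Event ID 6 lines (fields trimmed to those used here).
SAMPLE_EVENTS = [
    'EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys Signed=true Signature="Microsoft Windows" SignatureStatus=Valid',
    'EventID=6 ImageLoaded=C:\\Users\\Public\\amsdk.sys Signed=true Signature="PLACEHOLDER_VENDOR" SignatureStatus=Valid',
    'EventID=6 ImageLoaded=C:\\Windows\\Temp\\update.sys Signed=false Signature= SignatureStatus=Unavailable',
    'EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true',
]

# key=value pairs; values may be quoted (containing spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_event(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


@dataclass
class Finding:
    image: str
    reason: str
    severity: str


def evaluate(line):
    """Return a Finding for a suspicious driver load, or None for events we ignore."""
    ev = parse_event(line)
    if ev.get("EventID") != "6":          # only DriverLoad events matter here
        return None
    image = ev.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    signed = ev.get("Signed", "").lower() == "true"

    # Known-abusable driver: alert regardless of signature validity.
    if name in WATCHED_DRIVERS:
        return Finding(image, "known-abusable driver loaded; valid signature does not make it safe", "high")

    # Drivers outside the system driver directory deserve a look in any case.
    if not image.lower().startswith(SYSTEM_DRIVER_DIR):
        if not signed:
            return Finding(image, "unsigned driver loaded outside the system driver directory", "high")
        return Finding(image, "signed driver loaded from a non-standard path", "medium")
    return None


def scan(lines):
    """Evaluate every line and keep only the findings."""
    return [f for f in (evaluate(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.image}: {finding.reason}")
```

In a real deployment the watch list would be fed from a maintained list of abusable drivers (such as the Microsoft vulnerable driver blocklist) and keyed on file hashes rather than names, since an attacker can rename the file; the name-based check here mirrors the single driver the report identifies.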