Silver Fox Exploits Signed Drivers to Deploy ValleyRAT Backdoor

A newly detected cyber campaign is exploiting trusted but vulnerable Windows drivers to bypass security protections and install a remote access tool.

One of these drivers, although signed by Microsoft and not previously listed as vulnerable, was abused to terminate processes belonging to antivirus and EDR tools, clearing the way for the deployment of ValleyRAT – a modular backdoor capable of surveillance, command execution and data exfiltration.

One technique involved modifying a patched WatchDog driver (wamsdk.sys, version 1.1.100) by changing a single byte in its timestamp field. Because Microsoft’s digital signature does not cover this field, the driver signature remained valid yet appeared as a new file with a different hash.
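The defensive consequence is that a full-file hash is the wrong key for a driver blocklist: the Authenticode hash skips the certificate table appended to the PE (the PKCS#7 blob holding the signature and its timestamp data), so a file altered only in that uncovered region keeps its Authenticode hash while its SHA-256 changes. The script below is an added example, not code from the article or from the researchers behind it; it implements a simplified Authenticode hash (assuming the certificate table is the last thing in the file, the usual layout) and builds a constructed minimal PE rather than touching the real wamsdk.sys.

```python
import hashlib
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the attribute certificate table


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Simplified Authenticode hash of a PE image (assumes the certificate table,
    when present, ends the file). Skipped, exactly as the signature skips them:
    the CheckSum field, the certificate-table directory entry and the certificate
    table itself, i.e. the PKCS#7 blob with signature, countersignature, timestamp."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt_off = pe_off + 24                                  # past PE sig + COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (96 if magic == 0x10B else 112)     # PE32 vs PE32+ data dirs
    checksum_off = opt_off + 64
    cert_dd_off = dd_off + SECURITY_DIR * 8
    cert_off, cert_size = struct.unpack_from("<II", data, cert_dd_off)
    if cert_size and cert_off + cert_size > len(data):
        raise ValueError("certificate table lies outside the file")
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:cert_dd_off])
    h.update(data[cert_dd_off + 8:cert_off if cert_size else len(data)])
    if cert_size:
        h.update(data[cert_off + cert_size:])
    return h.hexdigest()


def build_fake_pe(cert_blob: bytes) -> bytes:
    """Constructed sample, not a real driver: minimal PE32+ with no sections,
    0x200 bytes of headers, a 0x100-byte body and cert_blob appended at 0x300."""
    body, cert_off = b"\x90" * 0x100, 0x300
    dos = bytearray(b"MZ").ljust(0x40, b"\0")
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0x5F000000, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+ magic
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)            # CheckSum (not hashed)
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + SECURITY_DIR * 8, cert_off, len(cert_blob))
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)).ljust(0x200, b"\0")
    return headers + body + cert_blob


def compare(a: bytes, b: bytes) -> dict:
    """Do two images share a file hash, and do they share an Authenticode hash?"""
    return {"same_file_hash": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
            "same_authenticode_hash": authenticode_hash(a) == authenticode_hash(b)}
```

Flipping a byte inside the certificate table changes the SHA-256 but not the Authenticode hash, while flipping a byte in the image body changes both; a blocklist keyed on the Authenticode hash therefore still catches the re-hashed variant.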

To read the complete article see: Silver Fox Deploys ValleyRAT

:-)

This post is licensed under CC BY 4.0 by the author.