Legacy Driver Exploitation Through Bypassing Certificate Verification
March 18, 2025, 3:28 p.m.
Description
A new security threat using the Legacy Driver Exploitation technique has been identified, focusing on remote system control via Gh0stRAT malware. The malware is distributed through phishing and messaging apps and uses DLL side-loading to load additional payloads. A modified TrueSight.sys driver bypasses Microsoft's driver blocking system and terminates security processes. The key vulnerability lies in TrueSight.sys versions 3.4.0 and below, which the AVKiller tool exploits. The attacker manipulated the padding area of the WIN_CERTIFICATE structure to bypass certificate validation. Microsoft responded by updating the Vulnerable Driver Blocklist. This technique is related to CVE-2013-3900, highlighting the importance of strengthening certificate validation.
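The padding-area trick the description refers to (the CVE-2013-3900 class of issue) works because a WIN_CERTIFICATE entry declares its own dwLength, and bytes between the end of the embedded PKCS#7 SignedData blob and the end of the entry are not covered by the Authenticode hash; a verifier that does not insist those bytes are zero will accept a file with arbitrary data appended there. The following checker is an added example written for this page, not code from the report or from any vendor tool. It assumes its input is the raw contents of a PE file's security data directory (the WIN_CERTIFICATE table), parses each entry's header and the outer DER SEQUENCE length of the PKCS#7 structure, and flags any non-zero bytes that follow it. The sample entries at the bottom are constructed: the "PKCS#7" is a 20-byte placeholder SEQUENCE rather than a real signature, since only its outer length matters for this check.

```python
import struct

# WIN_CERTIFICATE header constants from the PE/Authenticode specification
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_HEADER_SIZE = 8  # dwLength (4) + wRevision (2) + wCertificateType (2)


def der_element_length(buf: bytes):
    """Total encoded length (tag + length bytes + content) of the DER element
    at the start of buf, or None if it cannot be parsed. PKCS#7 SignedData
    always begins with a SEQUENCE tag (0x30)."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None                        # indefinite or implausibly large
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def inspect_security_directory(blob: bytes):
    """Walk every WIN_CERTIFICATE entry in a security-directory blob and
    report, per entry, whether the bytes after the PKCS#7 structure are
    non-zero. Legitimately signed files carry only zero padding there."""
    results = []
    off = 0
    while off + WIN_CERT_HEADER_SIZE <= len(blob):
        dw_length, w_revision, w_type = struct.unpack_from("<IHH", blob, off)
        entry = {"offset": off, "declared_len": dw_length,
                 "revision": w_revision, "type": w_type, "issues": []}
        if dw_length < WIN_CERT_HEADER_SIZE or off + dw_length > len(blob):
            entry["issues"].append("dwLength inconsistent with directory size")
            results.append(entry)
            break
        if w_revision != WIN_CERT_REVISION_2_0 or w_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            entry["issues"].append("unexpected revision/type")
        cert = blob[off + WIN_CERT_HEADER_SIZE: off + dw_length]
        der_len = der_element_length(cert)
        if der_len is None or der_len > len(cert):
            entry["issues"].append("PKCS#7 length unparseable or exceeds entry")
        else:
            entry["pkcs7_len"] = der_len
            # Everything from the DER end to the 8-byte-aligned end of the
            # entry is padding that is not hashed and must be all zeros.
            aligned_end = min((off + dw_length + 7) & ~7, len(blob))
            trailing = blob[off + WIN_CERT_HEADER_SIZE + der_len: aligned_end]
            entry["trailing_len"] = len(trailing)
            if any(trailing):
                entry["issues"].append("non-zero data after PKCS#7 (padding-area tampering)")
        results.append(entry)
        off = (off + dw_length + 7) & ~7   # entries are 8-byte aligned
    return results


def has_padding_tampering(blob: bytes) -> bool:
    """True if any entry carries non-zero data in its padding area."""
    return any("padding-area tampering" in issue
               for e in inspect_security_directory(blob) for issue in e["issues"])


def build_entry(pkcs7: bytes, extra: bytes = b"") -> bytes:
    """Constructed test data: one WIN_CERTIFICATE wrapping `pkcs7`, with
    `extra` bytes counted inside dwLength, then zero-padded to 8 bytes."""
    body = pkcs7 + extra
    dw_length = WIN_CERT_HEADER_SIZE + len(body)
    entry = struct.pack("<IHH", dw_length, WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    return entry + b"\x00" * (-len(entry) % 8)


# Constructed stand-in for a PKCS#7 SignedData blob: a 20-byte DER SEQUENCE.
FAKE_PKCS7 = b"\x30\x82\x00\x10" + b"\xAA" * 16
CLEAN_ENTRY = build_entry(FAKE_PKCS7)                       # zero padding only
TAMPERED_ENTRY = build_entry(FAKE_PKCS7, b"PAYLOAD-IN-PAD")  # data hidden in padding

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ENTRY), ("tampered", TAMPERED_ENTRY)):
        for e in inspect_security_directory(blob):
            print(name, e)
```

To run this against a real binary, extract the security directory (IMAGE_DIRECTORY_ENTRY_SECURITY, index 4; its offset is a raw file offset, not an RVA) with a PE parser and pass the bytes to inspect_security_directory. A non-zero padding finding on a file whose signature still verifies is exactly the condition the stricter Windows padding check (the EnableCertPaddingCheck setting Microsoft introduced with the CVE-2013-3900 fix) is meant to reject, and is a useful hunting signal for drivers that have been re-packed around a still-valid signature.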
Tags
Date
- Created: March 18, 2025, 1:33 p.m.
- Published: March 18, 2025, 1:33 p.m.
- Modified: March 18, 2025, 3:28 p.m.
Indicators
- c7d93ea1f42314ccfd60ecacdd7d006a1b6f0db13431bf0484ab1aef67aa2408
- 9a5c065d6e28c1e2d58765df1753e0dbbd0d8270ee2eb777dfd33d76bf200b57
- 8b07bcd21d3ba2fd82754f945d85357c23ae24bedad4f8720eeb1340527a28b6