Cybercriminals Exploit 2,500 Security Tools, Bypass Windows Protections to Deploy Ransomware Effortlessly

Cybercriminals Exploit 2,500+ Security Tools to Disable Protections and Deploy Ransomware

In a sophisticated and large-scale cyberattack campaign, malicious actors have repurposed over 2,500 legitimate security tools to disable endpoint protection mechanisms, paving the way for the deployment of ransomware and remote access malware. Central to this operation is the exploitation of ‘truesight.sys,’ a kernel driver from Adlice Software’s RogueKiller antivirus suite. By leveraging this driver, attackers can effectively terminate endpoint detection and response (EDR) systems and antivirus solutions across Windows platforms.

Exploitation of Legacy Driver Signing Rules

The campaign gained prominence when Check Point researchers uncovered that attackers were abusing a loophole in legacy driver-signing rules to load drivers signed before 2015 onto current Windows 11 systems. This allows the vulnerable TrueSight driver to run with full kernel privileges, circumventing the Microsoft protections designed to block such risky drivers. Consequently, attackers can disable security tools before deploying malicious payloads.

Rapid Adoption by Diverse Threat Actors

Following the initial discovery, analysts from MagicSword observed a swift proliferation of this technique among various threat groups worldwide. Both financially motivated cybercriminals and advanced persistent threat (APT) groups have adopted this method to facilitate the deployment of ransomware and remote access trojans on compromised systems.

Mechanism of Security Process Termination

At the heart of this attack is the ability to terminate nearly any security process on a targeted system. The TrueSight 2.0.2 driver exposes an Input/Output Control (IOCTL) command that accepts attacker-defined inputs, enabling the forcible termination of selected processes, including protected EDR agents and antivirus engines. Once the driver is loaded, the malware operates directly within the Windows kernel, bypassing user-mode tamper protections and achieving the same privilege level as legitimate security software.

Significant Implications for Cyber Defense

The ramifications for cybersecurity defenses are profound. With EDR agents disabled at the kernel level, telemetry data ceases, alerts are not triggered, and ransomware or remote access trojans can execute with minimal resistance. Victims often become aware of the attack only after files have been encrypted or sensitive data has been exfiltrated. The extensive variety of driver variants and their high evasion rate against traditional antivirus solutions render this technique particularly perilous for organizations relying solely on hash-based or signature-only defenses.

Detailed Infection Chain: From Initial Access to Full Compromise

The attack sequence follows a multi-stage approach that combines common delivery methods with advanced driver exploitation:

1. Initial Access: Attackers employ phishing emails, counterfeit download sites, or compromised Telegram channels to deceive users into executing a disguised installer.

2. Establishing Persistence: The initial executable acts as a downloader, retrieving additional components from attacker-controlled servers, often hosted on cloud infrastructure. The malware then sets up persistence through scheduled tasks and DLL side-loading, ensuring it survives system reboots and blends with normal system activities.

3. Deployment of EDR Killer Module: A heavily obfuscated EDR killer module, protected with VMProtect to hinder reverse engineering, is deployed. This module targets nearly 200 different security products, including those from CrowdStrike, SentinelOne, Kaspersky, and Symantec, making the campaign effective across diverse enterprise environments.

4. Driver Installation and Security Process Termination: The module downloads the TrueSight driver if it is not already present, installs it as a Windows service (commonly named TCLService), and sends crafted IOCTL requests to terminate running security processes.

5. Payload Execution: With defenses neutralized, the final payload—often a HiddenGh0st remote access trojan or a ransomware variant—executes with minimal visibility. The entire sequence, from initial phishing to full system control, can be completed in as little as 30 minutes, leaving a narrow window for detection and response.

Recommendations for Mitigation

To defend against such sophisticated attacks, organizations should consider implementing the following measures:

– Regularly Update Security Software: Keep all security tools and drivers up to date to close the vulnerabilities that attackers exploit.

– Implement Advanced Threat Detection: Utilize behavior-based detection systems that can identify anomalous activities indicative of such attacks.

– Enhance User Awareness: Conduct regular training sessions to educate employees about phishing tactics and the importance of verifying the authenticity of download sources.

– Restrict Driver Installation: Implement policies that prevent the installation of unsigned or outdated drivers, reducing the risk of driver exploitation.

– Monitor System Activities: Continuously monitor system logs and activities for signs of unauthorized driver installations or unexpected termination of security processes.
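As an added illustration of the monitoring recommendation above and of step 4 of the infection chain (not code from the article or from any vendor), the following Python detector flags the driver-install pattern in constructed Windows event records; everything other than the truesight.sys file name and the TCLService service name is an assumption for the example.

```python
import ntpath
# Indicators named in the article: the abused driver file and the service
# name the EDR killer module commonly registers it under.
KNOWN_BAD_DRIVERS = {"truesight.sys"}
KNOWN_BAD_SERVICES = {"tclservice"}
# Kernel drivers normally live under System32\drivers; a driver service that
# points into a user-writable directory is suspicious on its own.
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\users\\public\\")

def driver_basename(path: str) -> str:
    """Lower-cased file name from an ImagePath/ImageLoaded value."""
    return ntpath.basename(path.strip('"').replace("\\??\\", "")).lower()

def classify(event: dict) -> list[str]:
    """Reasons an event matches the BYOVD pattern (empty list if none)."""
    reasons = []
    eid = event.get("EventID")
    if eid == 7045 and "kernel" in event.get("ServiceType", "").lower():
        path = event.get("ImagePath", "")
        if driver_basename(path) in KNOWN_BAD_DRIVERS:
            reasons.append("known vulnerable driver installed as a service")
        if event.get("ServiceName", "").lower() in KNOWN_BAD_SERVICES:
            reasons.append("service name matches campaign indicator")
        if any(hint in path.lower() for hint in USER_WRITABLE_HINTS):
            reasons.append("kernel driver installed from user-writable path")
    elif eid == 6 and driver_basename(event.get("ImageLoaded", "")) in KNOWN_BAD_DRIVERS:
        reasons.append("known vulnerable driver loaded into the kernel")
    return reasons

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run classify() over a batch and keep only events with findings."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["EventRecordID"], reasons))
    return hits

# Constructed sample records (not real telemetry) shaped like System log
# Event ID 7045 (service installed) and Sysmon Event ID 6 (driver loaded).
SAMPLE_EVENTS = [
    {"EventRecordID": 1, "EventID": 7045, "ServiceName": "ExampleNetDrv",
     "ImagePath": "\\??\\C:\\Windows\\System32\\drivers\\examplenet.sys",
     "ServiceType": "kernel mode driver"},
    {"EventRecordID": 2, "EventID": 7045, "ServiceName": "TCLService",
     "ImagePath": "\\??\\C:\\Users\\Public\\truesight.sys",
     "ServiceType": "kernel mode driver"},
    {"EventRecordID": 3, "EventID": 6, "ImageLoaded": "C:\\Users\\Public\\truesight.sys"},
    {"EventRecordID": 4, "EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys"},
]
```

Running `scan(SAMPLE_EVENTS)` returns only records 2 and 3, the service install and the subsequent driver load, while the two benign records produce no findings.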

By adopting a comprehensive and proactive cybersecurity strategy, organizations can better protect themselves against the evolving tactics employed by cybercriminals in this campaign.