CyberSecurity news
@Talkback Resources - 1d
A large-scale malware campaign has been discovered exploiting truesight.sys, a vulnerable Windows driver shipped with Adlice's RogueKiller Antirootkit suite. The attackers rely on a loophole in Windows' driver-signing policy that still lets this legacy-signed driver load on current Windows builds, then abuse the driver's ability to terminate arbitrary processes to kill security tooling before deploying the HiddenGh0st variant of the Gh0st RAT. Over 2,500 distinct variants of truesight.sys have been identified; each carries a different file hash while the original signature remains valid, so hash-keyed entries in EDR known-bad lists and in Microsoft's Vulnerable Driver Blocklist match none of them.
The campaign uses a multi-stage infection chain: initial-stage samples are disguised as legitimate applications and distributed through deceptive websites and messaging apps. These samples download the vulnerable truesight.sys driver together with encrypted payloads, which are decrypted and loaded to deliver the final RAT. Victims are primarily in China, Singapore, and Taiwan, and the infrastructure is hosted on public cloud services within China.
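The practical takeaway from the variant count is that a blocklist keyed on the whole-file hash is the wrong control for signed-driver abuse. The following is an added example, not code from Talkback, Check Point, or Adlice, and it does not reproduce truesight.sys: it builds a synthetic, non-loadable PE32+ image with an attribute certificate table, then shows that rewriting bytes Authenticode does not cover (the CheckSum field and spare bytes inside the certificate table, which is the assumed variant-generation trick here) changes the SHA-256 of the file but leaves the Authenticode image hash, and therefore signature validity, untouched. A detection keyed on the Authenticode hash, the signer, or the driver's version resource survives this; a file-hash list does not.

```python
"""Whole-file hash vs. Authenticode hash for signed-driver variants.

Added example (not part of the original page). The PE built here is a
constructed stand-in for a signed legacy driver, not real truesight.sys bytes.
Region layout follows the Authenticode PE hashing rules: everything is hashed
except the CheckSum field, the Certificate Table data-directory entry, and the
attribute certificate table itself.
"""
import hashlib
import struct

ALIGN = 0x200  # FileAlignment used by the synthetic image


def _align(n: int) -> int:
    return (n + ALIGN - 1) & ~(ALIGN - 1)


def build_min_pe(section_data: bytes, cert_blob: bytes, pad: int = 16,
                 checksum: int = 0) -> bytes:
    """Build a minimal PE32+: DOS header, COFF + optional header, one section,
    and a WIN_CERTIFICATE overlay. `pad` spare zero bytes sit inside the
    certificate table, where real PKCS#7 blobs also tolerate trailing data."""
    e_lfanew = 0x40
    opt_off = e_lfanew + 4 + 20             # optional header follows the COFF header
    opt_size = 240                          # PE32+ optional header incl. 16 data dirs
    size_of_headers = _align(opt_off + opt_size + 40)
    sec_off = size_of_headers
    sec_size = _align(len(section_data))
    cert_off = sec_off + sec_size
    win_cert = struct.pack("<IHH", 8 + len(cert_blob) + pad, 0x0200, 0x0002) \
        + cert_blob + b"\x00" * pad         # dwLength, wRevision, wCertificateType

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)           # Magic: PE32+
    struct.pack_into("<I", opt, 36, ALIGN)          # FileAlignment
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", opt, 64, checksum)       # CheckSum: not covered by Authenticode
    struct.pack_into("<I", opt, 108, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(win_cert))  # security dir entry
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       sec_size, sec_off, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(size_of_headers, b"\0")
    return headers + section_data.ljust(sec_size, b"\0") + win_cert


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash a PE the way Authenticode does. Assumes sections appear in file
    order, which is true for linker output; a full verifier sorts them by
    PointerToRawData and treats out-of-order data the same way."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    checksum_off = opt + 64                         # same offset for PE32 and PE32+
    dd_off = opt + (112 if magic == 0x20B else 96)
    certdir_off = dd_off + 4 * 8                    # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, certdir_off)  # file offset, size
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:certdir_off])
    if cert_size == 0:
        h.update(pe[certdir_off + 8:])
    else:
        h.update(pe[certdir_off + 8:cert_off])
        h.update(pe[cert_off + cert_size:])         # data after the cert table still counts
    return h.hexdigest()


def mutate_uncovered(pe: bytes, seed: int) -> bytes:
    """Make a 'variant': rewrite the CheckSum field and the last four spare bytes
    of the certificate table. Neither region is hashed, so the signature still
    verifies while the whole-file SHA-256 changes."""
    buf = bytearray(pe)
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", buf, opt)[0]
    certdir_off = opt + (112 if magic == 0x20B else 96) + 32
    cert_off, cert_size = struct.unpack_from("<II", buf, certdir_off)
    struct.pack_into("<I", buf, opt + 64, seed & 0xFFFFFFFF)
    tail = cert_off + cert_size
    buf[tail - 4:tail] = struct.pack("<I", seed & 0xFFFFFFFF)
    return bytes(buf)


def mutate_section(pe: bytes) -> bytes:
    """Flip one byte in the first section: this region IS covered, so the
    Authenticode hash changes and the signature would no longer verify."""
    buf = bytearray(pe)
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 4 + 16)[0]
    sect = e_lfanew + 24 + opt_size
    raw_off = struct.unpack_from("<I", buf, sect + 20)[0]  # PointerToRawData
    buf[raw_off] ^= 0xFF
    return bytes(buf)


def blocklist_match(sample: bytes, known_bad: bytes) -> dict:
    """Compare a sample with a known-bad driver both ways: whole-file hash (how a
    naive blocklist keys) and Authenticode hash (stable across uncovered-byte
    variants). The second is what a driver blocklist rule should key on."""
    return {
        "file_sha256_match": hashlib.sha256(sample).digest() == hashlib.sha256(known_bad).digest(),
        "authenticode_match": authenticode_hash(sample) == authenticode_hash(known_bad),
    }


if __name__ == "__main__":
    # Constructed stand-in for a signed legacy driver; the "certificate" is junk bytes.
    original = build_min_pe(b"\xcc" * 300, b"\x30\x82\x00\x10" + b"A" * 16, checksum=0xBEEF)
    for i in range(3):
        print("variant", i, blocklist_match(mutate_uncovered(original, 0x1000 + i), original))
    print("section edit", blocklist_match(mutate_section(original), original))
```

Run it and every variant reports `file_sha256_match: False, authenticode_match: True`, which is exactly the gap the 2,500 variants exploit; the section edit flips both to `False`, because tampering inside the hashed image breaks the signature. Hunting guidance follows directly: collect the Authenticode hash (for example the `SignerCertificate`/`HashAlgorithm` fields from `Get-AuthenticodeSignature`, or `sigcheck -h`) and the version resource of every loaded driver, and alert on the known-vulnerable values rather than on the file's SHA-256.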
References:
- Cyber Security News: A sophisticated cyber campaign has been uncovered, leveraging a loophole in Windows’ driver signing policy to bypass detection and deploy malware.
- Talkback Resources: 2,500+ Truesight.sys Driver Variants Exploited to Bypass EDR and Deploy HiddenGh0st RAT [exp] [mal]
- The Hacker News: A large-scale malware campaign has been found leveraging a vulnerable Windows driver associated with Adlice's product suite to sidestep detection efforts and deliver the Gh0st RAT malware.
Classification:
- HashTags: #DriverExploitation #EDRBypass #HiddenGh0stRAT
- Company: Check Point Research (reporting vendor)
- Target: Windows Systems
- Attacker: Unattributed
- Product: Windows
- Feature: EDR Bypass
- Malware: HiddenGh0st RAT
- Type: Malware
- Severity: High