Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware

Victor M

Sep 02, 2025 · Ravie Lakshmanan · Financial Fraud / Endpoint Protection

The threat actor known as Silver Fox has been attributed to abuse of a previously unknown vulnerable driver associated with WatchDog Anti-malware as part of a Bring Your Own Vulnerable Driver (BYOVD) attack aimed at disarming security solutions installed on compromised hosts.
The vulnerable driver in question is "amsdk.sys" (version 1.0.600), a 64-bit, validly signed Windows kernel device driver that's assessed to be built upon Zemana Anti-Malware SDK.

.....

Following responsible disclosure, Watchdog has released a patch (version 1.1.100) to address the LPE risk by enforcing a strong Discretionary Access Control List (DACL), while not plugging the arbitrary process termination issue. This, in turn, has had the side effect of causing the attackers to swiftly adapt and incorporate the modified version by altering just a single byte without invalidating Microsoft's signature.
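As an added illustration, not code from the article or from anyone in this thread: the script below computes the Authenticode digest of a PE image (the bytes a Microsoft signature actually covers, which exclude the CheckSum field, the Security directory entry and the certificate table) and contrasts it with a plain file hash after a one-byte edit. The PE it hashes is a constructed minimal PE32+ stand-in, not the WatchDog driver; the point for defenders is that a byte changed outside the signed region gives the file a brand-new SHA-256 while the signature stays valid, so blocking by file hash is weaker than blocking by Authenticode hash or by signer plus version.

```python
import hashlib, struct

def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Authenticode digest: the PE minus CheckSum, the Security directory entry and the certificate table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 24                                           # optional header follows PE sig + COFF header
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    secdir = opt + (144 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 128)  # PE32+ vs PE32
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir)
    h = hashlib.new(algo)
    h.update(pe[:opt + 64] + pe[opt + 68:secdir] + pe[secdir + 8:size_of_headers])  # headers with two holes
    sections = [struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)[::-1] for i in range(num_sections)]
    end = size_of_headers
    for raw_ptr, raw_size in sorted(sections):                    # (PointerToRawData, SizeOfRawData)
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        end = max(end, raw_ptr + raw_size)
    h.update(pe[end:cert_off] + pe[cert_off + cert_size:] if cert_size else pe[end:])  # overlay minus cert table
    return h.hexdigest()

def build_fake_pe(cert_blob: bytes) -> bytes:
    """Constructed minimal PE32+ (not a real driver): 0x200 bytes of headers, one 0x200-byte section, then certs."""
    hdr_size = sect_off = sect_size = 0x200
    img = bytearray(hdr_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x8664, 1)                 # Machine = x64, NumberOfSections = 1
    struct.pack_into("<H", img, 0x84 + 16, 240)                   # SizeOfOptionalHeader for PE32+
    opt = 0x84 + 20                                               # COFF header is 20 bytes
    struct.pack_into("<H", img, opt, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", img, opt + 60, hdr_size)               # SizeOfHeaders
    struct.pack_into("<II", img, opt + 144, sect_off + sect_size, len(cert_blob))  # Security directory
    struct.pack_into("<II", img, opt + 240 + 16, sect_size, sect_off)  # SizeOfRawData, PointerToRawData
    return bytes(img) + b"\xCC" * sect_size + cert_blob

def demo() -> dict:
    """One-byte edit inside the certificate table vs. one inside the code section."""
    original = build_fake_pe(b"\x00" * 8 + b"FAKE-PKCS7-BLOB")   # constructed stand-in for a WIN_CERTIFICATE
    in_cert, in_text = bytearray(original), bytearray(original)
    in_cert[-1] ^= 1                                              # last byte of the (unsigned) cert table
    in_text[0x300] ^= 1                                           # byte inside the signed section
    sha = lambda b: hashlib.sha256(bytes(b)).hexdigest()
    return {
        "file_hash_changed": sha(original) != sha(in_cert),
        "authenticode_hash_unchanged": authenticode_hash(original) == authenticode_hash(bytes(in_cert)),
        "code_change_detected": authenticode_hash(original) != authenticode_hash(bytes(in_text)),
    }
```

Only the digest is computed here; full verification additionally parses the PKCS#7 blob and checks the certificate chain. Run `demo()` to see all three checks come back true.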
Another Watchdog driver vulnerability discovered after the last one was patched exactly 60 days ago. Maybe time for me to uninstall this on my test machine.
The driver in this article is 1.0.600 and I now have the patched 1.1.100. The issue with the latest version is the possibility of abuse. The malicious/modified driver can be integrated in the installer while still retaining the MS Digital Signature with a new hash.

Unless I'm missing something, the risk here is for users who downloaded and will install Watchdog through non-official channels, as those can contain the signed but modified malicious SYS driver. That can only happen if the default MS Defender or other third-party AV don't catch up with the detection.
I am sure MS will do the right thing. But, look at TDSS killer driver, it is a known EDR bypass, and MS Defender doesn't block it - I was able to install it. Even Kaspersky does not advertise it anymore.
It figures it's Watchdog/Zemana. Abandonware turned malware. 👏👏👏
And yet, Watchdog/Zemana gets virtually no criticism here because there's nobody that is a fanboix/fangirl, perceived as promoting it.

People think Comodo is bad. The driver vulnerabilities have been happening since before 2016.