Legacy Driver Exploitation Through Bypassing Certificate Verification
1. Overview
In June 2024, the security company Check Point Research (CPR) published a post on a threat that used the Legacy Driver Exploitation technique. The attack focused mainly on remotely controlling infected systems with the Gh0stRAT malware and causing further damage.
The threat actor distributed malware using a phishing site and messaging apps, and loaded additional payloads using the DLL side-loading technique. They used a modified TrueSight.sys driver to bypass Microsoft’s driver blocking system, and forcibly terminated security processes such as antivirus and endpoint detection and response (EDR) systems to neutralize security defenses.
This attack introduces a new type of threat using the “Legacy Driver Exploitation” technique.
2. Attack Techniques
The key to this attack is exploiting a vulnerability in the TrueSight.sys driver.
The file is a driver module for the malware removal tool RogueKiller Antirootkit developed by Adlice Software, which provides rootkit detection and removal features. However, TrueSight.sys versions 3.4.0 and below contain a vulnerability that allows arbitrary processes to be terminated. Threat actors exploited this vulnerability using the AVKiller tool.
Microsoft has added all vulnerable versions of the TrueSight.sys driver to the Microsoft Vulnerable Driver Blocklist, but TrueSight version 2.0.2.0 was signed before July 29th, 2015, so it was exempt from the blocklist. The threat actor took advantage of this and used a certificate area tampering technique to create multiple variants of the TrueSight 2.0.2.0 file.
3. Certificate Verification Bypassing Technique
The modified TrueSight.sys file was produced by arbitrarily modifying the padding area of the WIN_CERTIFICATE structure.
The WIN_CERTIFICATE structure included in the digital signature of the file plays an important role in guaranteeing that the file has not been tampered with. However, the threat actor took advantage of the fact that Windows does not use the padding area within the structure during certificate validation. As a result, the file appeared to be signed correctly even though it had been tampered with.
This led to the tampered file being recognized as having a valid signature, successfully bypassing the certificate validation via WinVerifyTrust.
(1) Position of WIN_CERTIFICATE
- The location is referenced through the PE file certificate table (security directory).

Figure 1. Certificate table information including the certificate details
(2) Padding Manipulation of the WIN_CERTIFICATE Area
- The padding area is modified in a way that does not affect signature verification.

Figure 2. Padding area of the WIN_CERTIFICATE area
(3) Bypassing Certificate Verification
- The file hash has changed, but the signing certificate is still shown as valid.

Figure 3. Certificate verification screen using signtool.exe
4. Microsoft’s Response
In response to this attack, Microsoft updated the Microsoft Vulnerable Driver Blocklist on December 17, 2024 to block the modified TrueSight.sys driver and its variants. This update is an important measure for Microsoft to block drivers exploiting known vulnerabilities and enhance system security.
5. Associated Vulnerability
This attack technique is closely related to the CVE-2013-3900 vulnerability. That vulnerability can be exploited by changing the size of the certificate table and modifying the header information so that certificate verification is bypassed. This allows threat actors to append malicious data to the end of a file while the signature still verifies.
In December 2013, Microsoft released an update through the MS13-098 security bulletin to enforce strict certificate validation. However, due to compatibility issues with certain applications and systems, the update was rolled back in July 2014.
Afterward, Microsoft left it up to the users to decide whether to use the security option that strictly validates certificates. Users can enhance certificate validation by applying the following registry key setting.
32bit
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

64bit
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
Microsoft has announced that they are continuing their efforts to enhance security. This attack once again highlighted the importance of strengthening certificate validation.
6. V3 Detection
AhnLab V3 has detected the maliciously modified TrueSight.sys version 2.0.2.0 as Trojan/Win.VulnDriver.R695153 (2025.03.14.03). The detection feature of V3 plays a crucial role in enhancing system security. Users can utilize this feature to check their security status in real-time and block malware.
7. Conclusion
This attack employed the Legacy Driver Exploitation technique to disable system security and distribute malware, showcasing a new type of security threat. The threat actor exploited vulnerable drivers and bypassed Microsoft’s driver blocking system to infiltrate the system.
Microsoft is blocking such attacks through the Vulnerable Driver Blocklist. Users must promptly apply the latest security updates and actively use security solutions to protect themselves from such attacks. Additionally, businesses and organizations need to conduct regular security checks and vulnerability analyses to identify potential risks in advance and respond to them.
Legacy Driver Exploitation attacks directly target the core of system security, so thorough responses are required.