Cyber Security News

Threat Actors Leverage Legacy Drivers to Circumvent TLS Certificate Validation

Threat actors have recently been exploiting legacy drivers to bypass certificate validation, leveraging a technique known as “Legacy Driver Exploitation.”

This method involves using vulnerable drivers to evade security measures and distribute malware, as highlighted in a recent security advisory.

The attack primarily utilizes the Gh0stRAT malware to remotely control infected systems and cause further damage.

The malware is distributed through phishing sites and messaging apps, with additional payloads loaded using the DLL side-loading technique.

Exploitation Techniques and Vulnerabilities

The key to this attack is the exploitation of a vulnerability in the TrueSight.sys driver, a component of the RogueKiller Antirootkit tool developed by Adlice Software.

Versions of TrueSight.sys 3.4.0 and below contain a flaw that allows arbitrary processes to be terminated, which threat actors exploit using the AVKiller tool.

TLS Certificate ValidationTLS Certificate Validation
Certificate verification screen using signtool.exe

Microsoft has added vulnerable versions of the TrueSight.sys driver to its Vulnerable Driver Blocklist, but older versions signed before July 29, 2015, are exempt.

Threat actors have exploited this loophole by tampering with the certificate area to create modified files resembling the TrueSight 2.0.2.0 version.

The attackers manipulate the padding area of the WIN_CERTIFICATE structure within the digital signature of the file.

Since Windows does not validate the padding area during certificate checks, the tampered file appears to have a valid signature, successfully bypassing certificate validation via WinVerifyTrust.

According to ASEC, this technique is related to the CVE-2013-3900 vulnerability, which allows certificate verification to be bypassed by modifying the authentication table and header information.

Microsoft’s Response and Recommendations

In response to these attacks, Microsoft updated its Vulnerable Driver Blocklist in December 2024 to block the modified TrueSight.sys driver and its variants.

This update is crucial for enhancing system security by blocking drivers that exploit known vulnerabilities.

Users can further strengthen certificate validation by applying specific registry settings, such as enabling the “EnableCertPaddingCheck” option.

This setting helps ensure stricter validation of certificates, although it was initially rolled back due to compatibility issues.

To protect against such threats, users should promptly apply the latest security updates and utilize robust security solutions.

Regular security checks and vulnerability analyses are also essential for identifying potential risks and responding effectively.

The detection capabilities of security tools like AhnLab V3 play a vital role in identifying and blocking maliciously modified drivers, such as the Trojan/Win.VulnDriver.R695153 variant of TrueSight.sys.

By staying vigilant and proactive, users and organizations can mitigate the risks associated with Legacy Driver Exploitation attacks.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free. 

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector emerged…

29 minutes ago

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its attacks…

42 minutes ago

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6 million…

2 hours ago

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect servers…

3 hours ago

Healthcare Sector Becomes a Major Target for Cyber Attacks in 2025

The healthcare sector has emerged as a prime target for cyber attackers, driven by the…

3 hours ago

SysAid ITSM Vulnerabilities Enables Pre-Auth Remote Command Execution

Security researchers have disclosed a chain of critical vulnerabilities affecting SysAid ITSM’s On-Premise solution, enabling…

4 hours ago