The ValleyRAT BYOVD Hack: How Fake Installers Are Silently Disabling Your Security

Listen to this Post

Featured Image

Introduction:

A new wave of attacks is demonstrating that sophisticated threat actors no longer need to break down digital walls; they simply walk through the front door using stolen or forged credentials. The ValleyRAT campaign exemplifies this trend by weaponizing a Bring Your Own Vulnerable Driver (BYOVD) technique, using fake software installers to deploy a signed—but malicious—driver that disables endpoint security tools, paving the way for a complete system compromise.

Learning Objectives:

  • Understand the mechanics of the Bring Your Own Vulnerable Driver (BYOVD) attack vector.
  • Learn to identify and investigate malicious driver loads and service installations on Windows systems.
  • Implement proactive detection and prevention strategies to mitigate BYOVD and living-off-the-land techniques.

You Should Know:

1. Detecting Malicious Driver Loads with PowerShell

The core of the BYOVD attack involves loading a malicious kernel driver. PowerShell can be used to audit driver loads, which is critical for detection.

`Get-WinEvent -FilterHashtable @{LogName=’System’; ProviderName=’Microsoft-Windows-Kernel-General’; ID=6} | Where-Object {$_.Properties[bash].Value -like “temp”} | Format-List -Property TimeCreated, Message`

Step-by-step guide: This command queries the System event log for Event ID 6, which indicates a driver has been loaded. The `Where-Object` clause filters for drivers loading from the `%TEMP%` directory, a strong indicator of malicious activity as legitimate drivers do not load from user temp folders. Regularly monitoring these events can provide early warning of a BYOVD attempt.

2. Investigating Services with sc.exe

Attackers often use the Service Control manager to install and start their malicious driver as a service.

`sc query type= driver state= all | findstr /i “temp”`

Step-by-step guide: The `sc query` command lists all drivers registered as services. Piping the output to `findstr` to search for the string “temp” (case-insensitive) can quickly reveal suspicious services that have been installed from a user’s temporary directory, a common tactic in this attack.

3. Auditing Image Loads with Sysmon

System Monitor (Sysmon) is an invaluable tool for deep visibility. Event ID 6 (Driver loaded) and 7 (Image loaded) are crucial.

``

``

``

`Microsoft Windows`

`Microsoft Windows Publisher`

``

``

Step-by-step guide: This Sysmon configuration rule will log every driver load that has a signature containing “Microsoft Windows” but is NOT signed by the “Microsoft Windows Publisher”. This helps catch drivers signed with stolen or abused certificates, a hallmark of advanced attacks like ValleyRAT.

4. Hunting for Anomalous Service Creation

Persistence via service installation is key. This PowerShell command hunts for recently created services.

`Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName -like “temp” -or $_.PathName -like “.tmp” } | Select-Object Name, DisplayName, State, PathName, StartMode, Status`

Step-by-step guide: This CIM query retrieves all services and filters for those whose executable path (PathName) contains “temp” or “.tmp”. Any results should be investigated immediately, as this is highly anomalous behavior for a legitimate system service.

5. Validating Driver Signatures with signtool

Verifying the authenticity of a driver’s digital signature can reveal tampering or certificate abuse.

`signtool verify /v /pa C:\path\to\suspect\driver.sys`

Step-by-step guide: The `signtool` utility, part of the Windows SDK, verifies the digital signature of a file. The `/v` flag enables verbose output, and `/pa` specifies the default authentication verification policy. A result showing “Signing Certificate Chain” from an untrusted or unexpected publisher is a major red flag.

6. Blocking Driver Loads from User Writeable Directories

AppLocker or Windows Defender Application Control (WDAC) can be configured to prevent drivers from loading from unauthorized locations like %TEMP%.

``

``

``

``

``

``

``

Step-by-step guide: This WDAC rule explicitly denies the loading of any driver (.sys file) from the system’s temporary directory for all users (S-1-1-0). Deploying such a policy is a proactive measure that would have completely blocked the ValleyRAT BYOVD technique.

7. Memory Analysis with Volatility for EDR Tampering

If an EDR agent suddenly stops, memory forensics can determine if its kernel components were tampered with.

`volatility -f memory.dump –profile=Win10x64_19041 driverscan | grep -i -E “(edr|sentinel|crowdstrike|carbonblack|cybereason)”`

Step-by-step guide: After acquiring a memory image, use Volatility’s `driverscan` command to enumerate loaded kernel drivers. Grepping for common EDR driver names can help identify if they are present or were recently unloaded due to malicious activity, a potential aftermath of a successful BYOVD attack.

What Undercode Say:

  • The BYOVD technique represents a critical escalation in the attacker’s arsenal, moving from exploitation of software vulnerabilities to exploitation of trust in the software supply chain and digital certificates.
  • Defensive strategy must pivot from pure prevention to assume-breach detection, focusing on anomalous behavior like drivers loading from user directories and services executing from temporary folders.
  • Analysis: The ValleyRAT campaign is not an anomaly but a signpost for the future of cyber attacks. The barrier to entry for BYOVD is lowering, with malware-as-a-service offerings likely to incorporate these techniques. The incident underscores a painful truth: the Windows kernel signing process, a cornerstone of system integrity, is under direct assault through certificate theft and abuse. Defenders can no longer trust a file solely based on its digital signature. The battleground has shifted to behavioral analysis and strict policy enforcement, requiring deeper system visibility and a zero-trust approach even at the kernel level. This evolution demands that blue teams master forensic tools and logging to detect these living-off-the-land techniques that leave minimal traces.

Prediction:

The success of the ValleyRAT BYOVD attack will catalyze a wave of imitators, making this technique a standard feature in ransomware and data extortion campaigns throughout 2024 and beyond. We predict a rise in “driver hijacking,” where attackers will not just bring their own vulnerable drivers but will also exploit legitimate, pre-installed vulnerable drivers already present on target systems (a subset of BYOVD), further obscuring their activity. This will force a major industry response, including potentially Microsoft mandating stricter code signing requirements (like Hypervisor-Protected Code Integrity (HVCI) adoption) and EDR vendors developing deeper, hardware-isolated introspection capabilities to protect their own agents from termination.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Mauricefielenbach Valleyrat – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky