【震惊！Symantec居然知道Silver Fox】前天的Symantec发布公告阐述Silver Fox威胁

驭龙

讲真的，我是万万没想到Symantec还会关注国内流行的威胁啊，而且还有持续关注，甚至是知道被称呼为“银狐”威胁，更可怕的是SONAR和IPS都入库特征了，岂不是防御银狐无敌了？就算做免杀可以绕过特征引擎，IPS的流量特征是很难被绕过的，不行，我去卸载诺顿V25.8了，搬出我的SESC 16压压惊

Silver Fox Abuses Legit Drivers to Deploy RAT
Researchers at Check Point observed a Silver Fox campaign where they exploited a Microsoft-signed vulnerable driver (amsdk.sys) in an attempt to silently disable EDR and antivirus protections on Windows 10 and 11. This tactic clears the path for the delivery of ValleyRAT, a Gh0st RAT–derived backdoor that grants full remote access, surveillance, and persistence inside compromised environments.

Silver Fox is a long-running Chinese-speaking threat actor whose activity has been tracked primarily in Asia and adjacent regions, though their campaigns have also extended globally across certain sectors.

Symantec protects you from this threat, identified by the following:

Adaptive-based

ACM.Ps-Rd32!g1
ACM.Rd32-CPE!g1
Behavior-based

SONAR.SuspDriver!g30
SONAR.SuspLaunch!g266
Carbon Black-based

Associated malicious indicators are blocked and detected by existing policies within Carbon Black products. The recommended policy at a minimum is to block all types of malware from executing (Known, Suspect, and PUP) as well as delay execution for cloud scan to get maximum benefit from Carbon Black Cloud reputation service.
File-based

Trojan.Gen.MBT
Machine Learning-based

Heur.AdvML.B
Network-based

System Infected: Trojan.Backdoor Activity 568

辔繇

中式英语越来越普遍，咱妈的影响力越来越大了

驭龙

辔繇 发表于 2025-9-1 00:25
中式英语越来越普遍，咱妈的影响力越来越大了

我也是没想到赛门铁克会关注银狐啊，难以置信的事情

不过有IPS的特征，基本上企业SESC就可以解决银狐威胁了，牛X了。

是啊，期待以后有更大的影响力

King、暮光

Norton的mac版本IPS用的是gen家的还是铁壳的啊虽然mac上应该没有银狐，但是铁壳关注国内流行样本还是挺意外的

lzxzyhy

驭大，SESC 16有下载地址吗？

GreatMOLA

https://research.checkpoint.com/ ... vulnerable-drivers/

wohaofan1200

赛门铁克在国内应该还有一些的企业级客户的

驭龙

King、暮光 发表于 2025-9-1 10:47
Norton的mac版本IPS用的是gen家的还是铁壳的啊虽然mac上应该没有银狐，但是铁壳关注国内流行样本还是 ...

现在诺顿跟Symantec已经没关系了，而且Mac上要不要用安全软件都有不同看法，个人认为不需要用安全软件

驭龙

lzxzyhy 发表于 2025-9-1 14:56
驭大，SESC 16有下载地址吗？

没有自管客户端，无法分享该软件

kuroo

为什么不需要用安全软件
前两年才捣毁过九百万麦金塔肉鸡僵尸网络