Threat actors have abused the vulnerable vsdatant.sys kernel-level driver within the Check Point ZoneAlarm antivirus version released in 2016 to exfiltrate account credentials as part of a Bring Your Own Vulnerable Driver attack, according to Hackread.
Attackers have sent malicious emails to spread a dropper that runs a script deploying the vulnerable driver; once loaded, the driver is used to disable Core Isolation and strip process protections before user credentials are stolen, a report from Venak Security showed.
High-level kernel privileges and a valid digital signature in vsdatant.sys allowed malicious code persistence while circumventing extended detection and response systems, said Venak Security researchers.
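The report describes the driver being deployed by a dropper, used to disable Core Isolation and then left in place for persistence. A defender's first question is whether a legacy vsdatant.sys is present or loaded on a host and whether Core Isolation (memory integrity / HVCI) is still running. The following PowerShell hunt is an added example and is not code from the article, Venak Security or Check Point; it matches the driver by file name only, because the article gives no hash, version number or file path, and the search roots and the risk-note wording are my own choices.

```powershell
# Added example (not from the article, Venak Security or Check Point).
# Hunts a Windows host for the vsdatant.sys driver named in the report and
# reports whether Core Isolation (memory integrity / HVCI) is running.
# Assumption: detection is by driver/file name only; compare the reported
# version and signer against Check Point's current release yourself.
function Invoke-VsdatantHunt {
    [CmdletBinding()]
    param(
        [string]$DriverName = 'vsdatant.sys',
        # Search roots are an assumption: a dropper may place the driver anywhere.
        [string[]]$SearchRoots = @("$env:SystemRoot\System32\drivers", $env:ProgramData, $env:TEMP)
    )

    # Registered kernel-driver services whose image path names the driver,
    # whether or not the service is currently running.
    $services = @(Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and $_.PathName -match [regex]::Escape($DriverName) })
    $loaded = @($services | Where-Object { $_.State -eq 'Running' }).Count -gt 0

    $paths = [System.Collections.Generic.List[string]]::new()

    # Normalise the \??\ and \SystemRoot\ prefixes used in driver image paths.
    foreach ($s in $services) {
        $p = $s.PathName.Trim('"')
        $p = $p -replace '^\\\?\?\\', ''
        $p = $p -replace '^\\SystemRoot', $env:SystemRoot
        $paths.Add($p)
    }

    # Also look for copies on disk that are not registered as a service.
    Get-ChildItem -Path $SearchRoots -Filter $DriverName -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $paths.Add($_.FullName) }

    $findings = foreach ($path in ($paths | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Path            = $path
            FileVersion     = $item.VersionInfo.FileVersion
            ProductVersion  = $item.VersionInfo.ProductVersion
            LastWriteTime   = $item.LastWriteTime
            SignatureStatus = $sig.Status          # a BYOVD driver is typically still 'Valid'
            Signer          = $sig.SignerCertificate.Subject
        }
    }
    $findings = @($findings)

    # Core Isolation state: SecurityServicesRunning contains 2 when HVCI is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # Configured (policy) state, independent of whether it is currently running.
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $hvciPolicy = Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue
    $hvciConfigured = [bool]($hvciPolicy -and $hvciPolicy.Enabled -eq 1)

    $notes = @()
    if ($findings.Count -gt 0) {
        $notes += "$DriverName present; verify its version against the current ZoneAlarm/Harmony Endpoint release."
    }
    if ($loaded -and -not $hvciRunning) {
        $notes += "$DriverName is loaded and Core Isolation (HVCI) is not running."
    }
    if ($hvciConfigured -and -not $hvciRunning) {
        $notes += 'HVCI is configured in the registry but not running; investigate why it was disabled.'
    }

    [pscustomobject]@{
        DriverLoaded   = $loaded
        HvciRunning    = $hvciRunning
        HvciConfigured = $hvciConfigured
        Files          = $findings
        RiskNotes      = $notes
    }
}

# Usage: run on the host under review and inspect the object.
Invoke-VsdatantHunt | Format-List
```

The hunt deliberately reports metadata rather than deciding on its own that a file is the vulnerable build: a valid Authenticode signature is exactly what makes BYOVD drivers dangerous, so `SignatureStatus = Valid` is not evidence of safety, and the version and signer fields are there for an analyst to compare against the vendor's current release.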
These findings were acknowledged by Check Point, which emphasized that the security issue has not been present in ZoneAlarm or Harmony Endpoint releases since 2017.
"For full protection, we recommend users ensure they are running the most recent version of Check Point ZoneAlarm or Check Point Harmony Endpoint, which includes enhanced safeguards against BYOVD-style attacks," said a Check Point spokesperson.