Attackers abuse Windows drivers to bypass security controls, either by exploiting vulnerabilities in legitimate drivers or by using stolen code-signing certificates to load malicious drivers into the kernel, where they can disable protections. While Microsoft enforces driver signature rules, attackers still find ways around these safeguards.
EDR Killer Malware
Poortry and Stonestop, active threats since 2022, have been used by ransomware groups to bypass security measures. These malicious kernel drivers, often hidden with packers like VMProtect or Themida, rely on techniques such as bypassing driver signature enforcement to get loaded into the kernel.
Despite Microsoft’s efforts to revoke abused certificates, attackers have adapted by using forged or leaked signatures.
Poortry’s creators have shown remarkable adaptability, regularly modifying the driver and changing signing certificates to avoid detection, highlighting the need for robust security measures against advanced persistent threats.
Sophos discovered attackers using Poortry, a malicious tool, with multiple digital certificates to bypass security measures. In one attack, the threat actors deployed several Poortry variants with different certificates (“bopsoft” and “Evangel Technology”) within 30 seconds, likely to evade signature-based detection. This tactic, known as “certificate roulette,” underscores the attackers’ efforts to establish persistence and deploy additional tools like Stonestop for further malicious activities.
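The "certificate roulette" pattern above (several driver loads from a non-standard directory, each with a different signer, inside a short window) is something a defender can look for in driver-load telemetry. The script below is an added example, not Sophos's tooling or anything from the Poortry operators: the event rows, the loader file names, the third signer name and the 60-second window are constructed for illustration; the signer strings "bopsoft" and "Evangel Technology" are the ones the article names.

```python
"""Flag 'certificate roulette': several kernel driver loads from the same
non-OS directory, carrying different signers, inside a short time window.
Event format is a constructed stand-in for driver-load telemetry (e.g. the
fields you would pull from a driver-load event: time, image path, signer)."""
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, driver image path, signer subject)
SAMPLE_EVENTS = [
    ("2024-06-01T10:00:00", r"C:\Windows\System32\drivers\ntfs.sys", "Microsoft Windows"),
    ("2024-06-01T10:00:05", r"C:\Users\Public\drv\loader.sys", "bopsoft"),
    ("2024-06-01T10:00:12", r"C:\Users\Public\drv\loader2.sys", "Evangel Technology"),
    ("2024-06-01T10:00:25", r"C:\Users\Public\drv\loader3.sys", "Placeholder Signer Ltd"),
    ("2024-06-01T11:30:00", r"C:\Windows\System32\drivers\tcpip.sys", "Microsoft Windows"),
]

# Constructed blocklist of signers known to be abused/revoked (placeholder values)
REVOKED_SIGNERS = {"bopsoft", "Evangel Technology"}

OS_DRIVER_DIR = r"c:\windows\system32\drivers"


def parse_events(rows):
    """Turn raw rows into (datetime, path, signer) tuples sorted by time."""
    parsed = [(datetime.fromisoformat(ts), path, signer) for ts, path, signer in rows]
    return sorted(parsed, key=lambda e: e[0])


def find_certificate_roulette(events, window=timedelta(seconds=60), min_signers=2):
    """Return a list of findings, one per cluster of driver loads from outside
    the OS driver directory where >= min_signers distinct signers appear within
    `window`.  Each finding is (first_ts, last_ts, sorted signer list)."""
    # Drivers that live in System32\drivers are out of scope for this rule
    candidates = [e for e in events if not e[1].lower().startswith(OS_DRIVER_DIR)]
    findings = []
    i = 0
    while i < len(candidates):
        j = i
        signers = set()
        # Grow the window from the i-th load forward while loads stay within it
        while j < len(candidates) and candidates[j][0] - candidates[i][0] <= window:
            signers.add(candidates[j][2])
            j += 1
        if len(signers) >= min_signers:
            findings.append((candidates[i][0], candidates[j - 1][0], sorted(signers)))
            i = j  # skip past the cluster so it is reported once
        else:
            i += 1
    return findings


def revoked_signer_loads(events):
    """Return driver paths whose signer is on the constructed blocklist."""
    return [path for _, path, signer in events if signer in REVOKED_SIGNERS]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for first, last, signers in find_certificate_roulette(evs):
        print(f"ROULETTE {first.time()}..{last.time()} signers={signers}")
    for path in revoked_signer_loads(evs):
        print(f"REVOKED-SIGNER load: {path}")
```

The signer-blocklist check alone is weak, since the article notes the operators rotate certificates faster than revocations land; the clustering rule is the more durable of the two because it keys on the behaviour (multiple differently signed drivers from a user-writable path in seconds) rather than on any particular certificate.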
Poortry (the kernel driver) and Stonestop (its user-mode loader) together form a sophisticated EDR wiper that disables security defenses in a multi-phased approach. Stonestop checks for the Poortry driver in the same directory and initiates a handshake via DeviceIoControl. Poortry then disables EDR products by altering kernel notify routines and patching callback functions linked to security drivers.
It also detaches certain device objects from the system’s device stack, disabling installed filters and weakening EDR capabilities, which enables further malicious activities.
The EDR killer first targets security processes by sending IOCTL requests to its kernel-mode component. Next, it uses a list of hardcoded paths to find and delete critical EDR files, like EXE and DLL files, through another IOCTL request.
The user-mode component operates in two modes: deleting files by type or by name, allowing flexibility in targeting different EDR products. The hardcoded paths and operation modes likely vary based on the specific target.
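The file-wipe stage described above (a user-mode component asking the driver to delete EXE and DLL files from a hardcoded list of EDR paths) leaves a detectable trace: one process, living outside any security product's directory, deleting several executables under those directories. The script below is an added example written from the defender's side; it is not code from Sophos or from the malware. The protected directory names, the process images and the delete events are all constructed placeholders, not real product paths.

```python
"""Flag a process that deletes executable files from security-product
directories, the behaviour the article describes for the EDR killer's
file-deletion stage.  Paths and events are constructed for this example."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed: directories the defender treats as protected (placeholders,
# not real product install paths)
PROTECTED_DIRS = [
    r"C:\Program Files\ExampleEDR",
    r"C:\Program Files\ExampleAV\Engine",
]
EXEC_EXTS = {".exe", ".dll", ".sys"}

# Constructed FileDelete-style events: (pid, deleting process image, deleted path)
SAMPLE_DELETES = [
    (4120, r"C:\Users\Public\svc.exe", r"C:\Program Files\ExampleEDR\agent.exe"),
    (4120, r"C:\Users\Public\svc.exe", r"C:\Program Files\ExampleEDR\sensor.dll"),
    (4120, r"C:\Users\Public\svc.exe", r"C:\Program Files\ExampleAV\Engine\scan.dll"),
    (4120, r"C:\Users\Public\svc.exe", r"C:\Program Files\ExampleEDR\readme.txt"),
    (880, r"C:\Program Files\ExampleEDR\updater.exe", r"C:\Program Files\ExampleEDR\old.dll"),
    (2200, r"C:\Windows\explorer.exe", r"C:\Users\bob\Desktop\notes.txt"),
]


def is_protected(path):
    """True if `path` sits anywhere below one of PROTECTED_DIRS (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(d) in p.parents for d in PROTECTED_DIRS)


def flag_edr_file_wipers(events, threshold=2):
    """Return {pid: (image, [deleted executable paths])} for processes that
    delete >= threshold executables under protected directories while not
    themselves running from a protected directory (so a product's own updater
    or uninstaller does not trip the rule)."""
    hits = defaultdict(list)
    image_of = {}
    for pid, image, target in events:
        if is_protected(image):
            continue  # the product's own binaries are allowed to touch its files
        if PureWindowsPath(target).suffix.lower() in EXEC_EXTS and is_protected(target):
            hits[pid].append(target)
            image_of[pid] = image
    return {pid: (image_of[pid], paths) for pid, paths in hits.items() if len(paths) >= threshold}


if __name__ == "__main__":
    for pid, (image, paths) in flag_edr_file_wipers(SAMPLE_DELETES).items():
        print(f"pid {pid} ({image}) deleted {len(paths)} protected executables:")
        for p in paths:
            print("   ", p)
```

One caveat when deploying a rule like this: because the deletion is performed by the kernel driver on the user-mode component's behalf, the process that appears in file-delete telemetry may be the driver's caller rather than an obvious user-mode API call, and if the EDR's own callbacks have already been patched the sensor may never see the event. That is why the driver-load telemetry from the earlier phase, collected before the product is blinded, is the more reliable signal.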
Poortry, initially designed to unhook endpoint protection components, has evolved significantly. It now uses stolen code-signing certificates to bypass Driver Signature Verification, gaining rootkit-like control over OS functions. It can also wipe security software from the disk, paving the way for ransomware deployments, showcasing its increased sophistication and potential for severe damage.