Pootry EDR Killer Malware Wipes Out Security Tools From Windows Machine


Windows drivers can be abused to bypass security measures. Attackers can exploit vulnerabilities in legitimate drivers or use stolen or forged digital signatures to load malicious drivers into the operating system’s kernel.

These drivers can then interfere with security software, disabling protections and allowing attackers to gain unauthorized access.

To mitigate these risks, Microsoft has implemented measures like driver signature enforcement and attestation signing, but attackers continue to find ways to circumvent these safeguards.

One of the WHQL-signed drivers from the attacks in 2022-2023

Poortry and Stonestop, a persistent threat since 2022, have been employed by various ransomware groups to bypass security measures.

The malicious kernel driver, often obfuscated with packers like VMProtect or Themida, leverages techniques like driver signature enforcement bypass to gain unauthorized access. 

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN -14-day free trial

Despite Microsoft’s efforts to revoke abused certificates, the attackers have adapted by using forged signatures or leaked certificates. 

Poortry’s creators have demonstrated high adaptability, frequently modifying the driver and switching signing certificates to evade detection, underscoring the importance of robust security measures to combat advanced persistent threats.

Pootry EDR Killer Malware Wipes Out Security Tools From Windows Machine
 timeline of the observed signer names used by Poortry’s payload driver over a 15-month period.

Sophos identified attackers deploying Poortry, a malicious tool, with various digital certificates to bypass security measures.

In a single attack, the threat actors used multiple Poortry variants with different certificates (“bopsoft” and “Evangel Technology”) within 30 seconds, likely to evade signature-based detection.  

This tactic, called “certificate roulette,” highlights the attackers’ attempt to establish persistence and deploy additional tools like Stonestop for further malicious activity. 

Poortry and Stonestop, a sophisticated EDR wiper, employ a multi-phased approach to disable security defenses, where the loader, Stonestop, checks for the driver, Poortry, in the same directory and initiates a handshake via DeviceIoControl. 

Poortry then disables EDR products by modifying kernel notify routines and patching callback functions associated with security drivers. 

Pootry EDR Killer Malware Wipes Out Security Tools From Windows Machine
Comparison before and after prologue patching

It also detaches specific device objects from the system’s device stack to render installed filters useless, which allows the wiper to effectively impair EDR capabilities, paving the way for subsequent malicious activities.

The EDR killer first targets security-related processes by sending IOCTL requests to its kernel-mode component.

Then, it uses a list of hardcoded paths to locate and delete critical EDR files, such as EXE or DLL files, by sending another IOCTL request. 

Pootry EDR Killer Malware Wipes Out Security Tools From Windows Machine
Implementation of deleting files by type

The user-mode component can operate in two modes: deleting files by type or by name, likely for flexibility in targeting different EDR products. The hardcoded paths and operation modes likely vary depending on the specific target.

Poortry, initially a tool for unhooking endpoint protection components, has significantly evolved. It now abuses stolen code-signing certificates to bypass Driver Signature Verification, providing rootkit-like capabilities for controlling low-level OS functionality. 

It can also wipe security software from the disk, creating a path for ransomware deployments. This highlights the tool’s growing sophistication and potential for causing significant harm.

Protect Your Business with Cynet Managed All-in-One Cybersecurity Platform – Try Free Trial



Source link