Windows drivers can be abused to bypass security measures. Attackers can exploit vulnerabilities in legitimate drivers or use stolen or forged digital signatures to load malicious drivers into the operating system’s kernel.
These drivers can then interfere with security software, disabling protections and allowing attackers to gain unauthorized access.
To mitigate these risks, Microsoft has implemented measures like driver signature enforcement and attestation signing, but attackers continue to find ways to circumvent these safeguards.
Poortry and Stonestop, a persistent threat since 2022, have been employed by various ransomware groups to bypass security measures.
The malicious kernel driver, often obfuscated with packers like VMProtect or Themida, leverages techniques like driver signature enforcement bypass to gain unauthorized access.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN -14-day free trial
Despite Microsoft’s efforts to revoke abused certificates, the attackers have adapted by using forged signatures or leaked certificates.
Poortry’s creators have demonstrated high adaptability, frequently modifying the driver and switching signing certificates to evade detection, underscoring the importance of robust security measures to combat advanced persistent threats.
Sophos identified attackers deploying Poortry, a malicious tool, with various digital certificates to bypass security measures.
In a single attack, the threat actors used multiple Poortry variants with different certificates (“bopsoft” and “Evangel Technology”) within 30 seconds, likely to evade signature-based detection.
This tactic, called “certificate roulette,” highlights the attackers’ attempt to establish persistence and deploy additional tools like Stonestop for further malicious activity.
Poortry and Stonestop, a sophisticated EDR wiper, employ a multi-phased approach to disable security defenses, where the loader, Stonestop, checks for the driver, Poortry, in the same directory and initiates a handshake via DeviceIoControl.
Poortry then disables EDR products by modifying kernel notify routines and patching callback functions associated with security drivers.
It also detaches specific device objects from the system’s device stack to render installed filters useless, which allows the wiper to effectively impair EDR capabilities, paving the way for subsequent malicious activities.
The EDR killer first targets security-related processes by sending IOCTL requests to its kernel-mode component.
Then, it uses a list of hardcoded paths to locate and delete critical EDR files, such as EXE or DLL files, by sending another IOCTL request.
The user-mode component can operate in two modes: deleting files by type or by name, likely for flexibility in targeting different EDR products. The hardcoded paths and operation modes likely vary depending on the specific target.
Poortry, initially a tool for unhooking endpoint protection components, has significantly evolved. It now abuses stolen code-signing certificates to bypass Driver Signature Verification, providing rootkit-like capabilities for controlling low-level OS functionality.
It can also wipe security software from the disk, creating a path for ransomware deployments. This highlights the tool’s growing sophistication and potential for causing significant harm.
Protect Your Business with Cynet Managed All-in-One Cybersecurity Platform – Try Free Trial