Microsoft-Signed Malicious Drivers Usher In EDR-Killers, Ransomware

Malicious Windows drivers signed as legit by Microsoft have been spotted as part of a toolkit used to kill off security processes in post-exploitation cyber activity.

Dark, foggy outdoor silhouette of a man wielding a large cleaver. Duotone red.
Source: Ron Bailey via Alamy Stock Photo

Malicious drivers certified by Microsoft's Windows Hardware Developer Program have been used to juice post-exploitation efforts by cybercriminals, Redmond warned this week — including being used as part of a small toolkit aimed at terminating security software in target networks.

"Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature," Microsoft explained in an advisory issued on Dec. 13. "A new attempt at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers' accounts in early October."

Code signing is used to provide a level of trust between the software and the operating system; as such, legitimately signed drivers can skate past normal software security checks, helping cybercriminals move laterally from device to device through a corporate network.

SIM-Swap, Ransomware Attacks

In this case, the drivers were likely used in a variety of post-exploitation activity, including deploying ransomware, the computing giant acknowledged. And Mandiant and SentinelOne, which along with Sophos jointly alerted Microsoft to the issue in October, have detailed the drivers' use in specific campaigns.

According to their findings, also issued on Dec. 13, the drivers have been used by the threat actor known as UNC3944 in "active intrusions into telecommunication, BPO [business process optimization], MSSP [managed security service provider], and financial services businesses," resulting in a variety of outcomes.

UNC3844 is a financially motivated threat group active since May that usually gains initial access to targets with phished credentials from SMS operations, according to Mandiant researchers.

"In some cases, the group’s post-compromise objectives have focused on accessing credentials or systems used to enable SIM-swapping attacks, likely in support of secondary criminal operations occurring outside of victim environments," Mandiant detailed in a separate Dec. 13 blog post on the issue.

In service of those goals, the group was observed using the Microsoft-signed drivers as part of a toolkit designed to terminate antivirus and EDR processes. That toolkit consists of two pieces: Stonestop, a Windows userland utility that terminates processes by creating and loading a malicious driver, and Poortry, a malicious Windows driver that uses Stonestop to initiate process termination.

SentinelLabs also observed a separate threat actor using the same driver, "which resulted in the deployment of Hive ransomware against a target in the medical industry, indicating a broader use of this technique by various actors with access to similar tooling."

To combat the threat, Microsoft has released Windows Security Updates that revoke the certificate for affected files and suspended the partners' seller accounts.

"Additionally, Microsoft has implemented blocking detections (Microsoft Defender 1.377.987.0 and newer) to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity," the company noted in the advisory.

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights