EDR Killer Tool ‘Poortry’ Evolving: Now Targets Critical Windows Security Components



Introduction

On August 27, 2024, Sophos X-Ops released an in-depth report detailing the continued evolution of the ‘Poortry’ toolset, a malicious EDR (Endpoint Detection and Response) killer used by several ransomware gangs. This tool, which has been monitored by cybersecurity researchers since 2022, is now equipped with advanced capabilities that allow it to sabotage Windows security mechanisms and pave the way for ransomware deployment.

Report Overview

Poortry, first reported by Mandiant, is a sophisticated kernel-level driver used in conjunction with a loader named Stonestop. The tool was initially designed to bypass Driver Signature Enforcement, a crucial security measure in Windows operating systems. The attackers behind Poortry exploited various vulnerabilities to have their malicious drivers signed by Microsoft, enabling them to be loaded without detection.

Sophos X-Ops, in collaboration with Microsoft, identified and neutralized many of these signed drivers in 2022 and 2023. However, the attackers have continuously updated Poortry, incorporating new methods to evade detection and disable endpoint protection software.

Poortry's effectiveness hinges on its ability to interact with the Windows kernel through malicious drivers. These drivers, often signed with stolen or leaked certificates, gain low-level access to the operating system, allowing them to manipulate or disable critical security features. The three primary methods used by Poortry to achieve this are:

  1. Abuse of Leaked Certificates: Attackers use compromised certificates from legitimate companies to sign their drivers, exploiting a loophole in Windows that allows older drivers to be loaded without the latest security checks.
  2. Signature Timestamp Forgery: By manipulating the signing process, attackers can forge timestamps to make their malicious drivers appear as though they were signed with valid certificates before certain security updates.
  3. Bypassing Microsoft Attestation Signing: In some cases, attackers have managed to pass Microsoft’s attestation signing process, obtaining a WHQL (Windows Hardware Quality Labs) certificate, which provides the highest level of trust in the Windows ecosystem.

The evolution of Poortry poses significant risks to organizations, particularly those targeted by ransomware groups such as BlackCat, LockBit, and Medusa. The tool’s ability to not only disable but also completely wipe out security software from infected systems makes it a potent threat. With Poortry's continued development, the attackers have refined it into a multi-functional rootkit that can render a system’s EDR and antivirus measures useless, allowing ransomware to be deployed unimpeded.

Insights and Analysis

Organizations must ensure that their security solutions are regularly updated and capable of detecting and blocking such advanced threats. Implementing strict controls on the installation of third-party drivers, maintaining up-to-date backups, and conducting regular security audits are essential steps in mitigating the risk posed by Poortry and similar tools.
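The three signing-abuse patterns listed above and the driver-control advice in this section can be turned into a routine triage check. The following PowerShell script is an added example written for this summary; it is not code from Sophos X-Ops, the original report, or Poortry itself. It enumerates running kernel drivers, inspects each Authenticode signature, and flags signers matching the certificate names in the article's IoC table, drivers whose signature does not validate, and drivers whose signer certificate predates the 29 July 2015 cutoff (the Windows policy exception that lets older cross-signed drivers load without attestation). It also reports whether the Microsoft vulnerable driver blocklist is enforced. The certificate names are taken from the page; the registry value and the 2015 cutoff are Windows policy facts not stated on the page, and the heuristic thresholds are the author's own assumptions.

```powershell
# Added example (not from the Sophos report or the article): triage running
# kernel drivers for the signing-abuse patterns described above. Run elevated.
# Signer names below come from the article's IoC table; the blocklist registry
# value and the 2015-07-29 cutoff are Windows policy facts outside the page.

$suspectSigners = @('FEI XIAO', 'Evangel Technology (HK) Limited', 'Bopsoft')
# Drivers cross-signed before this date are exempt from attestation signing.
$legacyCutoff = Get-Date '2015-07-29'

# 1. Is the Microsoft Vulnerable Driver Blocklist enforced? (WDAC/HVCI policy)
$ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
if ($ci.VulnerableDriverBlocklistEnable -ne 1) {
    Write-Warning 'Microsoft Vulnerable Driver Blocklist is not enabled (VulnerableDriverBlocklistEnable != 1).'
}

# 2. Enumerate running drivers and inspect their Authenticode signatures.
$findings = foreach ($drv in Get-CimInstance Win32_SystemDriver |
                     Where-Object { $_.State -eq 'Running' -and $_.PathName }) {

    # Normalise the image path: strip the \??\ prefix and expand \SystemRoot.
    $path = $drv.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig     = Get-AuthenticodeSignature -FilePath $path
    $cert    = $sig.SignerCertificate
    $subject = if ($cert) { $cert.Subject } else { '<unsigned>' }
    $reasons = @()

    # A signature that does not validate (revoked, expired chain, tampered image).
    if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }

    # Signer name matches a certificate the article lists as stolen or forged.
    foreach ($s in $suspectSigners) {
        if ($subject -like "*$s*") { $reasons += "signer matches IoC '$s'" }
    }

    if ($cert) {
        # Heuristic: a signer cert issued before the cutoff is a precondition for
        # the legacy-driver exception; expect some legitimate OEM hits, so treat
        # this as a review queue, not a verdict.
        if ($cert.NotBefore -lt $legacyCutoff) { $reasons += 'signer cert issued before 2015-07-29 legacy cutoff' }
        # An expired signer cert is only accepted because of a timestamp, which
        # is the condition timestamp forgery abuses.
        if ($cert.NotAfter -lt (Get-Date)) { $reasons += 'signer cert expired (accepted only via timestamp)' }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Driver  = $drv.Name
            Path    = $path
            Signer  = $subject
            Reasons = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Driver | Format-Table -AutoSize
```

The output is a review queue rather than a detection verdict: legitimate OEM drivers will trip the legacy-cutoff and expired-certificate heuristics, so the useful signal is a driver that matches several reasons at once, or any driver whose signer matches the IoC names. Pair the script with a WDAC policy that restricts which publishers may load drivers, which is the strict third-party driver control the paragraph above recommends.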

Conclusion and Call to Action

Poortry's ongoing development highlights the persistent and evolving nature of threats faced by modern organizations. What began as a simple tool to unhook security components has now evolved into a comprehensive weapon against Windows-based defenses. The cybersecurity community must remain vigilant, continuously adapting to these emerging threats to protect against potential breaches.

Indicators of Compromise (IOCs)

| Indicator | Type | Description |
|---|---|---|
| c7iy3d.exe | File Name | Malicious executable dropped by Poortry during ransomware deployment. |
| usnnr.sys | File Name | Malicious kernel driver associated with Poortry, used in attacks. |
| FEI XIAO | Certificate | Forged signing certificate used by Poortry for driver signing. |
| Evangel Technology (HK) Limited | Certificate | Stolen certificate used to sign a Poortry driver in an attack. |
| Bopsoft | Certificate | Another stolen certificate used to sign a Poortry driver. |

MITRE ATT&CK TTPs

| Tactic | Technique | ID | Description |
|---|---|---|---|
| Defense Evasion | Signed Binary Proxy Execution | T1218 | Poortry uses legitimate signed drivers to execute malicious actions. |
| Defense Evasion | Use Alternate Authentication Material | T1550 | Exploitation of stolen or leaked certificates for driver signing. |
| Defense Evasion | Process Injection | T1055 | Poortry may use process injection to evade defenses by running its code within other processes. |
| Persistence, Privilege Escalation | Boot or Logon Autostart Execution | T1547 | Poortry's driver operates at boot or logon to ensure persistence. |

References

Attack tool update impairs Windows computers
An EDR killer Sophos X-Ops has tracked for three years continues to bedevil organizations targeted by ransomware gangs.