Researchers from three separate organizations recently discovered that threat actors were deploying a malicious Windows driver that had been signed by a legitimate Microsoft developer certificate as part of post-exploitation activity, sometimes leading up to ransomware deployment.
The driver has been seen in several intrusions at a variety of organizations in the last four months, notably at telecom, financial, and MSSP companies. There are at least separate versions of the malicious driver toolkit, and one of the main things the toolkit tries to accomplish is killing off EDR and antimalware processes running on the target device. Researchers from Sophos came across the driver during an incident response, and Mandiant and SentinelOne discovered the malicious driver independently around the same time in October and reported it to MIcrosoft, which suspended the developer accounts that had been used to sign the driver.
“I can’t think of an instance where something like this has happened. The timing is coincidental, but this was clearly circulating,” said Christopher Budd, director of threat research at Sophos, said in an interview.
The activity the researchers identified was associated with several separate threat actors, some of which have been known to deploy ransomware, including the Hive and Cuba ransomware strains. One of the non-ransomware threat actors that has been using the malicious signed drivers is a group Mandiant calls UNC3944, a financially motivated group that has been employing the driver toolkit since August 2022. Some earlier versions of the toolkit, which includes two separate components known as POORTRY and STONESTOP, were signed with non-Microsoft certificates that had been stolen and used by many threat actors to sign malware.
“The toolkit contains simple protection mechanisms used to prevent its repurpose, reuse, and redistribution. The toolkit consists of two main components: a userland component (STONESTOP), and a kernel mode component (POORTRY). STONESTOP functions as both a loader/installer for POORTRY, as well as an orchestrator to instruct the driver with what actions to perform. POORTRY exposes an IOCTL interface that includes functionality to tamper with target processes supplied by the STONESTOP component,” researchers at SentinelOne said in a post detailing the malicious driver’s behavior.
Microsoft on Tuesday issued a Windows update that revoked the certificate used to sign the driver and also implemented blocking rules to prevent the malicious signed drivers from running.
“Microsoft was informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers. We were notified of this activity by SentinelOne, Mandiant, and Sophos on October 19, 2022, and subsequently performed an investigation into this activity,” Microsoft said in an advisory Tuesday.
“We know the bad guys watch each other and learn from each other. I certainly think others will learn from this tactic.”
“This investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature. A new attempt at submitting a malicious driver for signing on September 29th, 2022, led to the suspension of the sellers’ accounts in early October. Ongoing Microsoft Threat Intelligence Center (MSTIC) analysis indicates the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware.”
The use of stolen certificates to sign malware or malicious drivers is by no means new or unique. A certificate stolen by the Lapsus$ group earlier this year from NVIDIA was used to sign an earlier version of the POORTRY/STONESTOP toolkit, and last year a version of the Netfilter rootkit was found to have been signed by a legitimate Microsoft certificate, too.
“The use of stolen or fraudulently obtained code signing certificates by threat actors has been a common tactic and providing these certificates or signing services has proven a lucrative niche in the underground economy. Mandiant has identified numerous threat actors and services advertising in a variety of languages, including English, Russian, and Chinese, that claim to provide code signing certificates or sign malware on behalf of threat actors,” Mandiant said in a post
Threat actors have taken to this tactic because it allows their malicious creations to get past the built-in defenses against malware in Windows.
“Because drivers pose a uniquely challenging risk to security, Windows enables Driver Signature Enforcement by default. The policy ensures that all kernel-mode drivers need to be signed in order to be loaded. If the policy is enabled and the driver is not signed, Windows will not load the driver, throw error code 577, and display a message that it cannot verify the digital signature for this file,” SophosLabs researchers Andreas Klopsch and Andrew Brandt said.
“To get around this security measure, attackers must use a signed driver, preferably one that’s signed with a currently valid key from a trustworthy source.”
This type of behavior by threat actors is unlikely to fall away anytime soon, as it’s proven to be effective.
“We know the bad guys watch each other and learn from each other. I certainly think others will learn from this tactic. It’s an effective one,” Budd said. “They’re going to refine it.”