The Information Highway

The Information Highway

Font size: +
3 minutes reading time (545 words)

PoorTry Windows driver evolves into a full-featured EDR wiper

The malicious PoorTry kernel-mode Windows driver used by multiple ransomware gangs to turn off Endpoint Detection and Response (EDR) solutions has evolved into an EDR wiper, deleting files crucial for the operation of security solutions and making restoration harder. 

Though Trend Micro had warned about this functionality added on Poortry since May 2023, Sophos has now confirmed seeing the EDR wiping attacks in the wild.

This evolution of PoorTry from an EDR deactivator to an EDR wiper represents a very aggressive shift in tactics by ransomware actors, who now prioritize a more disruptive setup phase to ensure better outcomes in the encryption stage.

PoorTry, also known as 'BurntCigar,' was developed in 2021 as a kernel-mode driver to disable EDR and other security software.

The kit, used by several ransomware gangs, including BlackCat, Cuba, and LockBit, first gained attention when its developers found ways to get their malicious drivers signed through Microsoft's attestation signing process. Other cybercrime groups, such as Scattered Spider, were also seen utilizing the tool in breaches focused on credential theft and SIM-swapping attacks.

Throughout 2022 and 2023, Poortry continued to evolve, optimizing its code and using obfuscation tools like VMProtect, Themida, and ASMGuard to pack the driver and its loader (Stonestop) for evasion.

Evolution to a wiper

The latest report by Sophos is based on a RansomHub attack in July 2024 that employed Poortry to delete critical executable files (EXEs), dynamic link libraries (DLLs), and other essential components of security software. 

This ensures that EDR software cannot be recovered or restarted by defenders, leaving the system completely unprotected in the following encryption phase of the attack.

The process starts with the user-mode component of PoorTry, identifying the security software's installation directories and the critical files within those directories.

It then sends requests to the kernel-mode component to systematically terminate security-related processes and then delete their crucial files.

Paths to those files are hardcoded onto PoorTry, while the user-mode component supports deletion either by file name or type, giving it some operational flexibility to cover a broader range of EDR products.

Deleting by file type functionality
source: Sophos

 The malware can be fine-tuned only to delete files crucial to the EDR's operation, avoiding unnecessary noise in the risky first phases of the attack.

Sophos also notes that the latest Poortry variants employ signature timestamp manipulation to bypass security checks on Windows and use the metadata from other software like Internet Download Manager by Tonec Inc.

Driver properties
source: Sophos

 The attackers were seen employing a tactic known as "certificate roullete," where they deploy multiple variants of the same payload signed with different certificates to increase their chances that at least one will execute successfully.

Various certificates used for signing the Poortry driver over time
source: Sophos

Despite efforts to track PoorTry's evolution and stop its effectiveness, the developers of the tool have shown a remarkable ability to adapt to new defense measures.

The EDR wiping functionality gives the tool an edge over defenders responding to attacks but could also provide new opportunities for detecting the attacks in the pre-encryption phase.

Windows 10 KB5041582 update released with 5 change...
DICK'S shuts down email, locks employee accounts a...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Monday, 23 December 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023