FortiGuard Labs is aware that Microsoft recently disclosed that threat actors had used Windows drivers certified by Microsoft maliciously, which prompted them to revoke their signing certificates. According to the Microsoft’s advisory, the malicious drivers were used for post-exploitation activities including ransomware deployment to compromised machines. Separate reports indicate malicious signed-driver named “POORTRY” and STONESTOP malware was used to terminate processes belonging to AV and EDR solutions. Why is this Significant?This is significant because malicious drivers legitimately signed by Microsoft are trusted by the operating system and the use of such drivers allows attackers to perform activities with highest privileges on compromised machines. One of the reported activities include the deployment of Cuba ransomware. Other reports indicate threat actors used “POORTRY”, a malicious driver signed by Microsoft, and STONESTOP malware to terminate processes belonging to AV and EDR solutions.Microsoft’s advisory states that they suspended developer accounts that were likely abused by threat actors to get Microsoft to sign malicious files through a legitimate process. Also, Microsoft revoked signing certificates used to sign the malicious files.What is the Status of Coverage?FortiGuard Labs provides the following AV signatures for the reported and available samples involved in the incident:W64/BURNTCIGAR.BQ!trW64/BURNTCIGAR.CA!trW64/BURNTCIGAR.CB!trW64/Agent.ARD!trRiskware/BURNTCIGARW32/PossibleThreat
Threat Actors Abused Signed Microsoft Drivers
Read Time:1 Minute, 5 Second