In 2022 and 2023, Sophos X-Ops published findings showing that the malware in question was being developed and used in tandem with multiple prominent ransomware groups. The malware was originally named Poortry by Mandiant, with its loader named Stonestop.
The developers behind Poortry managed to obtain purpose-built kernel-level drivers that were digitally signed through Microsoft's attestation process. After we published our findings and Microsoft closed that loophole, the developers did not rest on their laurels. They have persistently updated Poortry with new features and capabilities, all while attempting to evade detection and developing new ways to bypass endpoint security software and disable Endpoint Detection and Response (EDR) systems.
To shed light on Poortry's latest features, it is necessary to look at how drivers interact with the operating system, and at how the software has evolved over time.
Malicious or outdated drivers on Windows devices pose a significant security threat. An attacker who gains control of a computer often exploits vulnerabilities in device drivers to gain unauthorized access to sensitive information, and drivers that are not kept up to date may contain security holes that attackers can leverage to compromise the system.
Most EDR (Endpoint Detection and Response) killers rely on having a driver loaded in the target system's kernel, which grants them the low-level functionality needed to disable and terminate various kinds of security software.
On Windows, the operating system grants kernel-mode drivers significant privileges, enabling them to interact directly with peripherals and system components at a low level. Typically, these drivers operate independently and do not integrate with software or hardware from other companies, although nothing formally prohibits this. If a trusted, signed driver fails to properly authenticate who is interacting with it, attackers can use the limited set of operations it exposes to disable protective mechanisms.
Microsoft has implemented various mechanisms to control the loading of drivers, including the Driver Signature Enforcement feature, which requires drivers to be digitally signed by a trusted software developer before they can be loaded.
EDR killer developers exploit the assumptions behind this model: they may take a driver from a respected software company that is already known to be vulnerable, or sign their own driver with a trusted digital certificate obtained by theft or other compromise, making it appear legitimate.
Typically, EDR killer builders abuse code signatures in three distinct ways.
Abuse of leaked certificates
By signing their own driver with a leaked code-signing certificate from a trusted entity, attackers can load it without tripping Driver Signature Enforcement and gain control over the system.
Since Windows 10, version 1607, and enforced on Windows 11, third-party kernel-mode drivers must be submitted to Microsoft's developer portal and cross-signed by Microsoft. Nonetheless, drivers that have not been signed by Microsoft can still be loaded if they meet one or more of the following conditions:
- The PC was upgraded from an earlier release of Windows to Windows 10, version 1607.
- Secure Boot is disabled in the system BIOS.
- The driver was signed with a legacy end-entity certificate issued before July 29, 2015, whose chain leads to a trusted root certificate through a supported cross-signed CA, with no more than three or four intermediate certificates.
Although the handling of stolen certificates reduced the risk from drivers originally signed with them, this exception leaves open a loophole that lets attackers keep using the original method.
Signature timestamp forgery
To maintain compatibility with legacy drivers, Windows still accepts drivers signed with "end-entity certificates issued prior to July 29, 2015 that chain to a trusted cross-certified authority."
To sign a kernel driver, Microsoft provides developers with a tool called **Signtool.exe**. Besides signing the given file, signtool also verifies that the certificates used are still valid and trusted, relying on system API calls to do so.
By hooking the low-level API calls that the signing process uses, attackers can manipulate the signing process and circumvent these checks, allowing them to load their own kernel driver. The advantage of this approach is that the resulting signature carries a seemingly valid timestamp, so it passes signtool.exe's built-in verification.
Bypassing Microsoft attestation signing
The final method is to pass Microsoft's attestation signing process and have the driver signed by Microsoft itself. This is probably the hardest of the three to pull off, but it yields a WHQL signature issued by Microsoft, which is essentially the holy grail.
To abuse this method, attackers need:
- A valid EV certificate
- An account on the Microsoft Developer Portal
Once these prerequisites are in place, a CAB file containing the driver is assembled, signed with the EV certificate, and submitted to the dashboard.
Upon submission, the driver is subjected to checks intended to verify that it is benign. If it passes, it is signed as "Microsoft Windows Hardware Compatibility Publisher".
Poortry & Stonestop: A Related Risk Since 2022
Poortry, also known as BurntCigar, is a malicious kernel driver that, together with the Stonestop loader, was first documented by Mandiant. It bypasses Driver Signature Enforcement using one of the three tactics outlined above. Each sample is heavily obfuscated with various commercial and open-source packers, including VMProtect, Themida, and ASMGuard.
From late 2022 to mid-2023, certain Poortry variants carried Microsoft's WHQL (Windows Hardware Quality Labs) signatures. Through collaboration between Sophos X-Ops and Microsoft, the majority of the maliciously signed driver samples were identified, and Microsoft deactivated the accounts used to obtain these illegitimate signatures.
The creators of Poortry did not give up; instead, they switched to forging timestamp signatures or obtaining compromised digital certificates.
In the past year, our efforts have enabled the disruption of attacks linked to at least five prominent ransomware families.
- CUBA
- BlackCat
- Medusa
- LockBit
- RansomHub
Since 2023, law enforcement has observed a recurring pattern of threat actors leveraging Poortry during attacks. In our initial examination, we found that Poortry's developers constantly change their packer, resulting in numerous versions with minimal modifications from the original. Our investigation uncovered several distinct WHQL-signed versions, each packed with a different commercial or open-source packer.
With that avenue closed, Poortry's creators shifted strategy and now sign drivers with various non-Microsoft certificates.
The following diagram shows a timeline of the notable signer names used by Poortry's payload driver over a 15-month period.
During incident response engagements, we gather observations at various stages and compile them into a telemetry dataset. We cannot be certain of everything, but one thing stands out: the sheer number of certificates far exceeds what any single investigation reveals.
Playing certificate roulette
Sophos occasionally sees a threat actor deploy several variants of Poortry on separate devices within a single organization during one attack. The variants share the same payload and differ only in their digital signatures, which were first observed during the attack. In August 2023, a Sophos X-Ops investigation found that initial access was obtained through the remote access tool SplashTop. As soon as the attackers were in the network, they deployed Poortry and Stonestop. The driver was signed as "bopsoft", a signer already flagged for using stolen certificates, and it was blocked by a behavioral rule.
Within 30 seconds of the final attempt to use the "bopsoft"-signed driver, the attackers loaded a different Poortry driver, this one signed as "Evangel Technology (HK) Limited". The host was quickly isolated by remote action and the attack was stopped.
The transition to wiping
In July 2024, Sophos CryptoGuard blocked a RansomHub ransomware deployment, stopping the attempted encryption, and analysts quickly cut off the attackers' access. Subsequent analysis found that two additional executables had been placed on multiple machines before the ransomware attack:
- <drive>:\Users\<user>\Desktop\c7iy3d.exe
- <drive>:\Users\<user>\AppData\Local\Temp\usnnr.sys
Through static and dynamic analysis, we determined that the files were Poortry and Stonestop. Among the notable differences from the previous version, Poortry has extended its capabilities to fully remove essential EDR components from disk rather than merely stopping them.
Trend Micro reported in 2023 that Poortry had the capability to delete files from disk; this is the first time we have observed it used in an attack.
What is new in the latest variant
The two files, the Stonestop executable and the Poortry driver, are tightly coupled and heavily packed. The loader is obfuscated with ASMGuard, a packer publicly available on GitHub.
The driver is signed with a certificate in the name "FEI XIAO"; Sophos X-Ops examined this certificate and the signature's timestamp. Notably, the driver mimics the version information found in the properties sheet of a legitimate driver (idmtdi.sys) from a commercial software package. It is not, however, an authentic part of that package; the attackers simply copied that information.
For the purpose of this write-up, we divide the operational flow into three phases.
Initialization phase
In the incidents we have analyzed, the threat actors typically drop Poortry and Stonestop together. Upon execution, Stonestop checks whether the corresponding driver file exists in the current directory.
The filename and device name of the driver are hardcoded in the loader. During initialization, the loader obtains a handle to the malicious kernel driver and begins a handshake by sending a predefined sequence of characters to the driver through the DeviceIoControl API.
Communication between device drivers and applications generally goes through the DeviceIoControl API. The kernel-mode component exposes functions that are triggered when a specific IOCTL code is sent. In earlier variants, device control operations were handled by the IRP_MJ_DEVICE_CONTROL handler; the current implementation receives I/O request packets through the IRP_MJ_MAXIMUM_FUNCTION handler.
Note that the mapping from IOCTL code to function has changed since our last analysis. Previously, terminating a given process by its PID was triggered by sending an I/O request packet with code 0x222094. In the new variant, the same functionality is mapped to IOCTL code 0x222144.
Since Trend Micro's 2023 report was published, Poortry's developers have significantly expanded the set of IOCTL codes, from 10 to a total of 22. We are still analyzing all of the available functions.
During the handshake, a predefined message is sent to the driver. Upon successful validation of the handshake value, a flag is set in the binary that enables the malicious driver's capabilities.
Impairment phase
The next phase focuses on bypassing EDR products through a number of methods that remove or alter kernel notification routines.
Windows provides various mechanisms that security drivers use to register callback functions for specific events in the system. For example, PsSetCreateProcessNotifyRoutine registers a driver-supplied callback routine that is invoked whenever a new process is created.
Disabling these callback routines is an effective way to neutralize EDR products. In 2022, our research showed that the BlackByte ransomware leveraged a vulnerable driver to hijack critical kernel notification routines.
In the second phase, seven distinct IOCTL codes are dispatched to the kernel-mode component, but only the function behind 0x222400 is actually executed. The others are skipped because of specific flags hardcoded in the executable. We believe the inactive features are either experimental, enabled only by specific procedures, or simply disabled.
The IOCTL codes and their corresponding behaviors are listed below:
0x2220C0 (Disabled)
When received, Poortry runs an initialization routine that resolves the addresses of key kernel structures and functions.
0x222100 (Disabled)
When received, Poortry attempts to enable or disable kernel callbacks by modifying the PspNotifyEnableMask flag. This is a well-known rootkit trick for enabling or disabling kernel-mode callback routines, potentially subverting critical security mechanisms.
0x222104 (Disabled)
When received, Poortry adjusts the kernel callback settings for the PsProcess, PsThread, and ExDesktopObj object types. These kernel-mode structures represent specific entities within the Windows kernel; the PsProcess object type, for example, describes a process. Each object type also contains a field referencing the callback functions registered for it.
Since this feature is disabled, we can only speculate on what an attacker would do with these callback lists. One possibility is to render the callbacks inert by replacing them with a custom function that does nothing and returns immediately.
0x222108 (Disabled)
When received, Poortry modifies the CmpCallbackCount variable, which enables or disables registry kernel callbacks. The variable tracks the number of registered callbacks; if it is set to zero, we expect the callbacks to be rendered ineffective.
0x22210C (Disabled)
When received, Poortry attempts to detach the fltMgr.sys driver from the FileSystemFastFat and FileSystemNtfs devices using IoDetachDevice. Legitimate drivers commonly call this function to clean up during shutdown, but rootkits can abuse it to prevent targeted drivers from receiving any further I/O requests.
fltMgr.sys is the Filter Manager on Windows, which manages the execution of kernel-mode file system filters. Such filters are used to extend or modify existing file system functionality, and much of an EDR product's functionality typically depends on this ability.
We believe that detaching the device with IoDetachDevice renders the installed filters ineffective on the targeted system.
0x2221C0 (Disabled)
When received, Poortry retrieves the major function handlers of ClassPnp.sys and ntfs.sys, such as NtfsFsdClose or NtfsFsdRead in ntfs.sys. We therefore believe this routine serves as an additional initialization step that obtains function pointers used by other features.
0x222400 (Enabled)
When received, Poortry disables kernel callbacks using a number of different methods. The I/O request packet sent by the user-mode component carries the name of the targeted driver.
Callbacks registered via PsSetLoadImageNotifyRoutine, PsSetCreateThreadNotifyRoutine, and PsSetCreateProcessNotifyRoutine are patched so that they no longer do anything: Poortry overwrites the first instruction of the callback so that it immediately returns zero.
So far, we have identified the following methods used to render kernel callbacks and security driver functionality ineffective:
- The structures holding the load image, thread creation, and process creation notification routines are traversed. If a callback belongs to a tagged security driver, the registered callback is patched to return immediately without performing any of its intended actions.
- The Windows kernel object types PsProcess, PsThread, and ExDesktopObject each contain a CallbackList field that holds all callback routines registered for that object type. Poortry iterates over this list, and if a callback belongs to a tagged security driver, the registered callback is patched to exit immediately without executing its intended operations.
- The linked list of callbacks registered via CmRegisterCallback and CmUnregisterCallback, which the kernel uses to invoke registry callbacks, is traversed. When a callback belongs to a tagged security driver, the first instructions of the routine are patched.
- Poortry uses the FltEnumerateFilters export of fltmgr.sys to enumerate the filters in use on the system. When a filter belongs to a tagged security driver, the first instructions of its routine are patched.
- Where previously we could not directly observe this, our findings now confirm that Poortry can detach a device object from a device stack by abusing the underlying system call. Unlike the straightforward functionality behind IOCTL code 0x22210C, this implementation is more targeted, detaching devices according to the ID supplied via DeviceIoControl.
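A defender-side check for the patching described above, added here as an example rather than taken from Sophos: given callback records like those a memory-forensics tool lists (driver owning the callback plus the first bytes at its entry), it flags callbacks in a security driver whose entry now begins with a return stub. The records and driver names are constructed.

```python
"""Heuristic check for kernel notify callbacks patched into an immediate
'return 0' stub, as described for the 0x222400 routine. Added example, not
Sophos X-Ops code; the callback records below are constructed."""
from dataclasses import dataclass

# Common x64 encodings of "return zero" / "return" that a patched callback
# entry would start with. Not exhaustive; this is a heuristic.
RETURN_STUBS = (
    bytes.fromhex("31c0c3"),        # xor eax, eax ; ret
    bytes.fromhex("33c0c3"),        # xor eax, eax ; ret (alternate encoding)
    bytes.fromhex("4831c0c3"),      # xor rax, rax ; ret
    bytes.fromhex("4833c0c3"),      # xor rax, rax ; ret (alternate encoding)
    bytes.fromhex("b800000000c3"),  # mov eax, 0   ; ret
    bytes.fromhex("c3"),            # bare ret
)


@dataclass
class CallbackRecord:
    kind: str     # registration API, e.g. "PsSetCreateProcessNotifyRoutine"
    owner: str    # driver image that owns the callback address
    entry: bytes  # first bytes read at the callback address


def is_return_stub(code):
    """True if the bytes at a callback entry start with a known return stub."""
    return any(code.startswith(stub) for stub in RETURN_STUBS)


def find_patched_callbacks(records, protected_drivers):
    """Return records whose callback belongs to one of the protected (security)
    drivers and whose entry has been turned into a return stub."""
    return [r for r in records
            if r.owner.lower() in protected_drivers and is_return_stub(r.entry)]


# Constructed records; "edr_placeholder.sys" stands in for a real security driver.
SAMPLE_CALLBACKS = [
    CallbackRecord("PsSetCreateProcessNotifyRoutine", "edr_placeholder.sys",
                   bytes.fromhex("48895c2408")),    # mov [rsp+8], rbx: normal prologue
    CallbackRecord("PsSetLoadImageNotifyRoutine", "edr_placeholder.sys",
                   bytes.fromhex("31c0c3")),        # patched: xor eax, eax ; ret
    CallbackRecord("CmRegisterCallback", "edr_placeholder.sys",
                   bytes.fromhex("b800000000c3")),  # patched: mov eax, 0 ; ret
    CallbackRecord("PsSetCreateThreadNotifyRoutine", "unrelated.sys",
                   bytes.fromhex("c3")),            # bare ret in a non-protected driver
]
PROTECTED = {"edr_placeholder.sys"}
```

A callback that legitimately starts with one of these stubs is possible but unusual, so treat a hit as a lead for comparing the bytes against the on-disk driver image.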
Cleanup phase
After impairment, the EDR killer's goal is to terminate security-relevant processes and render the EDR agent inoperable by deleting critical files from disk.
First, the user-mode component issues a sequence of DeviceIoControl calls with IOCTL code 0x222144 and the PID of the process to be terminated, which the kernel-mode component then kills.
The loader contains a list of predefined file paths where EDR products are typically installed. It traverses all subdirectories, collects the files within the designated folder, and then deletes files essential to the EDR agent, such as executables (EXE) and dynamic-link libraries (DLL), by sending an IOCTL request with code 0x222180 to the driver. The request contains the path of the file to be deleted.
Notably, the user-mode component can operate in either of two modes:
- Deleting files by type
- Deleting files by name
It appears the author introduced multiple modes to allow flexibility in targeting different products. We further assume that the list of hardcoded directories pointing at known EDR installation folders varies depending on the intended target.
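As an added example (not Sophos X-Ops code) tying together the IOCTL mapping described in the initialization phase and the impairment and cleanup codes above: it decodes the listed CTL_CODE values into their fields and flags, in constructed DeviceIoControl telemetry, a handle on which the impairment IOCTL is followed by a kill or delete IOCTL. The handshake code value 0x222000 and the device name are placeholders, not values from the write-up.

```python
"""Decode Poortry-style IOCTL codes and flag the impair -> cleanup chain in
DeviceIoControl telemetry. Added illustration, not Sophos X-Ops code; the
event records are constructed for this example."""
from dataclasses import dataclass

FILE_DEVICE_UNKNOWN = 0x22  # device type encoded in all of Poortry's codes
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# IOCTL codes and behaviours as listed in the write-up for the new variant.
IOCTL_IMPAIR, IOCTL_KILL_PID, IOCTL_DELETE_FILE = 0x222400, 0x222144, 0x222180
KNOWN_IOCTLS = {
    0x2220C0: "init: resolve kernel structures (disabled)",
    0x222100: "toggle PspNotifyEnableMask (disabled)",
    0x222104: "patch object-type callback lists (disabled)",
    0x222108: "zero CmpCallbackCount (disabled)",
    0x22210C: "detach fltMgr from FastFat/NTFS (disabled)",
    0x2221C0: "resolve ClassPnp/ntfs handlers (disabled)",
    IOCTL_IMPAIR: "impair: patch callbacks of the named security driver",
    IOCTL_KILL_PID: "cleanup: terminate process by PID",
    IOCTL_DELETE_FILE: "cleanup: delete file by path",
}

def decode_ioctl(code):
    """Split a CTL_CODE value into device type, access, function and method."""
    return {"device_type": (code >> 16) & 0xFFFF,
            "access": ACCESS[(code >> 14) & 0x3],
            "function": (code >> 2) & 0xFFF,
            "method": METHODS[code & 0x3]}

def is_vendor_defined(code):
    """Function numbers 0x800-0xFFF are reserved for third-party drivers."""
    return decode_ioctl(code)["function"] >= 0x800

@dataclass
class IoctlEvent:
    pid: int
    device: str  # device path opened with CreateFile
    code: int    # dwIoControlCode passed to DeviceIoControl

def find_edr_killer_chains(events):
    """Group events by (pid, device) and report chains in which the impairment
    IOCTL is followed by a process-kill or file-delete IOCTL."""
    per_handle = {}
    for ev in events:
        per_handle.setdefault((ev.pid, ev.device), []).append(ev.code)
    hits = {}
    for key, codes in per_handle.items():
        if IOCTL_IMPAIR not in codes:
            continue
        after = codes[codes.index(IOCTL_IMPAIR) + 1:]
        if any(c in (IOCTL_KILL_PID, IOCTL_DELETE_FILE) for c in after):
            hits[key] = {"vendor_ioctls": sum(is_vendor_defined(c) for c in codes),
                         "actions": [KNOWN_IOCTLS.get(c, "unknown") for c in codes]}
    return hits

# Constructed sample: a benign disk query, then a loader driving a Poortry-like
# driver; 0x222000 stands in for the handshake code and the device is a placeholder.
SAMPLE_EVENTS = [
    IoctlEvent(100, r"\\.\PhysicalDrive0", 0x70000),  # IOCTL_DISK_GET_DRIVE_GEOMETRY
    IoctlEvent(4242, r"\\.\PLACEHOLDER_DEVICE", 0x222000),
    IoctlEvent(4242, r"\\.\PLACEHOLDER_DEVICE", IOCTL_IMPAIR),
    IoctlEvent(4242, r"\\.\PLACEHOLDER_DEVICE", IOCTL_KILL_PID),
    IoctlEvent(4242, r"\\.\PLACEHOLDER_DEVICE", IOCTL_DELETE_FILE),
]
```

Every code the write-up lists decodes to FILE_DEVICE_UNKNOWN, FILE_ANY_ACCESS and METHOD_BUFFERED with a vendor-range function number, which is a useful first filter before matching on the specific sequence.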
In conclusion
Since the joint Sophos-Microsoft report revealing that Poortry and its companion loader Stonestop abused the Windows Hardware Quality Labs (WHQL) signing process, both have undergone significant changes in just 20 months. What began as a straightforward tool for bypassing endpoint security components has turned into a versatile tool that draws on a virtually boundless supply of compromised or misused code signing certificates to circumvent Driver Signature Enforcement.
What sets Poortry's creators apart is their approach: the software goes beyond merely disabling an EDR or anti-tamper driver. Poortry has evolved into a sophisticated tool capable of subtly manipulating numerous kernel routines, and with them low-level operating system functionality. Its latest iteration can remove its targets, the security software, from the system altogether, clearing the way for a subsequent ransomware attack.
Sophos X-Ops has published Indicators of Compromise (IOCs) on our GitHub.