
Driving through defences: Targeted attacks leverage signed malicious Microsoft drivers

December 2022 by SentinelOne

In multiple recent investigations, SentinelOne’s Vigilance DFIR team observed a threat actor using a malicious driver carrying a legitimate Microsoft signature to evade multiple security products. In later sightings, the driver was paired with a separate user-mode executable that used it to control, suspend, and kill processes on the target endpoints. In some cases the threat actor’s ultimate goal was to provide SIM-swapping services.

In 2022, the actors were involved in a variety of intrusions, heavily targeting Business Process Outsourcing (BPO) and telecommunications businesses. Additional targeting includes the entertainment, transportation, Managed Security Service Providers (MSSP), financial, and cryptocurrency sectors.

Notably, SentinelLabs observed a separate threat actor using a similar Microsoft-signed driver in an intrusion that ended with the deployment of Hive ransomware against a target in the medical sector, indicating that this technique is in broader use by several actors with access to similar tooling.

Key findings:
• SentinelOne has observed prominent threat actors abusing drivers bearing legitimate Microsoft signatures in active intrusions into telecommunications, BPO, MSSP, and financial services businesses.
• Investigations into these intrusions led to the discovery of POORTRY and STONESTOP, malware forming a small toolkit designed to terminate AV and EDR processes.
• This discovery was first reported to Microsoft’s Security Response Center (MSRC) in October 2022, and SentinelOne received an official case number (75361). Today, MSRC released the associated advisory ADV220005.

Code signing is a cornerstone of modern operating-system security: the introduction of kernel driver signature enforcement was key to stemming the tide of rootkits for years. Every erosion of that guarantee weakens the verification mechanisms that depend on it at every layer of the OS, because security products and the kernel itself extend implicit trust to a Microsoft-signed driver. We hope Microsoft will further strengthen its driver signing process so that this trust remains justified.
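Because a driver like the one described above is validly signed, a simple "is it signed?" check will not catch it; the practical question for a defender is which loaded drivers carry a Windows Hardware Compatibility Publisher (partner/attestation) signature and are running from an unusual location. The PowerShell below is an added example written for this page, not code from SentinelOne, Microsoft, or the advisory. It inventories running kernel drivers, checks each file's Authenticode signature, and lists those that are WHCP-signed but loaded from outside System32\drivers, or whose signature does not verify. The publisher subject string and the "expected" directory prefix are assumptions and should be tuned per environment.

```powershell
# Added example: hunt for running drivers that are partner/attestation signed
# (Windows Hardware Compatibility Publisher) yet live outside the normal driver
# directory, or whose signature does not verify. Strings below are assumptions.
$whcpSubject  = 'CN=Microsoft Windows Hardware Compatibility Publisher'   # assumed signer CN
$systemPrefix = Join-Path $env:SystemRoot 'System32\drivers'               # assumed "expected" location

# Win32_SystemDriver lists kernel drivers and their image paths; keep only those currently loaded.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }

$results = foreach ($d in $drivers) {
    # PathName may carry a \??\ prefix or surrounding quotes; normalise to a plain file path.
    $path = ($d.PathName -replace '^\\\?\?\\', '').Trim('"')
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Authenticode check of the driver image (embedded or catalog signature, depending on host).
    $sig     = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Name       = $d.Name
        Path       = $path
        SigStatus  = $sig.Status
        Signer     = $subject
        Whcp       = $subject -like "$whcpSubject*"
        OutsideSys = -not $path.StartsWith($systemPrefix, [System.StringComparison]::OrdinalIgnoreCase)
    }
}

# Candidates for closer review: WHCP-signed and loaded from an unexpected directory,
# or any driver whose signature does not verify at all.
$results |
    Where-Object { ($_.Whcp -and $_.OutsideSys) -or $_.SigStatus -ne 'Valid' } |
    Sort-Object Name |
    Format-Table Name, SigStatus, Signer, Path -AutoSize
```

Two caveats when using this: a WHCP signature is normal for third-party hardware drivers, so the output is a triage list rather than a verdict, and on older hosts Get-AuthenticodeSignature may report catalog-signed in-box drivers as NotSigned, which will add noise to the second half of the filter. Cross-check any hit against the vendor's release, the driver's hash, and Microsoft's vulnerable driver blocklist before acting on it.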
