Microsoft-signed malicious Windows drivers used in ransomware attacks

Microsoft has suspended several Microsoft Hardware Developer accounts after drivers signed through those accounts were used in ransomware attacks and other cyberattacks.

This information was shared by SentinelOne, Mandiant, and Sophos, whose researchers explain that threat actors are using malicious kernel-mode drivers whose trust is established by Authenticode signatures obtained from Microsoft.

“Microsoft was notified that malicious post-exploitation activities were taking place using drivers from the Windows Hardware Developer Program. These attacks were carried out by an attacker who had previously gained administrative rights on the compromised system before the driver was used,” explained Microsoft.

“SentinelOne and Mandiant notified us of the activity on October 19, 2022. We then conducted an investigation.”

This investigation found that multiple developer accounts at the Microsoft Partner Center had submitted malicious drivers in order to get a Microsoft signature.

“Another attempt to submit a malicious driver for signature on September 29, 2022 led to the early October suspension of sellers’ accounts.”

Signing kernel-mode drivers

Kernel-mode drivers on Windows run with the highest level of privilege on the system.

A driver can therefore perform malicious actions that user-mode applications are not permitted to perform, such as terminating security software and deleting protected files. A driver can also act as a rootkit to conceal other processes.

Since Windows 10, Microsoft has required hardware kernel-mode drivers to be signed through Microsoft’s Windows Hardware Developer Program.

Developers must purchase an Extended Validation (EV) certificate, complete an identity verification process, and submit their drivers for review. Many security platforms automatically trust code that Microsoft has signed through this program.

A Microsoft-signed kernel-mode driver is therefore a rare and valuable asset for a malicious campaign.

Signing a driver via the Windows Hardware Compatibility Program

Source: Mandiant

Toolkit used to terminate security software

Researchers today released reports describing a toolkit with two components, STONESTOP (a loader) and POORTRY (a kernel-mode driver), used in “bring your own vulnerable driver” (BYOVD) attacks.

SentinelOne and Mandiant say that STONESTOP, a user-mode application, attempts to terminate endpoint security software on the device. A second variant can also delete and overwrite files.

STONESTOP loads the Microsoft-signed POORTRY kernel-mode driver, which is then used to terminate protected Windows processes.

SentinelLabs reports that “STONESTOP acts as both an installer/loader for POORTRY as well as an orchestrator, to direct the driver in what actions to take.”

POORTRY driver signed by Microsoft

Source: BleepingComputer

Linked to SIM swappers and ransomware

All three companies observed the tools being used by various threat actors.

Sophos’ Rapid Response team stopped an attack during an incident response engagement before the attackers could deploy the final payload.

Sophos has, however, attributed this attack with “high confidence” to the Cuba ransomware operation, which previously used a version of this malware.

Sophos explains that threat actors linked to Cuba ransomware have used the BURNTCIGAR utility to load a malicious driver signed with Microsoft’s certificate.

SentinelOne also observed this Microsoft-signed toolkit being used in attacks against financial services, telecommunications, BPO, and MSSP businesses, and in one instance against a medical organization.

SentinelLabs also found a different threat actor using a Microsoft-signed driver, which resulted in Hive ransomware being deployed against a medical target. This may indicate that other actors have access to the same tooling.

Mandiant, meanwhile, identified UNC3944, a threat actor well known for SIM swapping and other attacks, as having used the toolkit in attacks in August 2022.

Mandiant observed the malware being used after it was signed through the attestation process. “UNC3944, a financially motivated threat group, has been active since at least May 2022. It often gains network access by using stolen credentials from SMS phishing operations,” Mandiant’s detailed report states.

It is not clear how many threat groups are using signed drivers.

SentinelOne and Mandiant believe that the toolkit, or at the very least the code signing, is provided by a supplier.

“The similarity in functionality and design among the drivers is further evidence that supports the theory of a ‘supplier’. They were used by different threat actors but worked in the exact same manner. They could have been created by one person and then sold to another.” – SentinelOne

Mandiant says it was able to extract the names of the organizations that submitted the drivers to Microsoft for signing:

Qi Lijun
Luck Bigger Technology Co., Ltd
XinSing Network Service Co., Ltd
Hangzhou Shunwang Technology Co., Ltd.
Fujian Altron Interactive Entertainment Technology Co., Ltd.
Xiamen Hengxin Excellence Network Technology Co., Ltd.
Dalian Zongmeng Network Technology Co., Ltd.

Microsoft responds

Microsoft has released security updates that revoke the certificates used by the malicious files and has suspended the accounts that submitted the drivers for signing.

Microsoft has also released Microsoft Defender signatures (1.377.987.0) to detect the legitimately signed drivers used in the attacks.
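A defender who wants to check whether a host is still running a driver whose Microsoft signature has since been revoked, or one that was never signed under the program described above, can audit the loaded kernel-mode drivers as follows. This is an added example, not code from the article or from any of the vendors mentioned; it assumes an elevated PowerShell session on Windows 8 or later (Test-Certificate comes from the built-in PKI module).

```powershell
# Added example (not from the article): audit the kernel-mode drivers currently
# loaded on a Windows host and report any whose Authenticode signature no longer
# verifies (for example after a certificate revocation) or that are unsigned.
# Run from an elevated PowerShell prompt.

function Get-DriverSignatureReport {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($drv in $drivers) {
        # PathName may be quoted, carry a \??\ prefix, use \SystemRoot, or be
        # relative to the Windows directory; normalise it to a plain file path.
        $path = $drv.PathName -replace '"', ''
        $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name       = $drv.Name
            Path       = $path
            Status     = $sig.Status               # Valid, NotSigned, HashMismatch, ...
            Signer     = $sig.SignerCertificate.Subject
            Thumbprint = $sig.SignerCertificate.Thumbprint
            NotAfter   = $sig.SignerCertificate.NotAfter
        }
    }
}

$report = Get-DriverSignatureReport

# Anything that is not 'Valid' deserves a look: an unsigned or tampered driver
# should not be running on a host with driver signature enforcement.
$report | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Name, Status, Signer, Path -AutoSize

# For drivers that still verify, run an explicit chain and revocation check on
# the signing certificate, so a certificate Microsoft has since revoked is caught.
$report | Where-Object { $_.Status -eq 'Valid' } | ForEach-Object {
    $cert = (Get-AuthenticodeSignature -LiteralPath $_.Path).SignerCertificate
    if (-not (Test-Certificate -Cert $cert -Policy Base -ErrorAction SilentlyContinue)) {
        "Chain or revocation failure: $($_.Name) signed by $($_.Signer)"
    }
}
```

Drivers flagged here should be checked against the Defender signature update and the vendor reports before any action, since a chain failure can also mean the host simply cannot reach the CRL or OCSP endpoint.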

Microsoft said it is also working with Microsoft Active Protections Program (MAPP) partners to develop additional detections and better protect shared customers.

“The Microsoft Partner Center is also working on long-term solutions to address these misleading practices and prevent any future customer impact.”

Microsoft has yet to disclose how the malicious drivers were able to pass its initial review.

BleepingComputer reached out to Microsoft to ask more questions regarding the review and advisory process, but Microsoft did not respond.