Driving Through Defenses | Targeted Attacks Leverage Signed Malicious Microsoft Drivers

SentinelOne observes threat actors abusing legitimately signed Microsoft drivers to intrude into telecom, BPO, MSSP, and financial services organizations. The activity centers on a two-component toolkit (STONESTOP and POORTRY) that terminates AV/EDR processes and can even support SIM-swapping services. Microsoft’s MSRC issued advisory ADV220005 in response, with Mandiant collaborating on the research. #POORTRY #STONESTOP #Hive

Keypoints

  • Threat actors abused legitimately signed Microsoft drivers to evade security products across multiple sectors including telecom, BPO, MSSP, and financial services.
  • In the POORTRY/STONESTOP toolkit, the driver component (POORTRY) terminates security processes and tampers with target processes through a set of IOCTLs, which the loader/installer component (STONESTOP) issues to orchestrate the attack.
  • Three POORTRY versions were observed: v1 was unsigned; v2 was VMProtect-packed and WHQL-signed; v3 was WHQL-signed, packed with an unidentified packer, and added file-tampering capability.
  • Operational differences across versions include packing/anti-analysis techniques, process-name handling, and extended capabilities such as file tampering and PID masking.
  • The 2022 campaigns targeted BPOs and telecoms, with broader targeting across the entertainment, transportation, MSSP, financial, and crypto sectors; a Hive ransomware deployment in the medical sector was linked to a similar driver.
  • Detection recommendations include using Authenticode signature metadata to identify the originating publisher of a driver and blocklisting Microsoft-signed drivers by that originating publisher.
  • Two competing supplier theories exist: drivers may be sold as a service or developed by compromised legitimate developers, suggesting broader ecosystem abuse of the signing process.

MITRE Techniques

  • [T1218] Signed Binary Proxy Execution – Use of a Microsoft signed malicious driver to evade security products. “threat actor utilizing a Microsoft signed malicious driver to attempt evasion of multiple security products.”
  • [T1562.001] Impair Defenses – Termination of AV/EDR processes via driver IOCTLs to hinder protection. “to terminate AV and EDR processes on the target endpoints.”
  • [T1027] Obfuscated/Compressed Files and Information – Toolkits packed with VMProtect and an unidentified packer to hinder analysis. “The POORTRY variant of the second version of the toolkit … packed using VMProtect.”
  • [T1057] Process Discovery – STONESTOP reads process names from an external configuration file and maps them to PIDs. “reads process names from an external configuration file named, for example, poyuo.pdata” and “maps the process names to PIDs.”

Indicators of Compromise

  • [MD5] Version 1 sample hashes – 04a88f5974caa621cee18f34300fc08a, and 1 more hash
  • [MD5] Version 2 sample hashes – 6fcf56f6ca3210ec397e55f727353c4a
  • [SHA-1] Version 1 sample hash – a804ebec7e341b4d98d9e94f6e4860a55ea1638d
  • [SHA-1] Version 2 sample hash – 6debce728bcff73d9d1d334df0c6b1c3735e295c
  • [SHA-256] Version 1 sample hash – 9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c
  • [SHA-256] Version 2 sample hash – 8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104

Read more: https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers/