The Poortry/BurntCigar toolkit has added more ways to evade detection and has evolved into something akin to a rootkit.

Defenders are being warned that a tool used by several ransomware gangs to sabotage the functions of endpoint protection software has been updated, with at least one attacker using a new capability to wipe endpoint detection and response (EDR) software from a victim’s IT system.

Researchers at Sophos said this month they saw evidence during an investigation of an attack in July that the toolset — which has been dubbed Poortry or BurntCigar by some researchers — was used to delete EDR components completely, instead of just terminating their processes as in previous attacks. This clears the way for installation of ransomware. While Trend Micro last year reported Poortry had added this feature, Sophos said this was the first time the cybersecurity company had seen the EDR-killing capability used.

Poortry/BurntCigar, first discovered by Mandiant, is a malicious kernel driver used in conjunction with a loader dubbed Stonestop that attempts to bypass Microsoft Driver Signature Enforcement. Both the driver and the loader are heavily obfuscated by commercial or open-source packers, such as VMProtect, Themida or ASMGuard.

The driver tries to disguise itself by using the same information in its properties sheet as a driver for a commercially available program called Internet Download Manager, by Tonec Inc. But, Sophos said, it isn’t this software package’s driver; the attackers merely cloned the information from it.

Ransomware gangs known to use Poortry include Cuba, BlackCat, Medusa, LockBit and RansomHub, Sophos says.

The Sophos report stressed that since Microsoft closed a loophole that allowed the Poortry creators to use custom kernel-level drivers signed through Microsoft’s attestation signing process, the developers have added new features and functions to evade detection.
These include using Signature Timestamp Forging or obtaining a valid leaked non-Microsoft digital certificate, the report said. In the past 17 months, threat actors swapped the signing certificate they used for their executables at least nine times.

Sophos has seen a threat actor deploy variants of Poortry on different machines within a single estate during an attack. These variants contain the same payload, but are signed with a different certificate than the driver first used during the attack.

In August 2023, for example, attackers initially got into an organization through a remote access tool named SplashTop. As soon as the attackers were on the network, they deployed Poortry and Stonestop. Fortunately, in this case the signer name, “bopsoft,” was already known as a stolen certificate, and was blocked by the target firm’s defenses. But within 30 seconds, the attackers loaded a different Poortry driver, this one signed by “Evangel Technology (HK) Limited.” This attempt, too, was blocked.

In another recent attack Sophos investigated, the Poortry loader was signed with a certificate with the name “FEI XIAO” and dated Thursday, August 8. Sophos said it has “high confidence” the timestamp was forged.

“What was once a relatively simple tool for unhooking ‘troublesome’ endpoint protection components has become, in and of itself, a Swiss Army Knife of malicious capabilities abusing a virtually limitless supply of stolen or improperly used code signing certificates in order to bypass Driver Signature Verification protections,” Sophos said.

In addition to the EDR-killing power, Sophos said Poortry has evolved into something akin to a rootkit that also has finite controls over a number of different API calls used to control low-level operating system functionality.
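The signing behaviour described above (a cloned Internet Download Manager properties sheet, signer names reported as stolen, and the same payload re-signed within seconds) can be turned into a simple triage over kernel driver-load telemetry. The following is an added example, not code from Sophos or the article; the event schema, the Microsoft-publisher heuristic and the sample records are constructed for illustration.

```python
"""Triage kernel driver-load events for Poortry/BurntCigar-style signing abuse.

Checks: (1) signer names the reporting names as stolen or misused, (2) a
VERSIONINFO CompanyName that does not match the Authenticode signer (cloned
IDM properties), (3) the same payload hash re-signed with another certificate
within a short window on one host (the bopsoft -> Evangel swap).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Signer names the article reports as stolen or misused; extend from your own intel.
KNOWN_BAD_SIGNERS = {"bopsoft", "Evangel Technology (HK) Limited", "FEI XIAO"}


def company_matches_signer(company, signer):
    """Heuristic: the first word of CompanyName should appear in the signer CN.
    Assumption (not from the article): Microsoft attestation/WHQL signatures carry
    a Microsoft publisher subject, so any Microsoft signer is treated as matching."""
    if signer.lower().startswith("microsoft"):
        return True
    first = (company.split() or [""])[0].lower()
    return first in signer.lower()


def triage_driver_loads(events, resign_window=timedelta(minutes=5)):
    """events: dicts with host, ts (ISO 8601), sha256, company, signer.
    Returns (reason, event) tuples in event-time order."""
    findings, seen = [], defaultdict(list)  # seen[(host, sha256)] -> [(ts, signer)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["signer"] in KNOWN_BAD_SIGNERS:
            findings.append(("known_abused_signer", ev))
        if not company_matches_signer(ev["company"], ev["signer"]):
            findings.append(("company_signer_mismatch", ev))
        key = (ev["host"], ev["sha256"])
        if any(s != ev["signer"] and ts - t <= resign_window for t, s in seen[key]):
            findings.append(("same_payload_resigned", ev))
        seen[key].append((ts, ev["signer"]))
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry; hashes are placeholders, not IoCs
    {"host": "ws01", "ts": "2023-08-14T10:00:00", "sha256": "aa" * 32,
     "company": "Tonec Inc.", "signer": "bopsoft"},
    {"host": "ws01", "ts": "2023-08-14T10:00:30", "sha256": "aa" * 32,
     "company": "Tonec Inc.", "signer": "Evangel Technology (HK) Limited"},
    {"host": "ws02", "ts": "2023-08-14T11:00:00", "sha256": "bb" * 32,
     "company": "Contoso Ltd", "signer": "Microsoft Windows Hardware Compatibility Publisher"},
]

if __name__ == "__main__":
    for reason, ev in triage_driver_loads(SAMPLE_EVENTS):
        print(f"{ev['ts']} {ev['host']} {reason}: {ev['signer']}")
```

The re-sign window and the Microsoft-publisher shortcut are tuning knobs; a second host loading the same hash under yet another signer is not flagged here because the key is per host.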