“The receding effectiveness of code signing represents a threat to security and verification mechanisms at all OS layers,” say the cybersecurity company’s researchers.
US-Israeli cybersecurity company SentinelOne has observed prominent threat actors abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses.
Investigations into these intrusions led to the discovery of POORTRY and STONESTOP malware, part of a small toolkit designed to terminate AV and EDR processes.
The company first reported its discovery to Microsoft’s Security Response Center (MSRC) in October 2022 and received an official case number.
In multiple recent investigations, SentinelOne’s Vigilance DFIR team observed a threat actor utilizing a Microsoft-signed malicious driver to attempt evasion of multiple security products.
In subsequent sightings, the driver was used with a separate userland executable to attempt to control, pause, and kill various processes on the target endpoints. In some cases, the threat actor’s intent was to ultimately provide SIM swapping services.
In 2022, the actors were involved in a variety of intrusions heavily targeting Business Process Outsourcing (BPO) and Telecommunications businesses. Additional targeting includes the Entertainment, Transportation, Managed Security Service Providers (MSSP), Financial, and Cryptocurrency sectors.
Notably, SentinelLabs observed a separate threat actor also utilizing a similar Microsoft-signed driver, which resulted in the deployment of Hive ransomware against a target in the medical industry, indicating a broader use of this technique by various actors with access to similar tooling.
Abusing Trust with Signed Drivers
The main issue with the driver signing process is that most security solutions implicitly trust anything signed only by Microsoft, especially kernel-mode drivers. Starting with Windows 10, Microsoft began requiring all kernel-mode drivers to be signed using the Windows Hardware Developer Center Dashboard portal.
Anything not signed through this process is not able to load in modern Windows versions. While the intent of this new requirement was to have stricter control and visibility over drivers operating at the kernel level, threat actors have realized that if they can game the process, they will have free rein to do what they want.
The trick, however, is to develop a driver that doesn’t appear to be malicious to the security checks implemented by Microsoft during the review process.
This is not the first time a malicious kernel-mode driver has been signed by Microsoft. In June 2021, GData published a blog post on a malicious Netfilter rootkit signed through the same process described above. Microsoft subsequently acknowledged this and stated they “…will be sharing an update on how we are refining our partner access policies, validation and the signing process to further enhance our protections.”
Our Supplier Theory
We are highly confident that the malicious drivers mentioned above, as well as the one from June 2021, were used by different threat actors. This raises an important question: Is the driver signing process being exploited by a supplier(s) and offered as a service available to various threat actors willing to pay?
A competing theory is that multiple threat actors have compromised legitimate driver developers and surreptitiously used their EV certificate to sign and submit the malicious drivers using their developer account. However, this scenario is less likely due to the requirement that EV private keys be stored on a physical hardware token intended to help prevent digital theft.
Other evidence supporting the ‘supplier’ theory stems from the similar functionality and design of the drivers. While they were used by two different threat actors, they functioned in very much the same way. This indicates they were possibly developed by the same person and subsequently sold for use by someone else.
Code signing mechanisms are an important feature in modern operating systems. The introduction of driver signing enforcement was key in stemming the tide of rootkits for years. The receding effectiveness of code signing represents a threat to security and verification mechanisms at all OS layers.
We hope that Microsoft will take steps to consider further enhancements to bolster the security of their signing process to help maintain the implicit trust placed in Microsoft-signed drivers.
In the meantime, we continue to monitor the abuse of signed drivers in collaboration with Mandiant researchers. We hope defenders will prioritize these TTPs to bolster their defenses.
The above is a shortened version of the SentinelOne report “Driving Through Defenses | Targeted Attacks Leverage Signed Malicious Microsoft Drivers.”