Connect with us

Hi, what are you looking for?



Security Firms Warn Microsoft of Signed Drivers Used to Kill EDR, AV Processes

Several cybersecurity firms have warned Microsoft that cybercriminals have been using signed malicious drivers to kill processes associated with antivirus (AV) and endpoint detection and response (EDR) products.

Several cybersecurity firms have warned Microsoft that cybercriminals have been using signed malicious drivers to kill processes associated with antivirus (AV) and endpoint detection and response (EDR) products.

Alongside its Patch Tuesday updates for December 2022, Microsoft issued an advisory to inform customers about drivers certified by its Windows Hardware Developer Program being used by threat actors in post-exploitation activity, including the deployment of ransomware.

“Microsoft has completed its investigation and determined that the activity was limited to the abuse of several developer program accounts and that no compromise has been identified. We’ve suspended the partners’ seller accounts and implemented blocking detections to help protect customers from this threat,” the tech giant said.

“This investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature,” it added.

In addition to suspending the accounts, Microsoft has released Windows security updates to revoke the abused certificates.

[ Read: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks ]

The company learned about the abuse from SentinelOne, Mandiant and Sophos. Each company published a blog post on Tuesday to describe its findings.

Advertisement. Scroll to continue reading.

SentinelOne reported seeing several attacks where a threat actor used malicious signed drivers to evade security products, which typically trust components signed by Microsoft.

The security firm saw threat actors targeting organizations in the business process outsourcing (BPO), telecommunications, entertainment, transportation, MSSP, financial and cryptocurrency sectors. In some cases, the goal was to conduct SIM swapping.

This description is similar to CrowdStrike’s recent description of a cybercrime group tracked as Scattered Spider, which targeted the same industries and had similar goals.

SentinelOne has also seen signed drivers being used to deploy the Hive ransomware against an organization in the medical industry.

The company has analyzed a small toolkit designed to terminate AV and EDR processes. The toolkit has two main components: a userland component called StoneStop and a kernel mode component called PoorTry. PoorTry is a malicious driver that has been signed by hackers, and StoneStop is its loader.

Mandiant has seen this toolkit being used by a financially motivated threat group it tracks as UNC3944, which has been active since at least May and has been using stolen credentials obtained from SMS phishing operations to gain initial access to targeted networks.

Mandiant has observed several distinct malware families, associated with different threat actors, abusing the same process to get their drivers signed by Microsoft.

One of them appears to be the Cuba ransomware, which has been linked by Sophos to attacks leveraging signed drivers to disable cybersecurity products. The group behind the Cuba operation has used a utility called BurntCigar to disable endpoint protection products. BurntCigar was initially signed with stolen certificates, then with valid certificates of shady origin, and then with legitimate Microsoft certificates.

Malicious driver signed by Microsoft

Coinciding with the alerts from Microsoft and cybersecurity firms, the US Cybersecurity and Infrastructure Security Agency (CISA) has updated its alert on the Cuba ransomware with additional indicators of compromise (IoCs).

This is not the first time threat actors have used drivers signed by Microsoft in their operations and it seems that putting a stop to this practice has not been an easy task for Microsoft, which said on Tuesday that it’s taking steps to address the issue.

Both SentinelOne and Mandiant believe the malicious signed drivers may be provided to different threat actors by one or more suppliers that specialize in offering these types of services. SentinelOne noted that this theory is supported by the similar functionality and design of drivers used by different threat groups.

Related: North Korean Hackers Exploit Dell Driver Vulnerability to Disable Windows Security

Related: Ransomware Operator Abuses Anti-Cheat Driver to Disable Antiviruses

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...