The malware known as “POORTRY”, which Microsoft, Mandiant, Sophos, and SentinelOne discovered in ransomware attacks late last year, has been upgraded, according to Trend Micro.
The Windows kernel driver used by the POORTRY malware was signed with stolen keys belonging to legitimate Windows Hardware Developer Programme accounts.
The UNC3944 hacker collective, also known as 0ktapus and Scattered Spider, used this rogue driver to disable security software running on a Windows device in order to evade detection.
Security software is usually protected against termination or tampering, but because Windows kernel drivers run with the highest privileges in the operating system, they can kill practically any process.
According to Trend Micro, ransomware attackers used the Microsoft-signed POORTRY driver even though its detection rates were high as a result of the attention it received after the code-signing keys were revoked.
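A defender-side check that follows from the two points above, added here as example code that is not from the article or from any of the vendors it names: enumerate the kernel drivers loaded on a host and report how each one's Authenticode signature validates, so drivers whose signing certificate has since been revoked, or that were signed through Microsoft's hardware programme, can be reviewed. It assumes that a driver signed with a revoked certificate no longer returns a `Valid` status and that hardware-programme signatures carry the publisher name `Microsoft Windows Hardware Compatibility Publisher`.

```powershell
# Added example, not from the article: audit the signatures of loaded kernel drivers.
# Run in an elevated PowerShell session on Windows.

function Get-LoadedDriverSignature {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName comes back in several shapes ('\??\C:\...', '\SystemRoot\...',
            # or a path relative to the Windows directory); normalise to a full path.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig = Get-AuthenticodeSignature -FilePath $path
            [PSCustomObject]@{
                Name       = $_.Name
                Path       = $path
                # Assumption: a signature made with a certificate that was later
                # revoked does not come back as 'Valid' here.
                Status     = $sig.Status
                Signer     = $sig.SignerCertificate.Subject
                Thumbprint = $sig.SignerCertificate.Thumbprint
                # Assumption: drivers signed through Microsoft's hardware developer
                # programme carry this publisher name in the signer subject.
                HwProgram  = ($sig.SignerCertificate.Subject -like '*Windows Hardware Compatibility Publisher*')
            }
        }
}

# Review anything that does not validate cleanly first, then the hardware-programme
# signed drivers that are not part of the expected baseline for the host.
$drivers = Get-LoadedDriverSignature
$drivers | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Name, Status, Signer, Path -AutoSize
$drivers | Where-Object { $_.HwProgram } |
    Format-Table Name, Thumbprint, Path -AutoSize
```

The output is a review list, not a verdict: compare the hardware-programme signed drivers against a known-good inventory for the host and investigate any loaded driver whose signature no longer validates.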