Introduction
In the ever-evolving landscape of cybersecurity, ransomware groups are continuously developing more sophisticated tools to bypass security measures and infiltrate systems. One such tool that has recently garnered attention is the Poortry/BurntCigar toolkit. Initially recognized for its ability to sabotage endpoint protection software, this toolkit has evolved into a more dangerous threat, now capable of completely wiping out Endpoint Detection and Response (EDR) software from victim systems. This article delves into the evolution of Poortry/BurntCigar, its newly discovered capabilities, and the implications for cybersecurity defenses.
The Emergence of Poortry/BurntCigar
Early Detection and Initial Capabilities
Poortry, also known as BurntCigar, was first discovered by cybersecurity firm Mandiant. This toolkit is a malicious kernel driver used in combination with a loader known as Stonestop. The primary function of this driver and loader duo was to bypass Microsoft Driver Signature Enforcement, a security feature that ensures only drivers with valid digital signatures can be loaded into the Windows kernel. By bypassing this enforcement, Poortry/BurntCigar allowed ransomware operators to disable or terminate endpoint protection processes, paving the way for ransomware deployment.
Evolution into a More Potent Threat
While Poortry initially focused on terminating processes associated with endpoint protection software, recent developments have made it far more dangerous. In July 2023, researchers at Sophos observed a new capability in the Poortry toolkit during an investigation of a ransomware attack. Instead of merely terminating EDR processes, the toolset was used to completely delete EDR components from the victim’s IT system. This marks a significant escalation in the toolkit’s capabilities, making it a more formidable tool in the hands of ransomware gangs.
Technical Analysis of Poortry/BurntCigar
How Poortry/BurntCigar Operates
The Poortry toolkit operates by leveraging a heavily obfuscated kernel driver, which is often disguised to resemble legitimate software components. For instance, the driver may use the same information in its properties sheet as a driver for a widely used program, such as Internet Download Manager by Tonec Inc. This tactic helps the malicious driver evade detection by security software, as it appears to be a legitimate component of trusted software.
To further complicate detection, both the Poortry driver and the Stonestop loader are obfuscated using commercial or open-source packers like VMProtect, Themida, or ASMGuard. These tools make it challenging for security researchers to reverse-engineer the malicious code and develop effective countermeasures.
Signature Forging and Certificate Abuse
One of the most concerning aspects of Poortry/BurntCigar’s evolution is its use of signature timestamp forging and valid, but leaked, non-Microsoft digital certificates. According to Sophos, the toolkit’s developers have consistently swapped the signing certificates used for their executables, utilizing at least nine different certificates in the past 17 months. This tactic allows the toolkit to bypass Driver Signature Verification protections, a critical defense mechanism in modern operating systems.
For example, during an attack in August 2023, attackers initially gained access to an organization’s network through a remote access tool named SplashTop. Once inside, they deployed Poortry and Stonestop. Although the initial Poortry driver was signed with a certificate from a known stolen source, “bopsoft,” and was blocked by the target’s defenses, the attackers quickly loaded a new driver signed by “Evangel Technology (HK) Limited.” This swift switching of certificates demonstrates the attackers’ ability to adapt and evade security measures in real time.
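The traits just described (a properties sheet borrowed from a legitimate vendor, a non-Microsoft signer, and a leaked certificate that keeps validating through its countersignature timestamp) can be turned into a host-level triage check. The script below is an added example written for this article, not tooling from Sophos or Mandiant; it assumes an elevated PowerShell 5.1+ session on the Windows host being examined.

```powershell
# Added example (not the article's or any vendor's code): triage the kernel drivers
# currently running on a Windows host for the signing traits described above.
# Assumes an elevated PowerShell 5.1+ session; each flag is a lead for an analyst,
# not a verdict, since many legitimate third-party drivers trip the first one.

function Get-DriverSignatureLeads {
    foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object State -eq 'Running') {
        # PathName may come back as "\SystemRoot\..." or "\??\C:\..." on some builds; normalise it
        $path = $drv.PathName -replace '"', ''
        $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $cert   = $sig.SignerCertificate
        $info   = (Get-Item -LiteralPath $path).VersionInfo
        $signer = if ($cert) { $cert.Subject } else { '<unsigned>' }
        $flags  = @()

        if ($sig.Status -ne 'Valid')       { $flags += "status=$($sig.Status)" }
        # Trait 1: not Microsoft-signed (WHQL/attestation-signed drivers carry a Microsoft signer)
        if ($signer -notmatch 'Microsoft') { $flags += 'non-microsoft-signer' }
        # Trait 2: properties sheet names a vendor (e.g. "Tonec Inc.") that the signer subject does not
        if ($info.CompanyName) {
            $vendor = [regex]::Escape(($info.CompanyName -split '\s+')[0])
            if ($signer -notmatch $vendor) { $flags += "company/signer-mismatch($($info.CompanyName))" }
        }
        # Trait 3: an expired leaf certificate that still validates only because of a
        # countersignature timestamp, the pattern a leaked, swapped-in certificate tends to show
        if ($cert -and $cert.NotAfter -lt (Get-Date) -and $sig.TimeStamperCertificate) {
            $flags += 'expired-cert-kept-alive-by-timestamp'
        }

        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Driver  = $drv.Name
                Path    = $path
                Signer  = $signer
                Company = $info.CompanyName
                Flags   = $flags -join ', '
            }
        }
    }
}

# Review the drivers carrying the most flags first
Get-DriverSignatureLeads | Sort-Object { ($_.Flags -split ',').Count } -Descending | Format-Table -AutoSize
```

Run it from a known-good baseline first so that the organisation's own third-party drivers can be allow-listed, leaving a short list worth comparing against threat intelligence on the certificates currently being abused.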
The Growing Threat of Poortry/BurntCigar
A Swiss Army Knife of Malicious Capabilities
What was once a relatively simple tool for disabling endpoint protection software has now evolved into a Swiss Army Knife of malicious capabilities. In addition to its EDR-killing power, Poortry/BurntCigar has developed features that resemble those of a rootkit, giving it fine-grained control over various API calls used to manage low-level operating system functions. This evolution allows the toolkit to perform a broader range of malicious activities, making it a versatile tool for attackers.
The Role of Ransomware Gangs
Several ransomware groups, including Cuba, BlackCat, Medusa, LockBit, and RansomHub, have been known to use the Poortry/BurntCigar toolkit in their attacks. The adoption of this tool by such a diverse group of threat actors highlights its effectiveness and versatility in compromising targets. By disabling EDR software, these groups can deploy ransomware with minimal resistance, increasing the likelihood of a successful attack.
Implications for Cybersecurity
The Challenge for Defenders
The continuous evolution of Poortry/BurntCigar presents a significant challenge for cybersecurity defenders. The toolkit’s ability to completely wipe EDR software from a system means that traditional endpoint protection measures may no longer be sufficient. Organizations must adopt more advanced detection and response strategies that can identify and mitigate threats even when endpoint protection software has been compromised.
The Need for Adaptive Security Measures
To counter the threat posed by Poortry/BurntCigar, organizations need to implement adaptive security measures that can respond to the dynamic nature of modern cyber threats. This includes deploying advanced threat detection systems that can identify suspicious activities, even when they are executed by seemingly legitimate software components. Additionally, organizations should regularly update their security protocols to address the latest tactics used by threat actors, such as certificate swapping and signature forging.
The Importance of Threat Intelligence
Staying informed about the latest developments in cyber threats is crucial for maintaining effective defenses. Security teams should leverage threat intelligence platforms to keep up with the evolving tactics, techniques, and procedures (TTPs) used by ransomware groups. By understanding how tools like Poortry/BurntCigar operate, defenders can develop more targeted and effective countermeasures to protect their systems.
Conclusion
The evolution of the Poortry/BurntCigar toolkit from a simple tool for disabling endpoint protection software to a sophisticated, rootkit-like threat underscores the rapidly changing nature of cyber threats. As ransomware groups continue to adopt and refine these tools, it is imperative for organizations to strengthen their defenses and stay ahead of the curve. By implementing adaptive security measures, leveraging threat intelligence, and staying vigilant, organizations can better protect themselves against the growing threat posed by tools like Poortry/BurntCigar.