Ransomware operations have upgraded that malicious kernel-mode Windows driver PoorTry from an endpoint detection and response system deactivator to an EDR killer, reports BleepingComputer.
Despite being initially developed to disable security systems, PoorTry — also known as BurntCigar — has since been updated to allow the removal of security software's crucial dynamic link libraries and executable files in a RansomHub attack last month, according to an analysis from Sophos. Malicious PoorTry operations commence with the discovery of installation directories and critical directory files followed by the delivery of a request seeking security-related process termination and file deletion to its kernel-mode component, reported Sophos researchers, who noted the tool's support for file name- or type-based deletion. Further analysis revealed that the new PoorTry variants not only leveraged signature timestamp manipulation conducted to evade Windows security inspections and enable utilization of other software metadata but also used various certificates for greater odds of compromise.
