Ransomware operators known as BlackCat, or ALPHV, were seen using an updated version of a known malware, which allows them to elevate privileges on target endpoints and terminate any antivirus or endpoint security solutions the computer might have running.
The news comes courtesy of Trend Micro’s researchers, who spotted the updated malware.
As per the researchers, the malware is known as “POORTRY”. It was first discovered late last year, when researchers from Microsoft, Mandiant, Sophos, and SentinelOne, all saw POORTRY being used to disable antivirus programs, in preparation from the deployment of ransomware. Back then, it was found that POORTRY was a Windows kernel driver, signed with keys stolen from authentic Microsoft Windows Hardware Developer Program accounts.
Attacking dozens of companies
However, as the code-signing keys were soon revoked, and with the malware getting plenty of press coverage, most antivirus programs started detecting it, prompting the attackers to go for an update. Now, this new version is signed using a stolen, or leaked, cross-signing certificate, the researchers are saying.
The goal is still the same – to elevate privileges on the target endpoint and terminate any processes related to antivirus or cybersecurity programs and systems.
Besides being used to terminate any system processes, the driver can also be used to delete specific file paths, force-copy and force-delete files, copy files, register and unregister processes, and even reboot the system. It’s also worth mentioning that not all of these features work as intended, which lead the researchers to believe that the malware is still under development, or in a testing stage.
The group that was using the original POORTRY malware was identified as UNC3944, also known as 0ktapus, or Scattered Spider. This new version is used by BlackCat (ALPHV). Although it’s hard to be conclusive about it, the researchers do hint that there might be a “loose link” between the two groups.