| PoorTry | |
| --- | --- |
| Type of Malware | Backdoor |
| Country of Origin | United States |
| Targeted Countries | United States |
| Date of Initial Activity | 2022 |
| Associated Groups | Scattered Spider |
| Motivation | Financial Gain |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
The cybersecurity landscape is constantly evolving, with new and sophisticated malware emerging regularly. One such recent threat is Poortry, a malware variant linked to advanced persistent threat (APT) groups, particularly Scattered Spider. This malware has been identified as a significant player in the growing wave of attacks targeting both public and private sector organizations. Although the exact origin of Poortry is still under investigation, its technical attributes and its usage in high-profile breaches paint a disturbing picture of the future of cybercrime.
Poortry is notable for its use of a Microsoft-signed driver as part of its evasion tactics, a technique that allows it to bypass security measures designed to detect malicious software. This use of a legitimate certificate to sign malicious drivers is a hallmark of the increasingly sophisticated nature of modern cyberattacks, as it enables the malware to operate undetected by traditional security tools. Its ability to leverage trusted software in its attack chain makes it particularly dangerous and hard to detect, giving cybercriminals an edge in their attempts to gain unauthorized access to sensitive systems.
Targets
Arts, Entertainment, and Recreation
How they operate
One of the key features of Poortry is its use of a Microsoft-signed driver. Poortry relies on this signed driver for defense evasion, which makes detection much harder for traditional security measures. Because the driver carries a valid Microsoft signature, the operating system treats it as a “trusted” component, which allows Poortry to bypass security mechanisms that typically flag unsigned or suspicious software. Operating under that signature, Poortry can run undetected in the background while performing its malicious activities, such as establishing persistence or executing further payloads.
In addition to the signed driver, Poortry operators leverage remote monitoring and management (RMM) tools. These commercial tools, normally used for legitimate system administration, are abused to gain control over compromised systems. Tools such as Fleetdeck.io and Level.io have been observed in attacks involving Poortry. RMM tools give threat actors an easy foothold in the network, allowing them to monitor, manage, and manipulate infected systems remotely, often without triggering suspicion. Using such tools lets attackers maintain a low profile while carrying out their activity over an extended period.
Poortry’s attack vector often begins with social engineering techniques, such as SMS phishing or spear-phishing emails, aimed at tricking victims into revealing their credentials or downloading malicious attachments. Once the malware is introduced into the system, Poortry takes advantage of vulnerabilities in the victim’s network or software to escalate privileges, ensuring that it can persist within the system without being easily removed. The malware’s operators then use multi-factor authentication (MFA) fatigue attacks to overwhelm targets, attempting to gain unauthorized access to additional systems or networks by bombarding the victim with MFA prompts until they accidentally or unknowingly grant access.
Poortry also demonstrates post-exploitation behavior designed to establish long-term control. It can disable security software, delete logs, and execute additional malicious payloads to further infiltrate the network. In some cases, Poortry is used in tandem with ransomware attacks, contributing to a broader campaign of data exfiltration and extortion, often seen in BlackCat ransomware attacks.
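The two behaviours described above, a Microsoft-signed driver loaded for defense evasion and the subsequent disabling of security software and log deletion, can be correlated in endpoint telemetry. The following is an added detection sketch, not code from the original page or from any vendor; it assumes simplified Sysmon Event 6 (DriverLoad), Security 1102 (audit log cleared) and System 7036 (service state change) records, and it assumes the Microsoft signature is a WHCP attestation signature reported under the signer name "Microsoft Windows Hardware Compatibility Publisher", which the page does not state. All sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): simplified Sysmon Event 6
# (DriverLoad), Security 1102 (audit log cleared) and System 7036 (service state).
EVENTS = [
    {"time": "2024-05-01T10:00:00", "id": 6, "image": r"C:\Windows\System32\drivers\mouclass.sys",
     "signed": True, "signer": "Microsoft Windows"},
    {"time": "2024-05-01T10:03:00", "id": 6, "image": r"C:\Users\Public\Music\constructed_driver.sys",
     "signed": True, "signer": "Microsoft Windows Hardware Compatibility Publisher"},
    {"time": "2024-05-01T10:04:10", "id": 1102},
    {"time": "2024-05-01T10:04:30", "id": 7036, "service": "Microsoft Defender Antivirus Service", "state": "stopped"},
    {"time": "2024-05-01T11:30:00", "id": 7036, "service": "Print Spooler", "state": "stopped"},
]

# Directories from which vendor drivers are normally loaded on Windows.
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")
# Assumption (not stated on the page): the Microsoft signature is a WHCP attestation
# signature, which Sysmon reports under this signer name.
WHCP_SIGNER = "microsoft windows hardware compatibility publisher"
SECURITY_SERVICE_HINTS = ("defender", "antivirus", "sensor", "sysmon", "edr")

def suspicious_driver_load(ev):
    """WHCP-signed driver loaded from somewhere other than the usual driver directories."""
    if ev["id"] != 6 or not ev.get("signed"):
        return False
    path = ev["image"].lower()
    return (ev["signer"].lower() == WHCP_SIGNER
            and not any(path.startswith(d) for d in TRUSTED_DRIVER_DIRS))

def is_tamper(ev):
    """Audit log cleared, or a security-related service stopped (the post-exploitation steps above)."""
    if ev["id"] == 1102:
        return True
    return (ev["id"] == 7036 and ev.get("state") == "stopped"
            and any(h in ev.get("service", "").lower() for h in SECURITY_SERVICE_HINTS))

def _ts(ev):
    return datetime.fromisoformat(ev["time"])

def correlate(events, window=timedelta(minutes=10)):
    """One alert per suspicious driver load; severity rises if tampering follows within `window`."""
    alerts = []
    for ev in sorted(events, key=_ts):
        if not suspicious_driver_load(ev):
            continue
        t0 = _ts(ev)
        followups = [e["id"] for e in events if is_tamper(e) and t0 <= _ts(e) <= t0 + window]
        alerts.append({"driver": ev["image"], "tamper_events": followups,
                       "severity": "high" if followups else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

A WHCP-signed driver in a standard driver directory is common and benign on its own, so the path check and the follow-on tampering are what carry the signal here.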