The ALPHV ransomware group (aka BlackCat) was observed employing signed malicious Windows kernel drivers to evade detection by security software during attacks.
The driver seen by Trend Micro is an improved version of the malware known as ‘POORTRY’.
POORTRY is a Windows kernel driver signed with keys stolen from legitimate accounts in Microsoft’s Windows Hardware Developer Program, so Windows treats it as a trusted third-party driver. Security software is normally protected from being terminated or tampered with from user mode, but a kernel driver runs at the highest privilege level in the operating system and can terminate almost any process, including those of EDR and antivirus products.
Trend Micro says the ransomware actors attempted to use the Microsoft-signed POORTRY driver, but detection rates were high following the publicity it received and the revocation of the code-signing keys. Revocation on its own does not unload a driver that is already installed, and the Windows kernel does not re-check certificate revocation when it loads signed code, so blocking such drivers in practice relies on endpoint detections and on Microsoft’s vulnerable driver blocklist rather than on the revoked certificate.
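Because the abuse described above hinges on drivers that are validly signed, the practical triage step on a host is to enumerate the running kernel drivers and see who signed each one. The PowerShell below is an added example for this article, not code from the original page or from Trend Micro’s report. It assumes an elevated PowerShell session on Windows, and it assumes that drivers signed through the Windows Hardware Compatibility Program carry the subject common name `Microsoft Windows Hardware Compatibility Publisher`; adjust the filter paths to your own environment.

```powershell
# Added example (not from the article or Trend Micro's report):
# list running kernel drivers with their Authenticode signer, and surface the
# attestation-signed (WHCP) drivers loaded from outside the usual driver locations.
# Assumption: WHCP-signed drivers carry the subject CN below.
$WhcpSigner = 'Microsoft Windows Hardware Compatibility Publisher'

function Get-RunningDriverSignature {
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State = 'Running'" |
        ForEach-Object {
            $path = $_.PathName
            if (-not $path) { return }   # some built-in drivers report no path

            # PathName is sometimes an NT path (\??\C:\... or \SystemRoot\...); normalise it
            $path = $path -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name       = $_.Name
                Path       = $path
                Status     = $sig.Status
                Signer     = $sig.SignerCertificate.Subject
                WhcpSigned = [bool]($sig.SignerCertificate -and
                                    $sig.SignerCertificate.Subject -like "*CN=$WhcpSigner*")
            }
        }
}

$drivers = Get-RunningDriverSignature

# Anything attestation-signed that is not in the driver store or System32\drivers
# is the first thing to compare against a known-good baseline.
$drivers |
    Where-Object {
        $_.WhcpSigned -and
        $_.Path -notlike "$env:SystemRoot\System32\DriverStore\*" -and
        $_.Path -notlike "$env:SystemRoot\System32\drivers\*"
    } |
    Sort-Object Name |
    Format-Table Name, Status, Path -AutoSize
```

The filter is a triage heuristic, not a verdict: legitimate third-party drivers are also WHCP-signed, so the full `$drivers` list should be diffed against a baseline taken from a clean build of the same image, and a valid `Status` says nothing about whether the signing key was later stolen or revoked.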
For more details, see Trend Micro’s report.