Attack tool update impairs Windows computers

An EDR killer Sophos X-Ops has tracked for three years continues to bedevil organizations targeted by ransomware gangs.

Sophos News
But the development of dangerous new features continued apace, and the #BurntCigar driver is now virtually a rootkit, with the ability to interfere with and modify calls to low-level #Windows system APIs as a form of #MITM attack, sending some messages into the bin while modifying others and sending incorrect information between applications and the operating system.
After Sophos X-Ops worked with Microsoft to close the loophole that let this criminal software development house get this valuable signature on their malicious code, the #BurntCigar developers switched gears and used leaked or stolen certificates to sign their driver code.

When #EDR killers attack, they are now more aggressive and more harmful than ever. Our latest #research into the latest version of an EDR attack tool named #BurntCigar is now live on @SophosXOps

https://news.sophos.com/en-us/2024/08/27/burnt-cigar-2/


In the course of doing our research, we studied older variants of #BURNTCIGAR #drivers, and compared them to the new ones we were encountering during the incident response.

We found that these new drivers had been obfuscated with a variety of techniques, specifically that the drivers were packed using a commercial runtime #packer called #VMprotect. The packer makes it more difficult for an analyst to reverse-engineer a #malware sample, but we don't see a lot of drivers that are packed, at all. It was kind of unusual.

In addition, the malware drivers require the threat actor to run an executable called a loader, which simply does the mechanical work of creating Services entries in the Windows Registry, and moving the driver into the %temp% directory. The loader isn't packed.
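The loader behaviour described above (a Services registry entry pointing at a driver dropped under %temp%) gives defenders something concrete to hunt for. The script below is an added example, not code from Sophos X-Ops or from the write-up: it walks HKLM\SYSTEM\CurrentControlSet\Services, keeps only kernel-mode driver entries, normalises the ImagePath value, and reports any driver whose binary lives outside the usual driver directories or inside a temp folder, together with its Authenticode signer. The directory list and path-normalisation rules are assumptions chosen for this example; run it in an elevated PowerShell session on the endpoint being checked.

```powershell
# Added example (not Sophos's code): hunt for kernel driver services whose binary
# sits outside the normal driver directories, e.g. under a %temp% folder.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Assumed "normal" locations for driver binaries on a stock Windows install.
$trustedRoots = @(
    (Join-Path $env:SystemRoot 'System32\drivers'),
    (Join-Path $env:SystemRoot 'System32\DriverStore')
) | ForEach-Object { $_.ToLowerInvariant() }

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    # Driver ImagePath values come in several shapes; normalise to a plain Win32 path.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim('"')
    if ($p -match '^\\\?\?\\(.*)$')       { $p = $Matches[1] }                          # \??\C:\...
    if ($p -match '^\\SystemRoot\\(.*)$')  { $p = Join-Path $env:SystemRoot $Matches[1] } # \SystemRoot\System32\...
    if ($p -notmatch '^[A-Za-z]:\\')       { $p = Join-Path $env:SystemRoot $p }          # relative: System32\drivers\x.sys
    return $p
}

$findings = foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $svc = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER; skip user-mode services.
    if (-not $svc -or -not $svc.ImagePath -or ($svc.Type -ne 1 -and $svc.Type -ne 2)) { continue }

    $path  = Resolve-DriverImagePath $svc.ImagePath
    $lower = $path.ToLowerInvariant()

    $inTrustedDir = $false
    foreach ($root in $trustedRoots) { if ($lower.StartsWith($root)) { $inTrustedDir = $true } }
    $inTemp = $lower -match '\\(temp|tmp)\\'
    if ($inTrustedDir -and -not $inTemp) { continue }

    # Record who signed the file; a valid signature alone does not clear it, since
    # these drivers have carried leaked, stolen and even WHCP-issued signatures.
    $sig = $null
    if (Test-Path -LiteralPath $path) { $sig = Get-AuthenticodeSignature -FilePath $path }
    $status = if ($sig) { $sig.Status } else { 'file missing' }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Service   = $key.PSChildName
        ImagePath = $path
        Status    = $status
        Signer    = $signer
        Start     = $svc.Start   # 0=boot 1=system 2=auto 3=demand 4=disabled
    }
}

$findings | Format-Table -AutoSize
```

Treat any hit as a lead rather than a verdict: legitimate third-party drivers occasionally install outside System32\drivers, but a kernel driver registered from a temp directory, regardless of how clean its signature looks, is exactly the pattern the loader produces and is worth pulling the file for analysis.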

This morning, my colleague Andreas and I were able to release the first of what I expect will be a series of blog posts about a supply chain compromise of #Microsoft's code-signing infrastructure.

The @SophosXOps team discovered in October that a ransomware threat actor was deploying a #malware package that was discovered by Mandiant earlier this year. They named the package #BURNTCIGAR - it's a signed Windows #driver that is purpose-built to kill endpoint security and #EDR tools.

Previous BURNTCIGAR drivers had been signed with shady or known-compromised code signing certificates. These new ones were signed by Microsoft's Windows Hardware Compatibility Publisher - pretty much a gold standard for authoritative cryptographic signing of code that can run at kernel-mode under Windows.

Yeah, it's...kinda bad. We informed Microsoft, and they released an advisory this morning about it. We're now free from our NDA to publish our research.

https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/