Tool used by ransomware groups now seen killing EDR: Report
- by nlqip
Poortry/BurntCigar, first discovered by Mandiant, is a malicious kernel driver used in conjunction with a loader dubbed Stonestop that attempts to bypasses Microsoft Driver Signature Enforcement. Both the driver and the loader are heavily obfuscated by commercial or open-source packers, such as VMProtect, Themida or ASMGuard.
The driver tries to disguise itself by using the same information in its properties sheet as a driver for a commercially available program called Internet Download Manager, by Tonec Inc.. But, Sophos said, it isn’t this software package’s driver – the attackers merely cloned the information from it.
Ransomware gangs known to use Poortry include Cuba, BlackCat, Medusa, LockBit and RansomHub, Sophos says.
Source link
lol
Poortry/BurntCigar, first discovered by Mandiant, is a malicious kernel driver used in conjunction with a loader dubbed Stonestop that attempts to bypasses Microsoft Driver Signature Enforcement. Both the driver and the loader are heavily obfuscated by commercial or open-source packers, such as VMProtect, Themida or ASMGuard. The driver tries to disguise itself by using the…
Recent Posts
- Hackers Exploit Default Credentials in FOUNDATION Software to Breach Construction Firms
- How to reduce cyber risk during employee onboarding
- Germany seizes 47 crypto exchanges used by ransomware gangs
- Police dismantles phone unlocking ring linked to 483,000 victims
- Ahead Adds Former Google Cloud VP To Board To ‘Fuel’ AI, Hybrid Cloud