Tool used by ransomware groups now seen killing EDR: Report
- by nlqip
Poortry/BurntCigar, first discovered by Mandiant, is a malicious kernel driver used together with a loader dubbed Stonestop that attempts to bypass Microsoft's Driver Signature Enforcement. Both the driver and the loader are heavily obfuscated with commercial or open-source packers such as VMProtect, Themida or ASMGuard.
The driver tries to disguise itself by carrying the same information in its properties sheet (file version resource) as the driver shipped with a commercially available program, Internet Download Manager by Tonec Inc. But, Sophos said, it is not that software package's driver: the attackers merely cloned the version information from it.
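Because a cloned properties sheet is cheap to produce but a valid Authenticode signature from the vendor named in it is not, one practical triage step is to list loaded kernel drivers whose version strings claim to be the Internet Download Manager driver and compare those claims against the file's actual signer and hash. The PowerShell below is an added example, not code from the article, Sophos or Mandiant; the vendor and product strings are the ones the article names, and $KnownGoodSha256 is a hypothetical placeholder the analyst fills in from a clean IDM installation.

```powershell
# Added example (not from the article): find loaded drivers whose version info claims to be
# Tonec's Internet Download Manager driver and check whether the signature backs that claim.
# Assumptions: the impersonated strings come from the article; $KnownGoodSha256 is a
# hypothetical value you supply from a known-clean copy of the genuine driver.
param(
    [string[]]$ImpersonatedStrings = @('Tonec', 'Internet Download Manager'),
    [string]$KnownGoodSha256 = ''   # hypothetical: SHA-256 of the genuine IDM driver, if known
)

# Win32_SystemDriver reports paths in several forms (\??\C:\..., \SystemRoot\..., System32\...);
# normalize them to a filesystem path we can open.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $p = $_.PathName -replace '^\\\?\?\\', ''
        $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
        [pscustomobject]@{ Name = $_.Name; State = $_.State; Path = $p }
    }

foreach ($d in $drivers) {
    if (-not (Test-Path -LiteralPath $d.Path)) { continue }

    # The "properties sheet" the article refers to is the PE version resource.
    $vi = (Get-Item -LiteralPath $d.Path).VersionInfo
    $claims = @($vi.CompanyName, $vi.ProductName, $vi.FileDescription, $vi.OriginalFilename) -join ' | '

    # Only examine drivers that claim to be the impersonated product.
    $looksLikeIdm = $ImpersonatedStrings | Where-Object { $claims -match [regex]::Escape($_) }
    if (-not $looksLikeIdm) { continue }

    $sig    = Get-AuthenticodeSignature -LiteralPath $d.Path
    $hash   = (Get-FileHash -LiteralPath $d.Path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Flag when the signature is not valid, the signer does not name the claimed company,
    # or the hash differs from the known-good driver (when one was supplied).
    $suspicious = ($sig.Status -ne 'Valid') -or
                  ($signer -notmatch [regex]::Escape([string]$vi.CompanyName)) -or
                  ($KnownGoodSha256 -and $hash -ne $KnownGoodSha256)

    [pscustomobject]@{
        Driver     = $d.Name
        State      = $d.State
        Path       = $d.Path
        Claims     = $claims
        SigStatus  = $sig.Status
        Signer     = $signer
        Sha256     = $hash
        Suspicious = $suspicious
    }
}
```

Treat Suspicious as a triage flag rather than a verdict: WHQL-signed drivers are signed by Microsoft rather than the vendor in CompanyName, so the signer comparison can fire on legitimate files, and conversely a valid signature on its own does not clear a file. The hash comparison against a clean copy of the genuine driver is the check that actually separates the real IDM driver from a look-alike.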
Ransomware gangs known to use Poortry include Cuba, BlackCat, Medusa, LockBit and RansomHub, Sophos says.