Poortry/BurntCigar, first found by Mandiant, is a malicious kernel driver used alongside a loader dubbed Stonestop that attempts to bypass Microsoft Driver Signature Enforcement. Both the driver and the loader are heavily obfuscated by commercial or open-source packers such as VMProtect, Themida or ASMGuard.
The driver tries to disguise itself by using the same information in its properties sheet as the driver for a commercially available program called Internet Download Manager, by Tonec Inc. However, Sophos said, it isn't that software package's driver – the attackers simply cloned the information from it.
Ransomware gangs known to use Poortry include Cuba, BlackCat, Medusa, LockBit and RansomHub, Sophos says.
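Because the version-info fields in a driver's properties sheet are attacker-controlled, a defender cannot trust them on their own; the useful check is whether the vendor they claim agrees with the Authenticode signer and whether the signature actually verifies. The following is an added example (not code from the article, Sophos or Mandiant) that runs that comparison over constructed driver-load records; the record field names and the sample values, including the placeholder signer, are assumptions made for the illustration.

```python
"""Flag loaded kernel drivers whose version-info vendor does not match the
Authenticode signer, or whose signature does not verify.

Added example; the record schema and sample data below are constructed and
do not reflect any particular telemetry product's field names.
"""
from dataclasses import dataclass

# Corporate suffixes ignored when comparing vendor names, so that
# "Tonec Inc." and "Tonec" compare equal.
_SUFFIXES = {"inc", "llc", "ltd", "corp", "corporation", "co", "gmbh"}


@dataclass(frozen=True)
class DriverRecord:
    image_path: str        # on-disk path of the loaded driver
    company_name: str      # CompanyName from the version resource (attacker-controlled)
    product_name: str      # ProductName from the version resource (attacker-controlled)
    signer_subject: str    # organisation named in the Authenticode signing certificate
    signature_valid: bool  # whether the signature chain verified


def _normalise(name: str) -> str:
    """Lower-case a vendor string and drop punctuation and corporate suffixes."""
    tokens = name.lower().replace(",", " ").replace(".", " ").split()
    return " ".join(t for t in tokens if t not in _SUFFIXES)


def vendor_mismatch(rec: DriverRecord) -> bool:
    """True when the claimed vendor and the signer do not name the same organisation."""
    claimed = _normalise(rec.company_name)
    signer = _normalise(rec.signer_subject)
    if not claimed or not signer:
        return True  # missing either side is itself suspicious
    return claimed not in signer and signer not in claimed


def triage(records):
    """Return (image_path, [reasons]) for every record that deserves a look."""
    findings = []
    for rec in records:
        reasons = []
        if not rec.signature_valid:
            reasons.append("signature did not verify")
        if vendor_mismatch(rec):
            reasons.append(
                f"version info claims '{rec.company_name}' but signer is '{rec.signer_subject}'"
            )
        if reasons:
            findings.append((rec.image_path, reasons))
    return findings


# Constructed sample records (paths and signer names are placeholders).
SAMPLE_RECORDS = [
    # Version info and signer agree, signature verifies: nothing to report.
    DriverRecord(r"C:\Windows\System32\drivers\legit_example.sys",
                 "Tonec Inc.", "Internet Download Manager", "Tonec Inc.", True),
    # Cloned version info but signed by someone else: the pattern described above.
    DriverRecord(r"C:\Users\Public\cloned_example.sys",
                 "Tonec Inc.", "Internet Download Manager", "PLACEHOLDER-SIGNER-ORG", True),
    # Claims a vendor and carries a signature that does not verify.
    DriverRecord(r"C:\Temp\unsigned_example.sys",
                 "Tonec Inc.", "Internet Download Manager", "PLACEHOLDER-SIGNER-ORG", False),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_RECORDS):
        print(path)
        for r in reasons:
            print("  -", r)
```

Substring matching on normalised names is deliberately loose so that a certificate subject such as "Tonec" still matches "Tonec Inc."; tighten it to an allowlist of known signer names per product if false positives matter more than recall in your environment.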