Poortry/BurntCigar, first found by Mandiant, is a malicious kernel driver used together with a loader dubbed Stonestop that attempts to bypass Microsoft Driver Signature Enforcement. Both the driver and the loader are heavily obfuscated with commercial or open-source packers such as VMProtect, Themida or ASMGuard.
The driver tries to disguise itself by using the same information in its properties sheet (the file's version resource) as the driver for a commercially available program called Internet Download Manager, by Tonec Inc. However, Sophos said, it isn't this software package's driver; the attackers simply cloned the information from it.
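Cloned version-resource metadata of this kind is easy to spot from the defender's side, because the strings an attacker copies into the properties sheet are not covered by the driver's Authenticode signature. The following PowerShell is an added example, not code from the article or from Sophos: it compares each driver's CompanyName/ProductName with the subject of the certificate that actually signed the file and flags drivers that are unsigned, have an invalid signature, or claim a vendor that does not appear in the signer name. The scan path, the first-word matching heuristic and the field names in the output object are assumptions for illustration.

```powershell
# Added example (not from the article or Sophos): heuristic check that flags
# kernel drivers whose version-resource metadata (CompanyName/ProductName)
# does not agree with the Authenticode signer. A driver that claims to belong
# to one vendor but is signed by an unrelated party, or is unsigned, deserves
# a closer look. The scan path and matching rule are assumptions; tune them.

function Test-DriverMetadataMismatch {
    param(
        [Parameter(Mandatory)][string]$Path
    )

    $item = Get-Item -LiteralPath $Path
    $vi   = $item.VersionInfo
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    $company  = [string]$vi.CompanyName
    $product  = [string]$vi.ProductName
    $signerCN = $null
    if ($sig.SignerCertificate) {
        # Pull the CN= component out of the signer's subject DN
        $signerCN = ($sig.SignerCertificate.Subject -split ',\s*' |
                     Where-Object { $_ -like 'CN=*' } |
                     Select-Object -First 1) -replace '^CN=', ''
    }

    # Heuristic: the first word of CompanyName should appear in the signer CN.
    # Vendors often sign under a slightly different legal name, so treat a
    # mismatch as a triage lead, not a verdict.
    $companyToken = ($company -split '[\s,.]+' | Where-Object { $_ })[0]
    $nameAgrees = $false
    if ($signerCN -and $companyToken) {
        $nameAgrees = $signerCN -match [regex]::Escape($companyToken)
    }

    [pscustomobject]@{
        Path        = $Path
        CompanyName = $company
        ProductName = $product
        Signature   = $sig.Status
        SignerCN    = $signerCN
        NameAgrees  = $nameAgrees
        Suspicious  = ($sig.Status -ne 'Valid') -or (-not $nameAgrees)
    }
}

# Usage: scan the driver directory and list only drivers worth a second look.
Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter *.sys -File |
    ForEach-Object { Test-DriverMetadataMismatch -Path $_.FullName } |
    Where-Object Suspicious |
    Format-Table -AutoSize Path, CompanyName, Signature, SignerCN
```

Expect noise from legitimately WHQL-attested third-party drivers, whose signer CN is Microsoft's publisher certificate rather than the vendor named in CompanyName; those should be allow-listed or compared against the catalog signature instead. The useful hits are drivers whose metadata names a real vendor while the file is unsigned, signed with a revoked or otherwise invalid certificate, or signed by a party with no relation to that vendor, which is the pattern the article describes for Poortry.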
Ransomware gangs known to use Poortry include Cuba, BlackCat, Medusa, LockBit and RansomHub, Sophos says.