W64/BURNTCIGAR.BS!tr.rkit
Analysis
W64/BURNTCIGAR.BS!tr.rkit is classified as a rootkit trojan.
A rootkit trojan is malware that runs with privileged access on the computer. It is usually a device driver
designed to hide the existence of other malware on the infected system.
Below are some of its observed characteristics/behaviours:
- This malware is associated with the Microsoft signed-driver outbreak. The sample is packed with a commercial packer and signed with a legitimate code-signing certificate, which allowed it to pass security checks that would otherwise have prevented the file from executing on the operating system. It may be used together with a malicious loader to disable security tools on victims' machines, after which the attackers can deploy other malware.
- The malware has been associated with the following third-party advisory:
https://msrc.microsoft.com/update-guide/vulnerability/ADV220005
- Known samples (MD5 / SHA256):
- MD5: 6a066d2be83cf83f343d0550b0b8f206 / SHA256: 0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99
- MD5: f9844524fb0009e5b784c21c7bad4220 / SHA256: 7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6
- MD5: 04a88f5974caa621cee18f34300fc08a / SHA256: 9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c
- MD5: 467e60b9a0d1153057e0cfd0e721e198 / SHA256: 49fd979d1bf545180a8e1d2d492e1e4d6494916ebf0b4172eeb3425b0d267267
- MD5: c0debd2cfb62fc2c56bfd4104b1ff760 / SHA256: 9a72a0420392114193b32cfca356070df6ca21bf92244526854218c987df3185
- MD5: 85063d67203b91bef9772446a1723021 / SHA256: d449ed118479e9760a029ad69e71f9a5626a5a65443d6fde2e96f7f3dcca0178
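As an added example (not part of this page, and not Fortinet's or Microsoft's code), the following Python script triages a driver file against the behaviour and indicators described above: it computes MD5 and SHA256 and matches them against the hash list on this page, and it parses the PE headers to report whether the file carries an Authenticode certificate table. The lesson of this outbreak is that a signature can be present and valid and still belong to malware, so the script records the certificate table as a fact, not as a trust decision; chain validation is left to signtool or Get-AuthenticodeSignature. The names BURNTCIGAR_IOCS, triage, certificate_table, signature_info and build_minimal_pe64 are this example's own, and build_minimal_pe64 constructs a skeletal PE32+ image for offline testing, not a real driver.

```python
"""Added triage helper for the signed-driver abuse described above.

Not Fortinet's or Microsoft's code. Hashes a file against the page's IOCs and
parses the PE headers for an Authenticode certificate table. A present table
is reported as a fact only; this outbreak is about drivers whose signatures
were valid, so chain validation must still be done with signtool or
Get-AuthenticodeSignature.
"""
import hashlib
import struct

# Indicators copied from this page (lower-case hex, MD5 and SHA256 mixed).
BURNTCIGAR_IOCS = {
    "6a066d2be83cf83f343d0550b0b8f206",
    "0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99",
    "f9844524fb0009e5b784c21c7bad4220",
    "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6",
    "04a88f5974caa621cee18f34300fc08a",
    "9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c",
    "467e60b9a0d1153057e0cfd0e721e198",
    "49fd979d1bf545180a8e1d2d492e1e4d6494916ebf0b4172eeb3425b0d267267",
    "c0debd2cfb62fc2c56bfd4104b1ff760",
    "9a72a0420392114193b32cfca356070df6ca21bf92244526854218c987df3185",
    "85063d67203b91bef9772446a1723021",
    "d449ed118479e9760a029ad69e71f9a5626a5a65443d6fde2e96f7f3dcca0178",
}

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data directory index of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode signatures are PKCS#7 SignedData


def hashes_of(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def match_iocs(data: bytes, iocs=BURNTCIGAR_IOCS) -> set:
    """Return the subset of this file's hashes that appear in the IOC set."""
    return {h for h in hashes_of(data).values() if h in iocs}


def certificate_table(data: bytes):
    """Return (file_offset, size) of the Authenticode table, or None if absent."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:                       # PE32+ (64-bit, the case for a W64 driver)
        n_dirs_off, dirs_off = 108, 112
    elif magic == 0x10B:                     # PE32
        n_dirs_off, dirs_off = 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (n_dirs,) = struct.unpack_from("<I", data, opt + n_dirs_off)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    # Unlike the other directories, the security entry holds a raw file offset, not an RVA.
    return (off, size) if size else None


def signature_info(data: bytes):
    """Parse the WIN_CERTIFICATE header at the certificate table; None if unsigned."""
    entry = certificate_table(data)
    if entry is None:
        return None
    off, size = entry
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    return {"offset": off, "length": length, "revision": revision,
            "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
            "truncated": off + length > len(data) or length > size}


def triage(data: bytes) -> dict:
    sig = signature_info(data)
    return {"hashes": hashes_of(data), "ioc_hits": match_iocs(data),
            "signed": sig is not None, "signature": sig}


def build_minimal_pe64(signed: bool) -> bytes:
    """Constructed sample: a skeletal PE32+ image (not a real driver), optionally with a fake cert table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew -> PE signature at 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)  # AMD64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    body = dos + b"PE\0\0" + coff + opt
    if signed:
        cert = b"\x30\x82" + b"\x00" * 30                      # placeholder standing in for a PKCS#7 blob
        blob = struct.pack("<IHH", 8 + len(cert), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, len(body), len(blob))
        body = dos + b"PE\0\0" + coff + opt + blob
    return bytes(body)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Run it with one or more driver paths (for example files under the system drivers directory) as arguments; it prints one triage record per file. Any file with an IOC hit is a match regardless of whether it is signed, and a signed file with no hit is not thereby clean.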
Outbreak Alert
Microsoft disclosed on Tuesday, Dec 13, 2022, that drivers certified by Microsoft's Windows Hardware Developer Program were being used maliciously in post-exploitation activity. Ongoing analysis by the Microsoft Threat Intelligence Center (MSTIC) indicates that the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR