W64/BURNTCIGAR.BS!tr.rkit

Analysis

W64/BURNTCIGAR.BS!tr.rkit is classified as a rootkit trojan.
A rootkit trojan is a type of malware that has privileged access on the computer. It is usually a device driver program that is designed to hide the existence of other malware on the infected system.
Below are some of its observed characteristics/behaviours:

  • This malware is associated with the Microsoft signed-driver outbreak. The malware is packed with a commercial packer and was signed with a legitimate signing certificate, allowing it to bypass the security checks that would otherwise have prevented the file from executing on the operating system. The malware may be used in conjunction with a malicious loader to disable security tools on victims' machines, which would then allow attackers to deploy other malware.

  • The malware has been associated with the following third-party article/advisory:
    https://msrc.microsoft.com/update-guide/vulnerability/ADV220005

  • Following are some of the exact file hashes associated with this detection:

Outbreak Alert

Microsoft disclosed on Tuesday (Dec 13, 2022) that drivers certified by Microsoft's Windows Hardware Developer Program were being used maliciously in post-exploitation activity. Ongoing analysis by the Microsoft Threat Intelligence Center (MSTIC) indicates that the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware.


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-08-01 91.05634
2023-04-03 91.02022
2023-02-22 91.00807
2023-02-16 91.00640
2023-02-14 91.00582
2023-01-30 91.00125
2023-01-16 90.09703
2023-01-14 90.09644
2023-01-03 90.09314
2022-12-31 90.09240