In the course of doing our research, we studied older variants of #BURNTCIGAR #drivers, and compared them to the new ones we were encountering during the incident response.
We found that these new drivers had been obfuscated with a variety of techniques, specifically that the drivers were packed using a commercial runtime #packer called #VMprotect. The packer makes it more difficult for an analyst to reverse-engineer a #malware sample, but we don't see a lot of drivers that are packed, at all. It was kind of unusual.
In addition, the malware drivers require the threat actor to run an executable called a loader, which simply does the mechanical work of creating Services entries in the Windows Registry, and moving the driver into the %temp% directory. The loader isn't packed.
#burntcigar #drivers #packer #vmprotect #malware
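As an added example (my own code, not from the original posts and not Sophos or Microsoft tooling), here is a defender-side check that follows from the loader behaviour described above: enumerate the driver services registered under the Services registry key, flag any whose binary lives under a temp directory, and report the Authenticode signer of that binary. It assumes the standard layout of driver service entries under HKLM\SYSTEM\CurrentControlSet\Services (a Type value of 1 or 2 and an ImagePath value) and that the driver was dropped into the current user's %temp% or the system Temp directory; a hit is a triage lead, not proof of BURNTCIGAR.

```powershell
# Added example, not from the original posts: hunt for kernel/file-system driver services
# whose binary sits under a temp directory and show who signed that binary.
# Assumptions: drivers are registered under HKLM\SYSTEM\CurrentControlSet\Services with
# Type 1 (kernel driver) or 2 (file system driver) and an ImagePath value.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Temp roots to match against. $env:TEMP may be an 8.3 short path on some hosts;
# compare against the expanded ImagePath as-is and extend this list if needed.
$tempRoots = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))

function Convert-ImagePath {
    param([string]$ImagePath)
    # Normalise the forms a driver ImagePath can take:
    #   \??\C:\path\driver.sys, \SystemRoot\System32\drivers\x.sys, system32\drivers\x.sys
    $p = $ImagePath.Trim('"')
    if ($p -like '\??\*') { $p = $p.Substring(4) }
    if ($p -like '\SystemRoot\*') { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    elseif ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return [Environment]::ExpandEnvironmentVariables($p)
}

$findings = foreach ($svc in Get-ChildItem $servicesKey) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    # Only driver services (Type 1 or 2) with an ImagePath are of interest here
    if ($null -eq $props.ImagePath -or $props.Type -notin 1, 2) { continue }

    $path = Convert-ImagePath $props.ImagePath
    $inTemp = $false
    foreach ($root in $tempRoots) {
        if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTemp = $true }
    }
    if (-not $inTemp) { continue }

    # Report the signer; a valid signature is NOT a clean bill of health (see the post on
    # Windows Hardware Compatibility Publisher-signed drivers), so the subject is shown for review.
    $sig = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    [pscustomobject]@{
        Service   = $svc.PSChildName
        ImagePath = $path
        Start     = $props.Start
        SigStatus = if ($sig) { $sig.Status } else { 'file missing' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
    }
}

$findings | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the host under investigation. The signer column is deliberately informational rather than used as a filter: because the new drivers carry a legitimate Microsoft Windows Hardware Compatibility Publisher signature, filtering on "signature valid" would hide exactly the case the post describes, while a driver service whose binary was loaded from a temp directory is unusual regardless of who signed it.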
This morning, my colleague Andreas and I were able to release the first of what I expect will be a series of blog posts about a supply chain compromise of #Microsoft's code-signing infrastructure.
The @SophosXOps team discovered in October that a ransomware threat actor was deploying a #malware package that was discovered by Mandiant earlier this year. They named the package #BURNTCIGAR - it's a signed Windows #driver that is purpose-built to kill endpoint security and #EDR tools.
Previous BURNTCIGAR drivers had been signed with shady or known-compromised code signing certificates. These new ones were signed by Microsoft's Windows Hardware Compatibility Publisher - pretty much a gold standard for authoritative cryptographic signing of code that can run at kernel-mode under Windows.
Yeah, it's...kinda bad. We informed Microsoft, and they released an advisory this morning about it. We're now free from our NDA to publish our research.
https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/
#microsoft #malware #burntcigar #driver #edr