W64/BURNTCIGAR.BS!tr

Analysis

W64/BURNTCIGAR.BS!tr is a generic detection for a trojan.
This malware has been associated with the following third-party article/advisory:

https://msrc.microsoft.com/update-guide/vulnerability/ADV220005
The correlation was established by a near or exact database match on one of the sample/IOC file hashes listed in the referenced advisory.
Below are some of its observed characteristics/behaviours:
  • This malware is associated with the Microsoft signed-driver outbreak. The sample is packed with a commercial packer and was signed with a legitimate code-signing certificate issued through Microsoft's hardware developer program, allowing it to pass the signature checks that would otherwise have prevented the operating system from loading it. It may be used together with a malicious loader to disable security tools on a victim's machine, after which attackers can deploy further malware.

  • Code related to download capability was observed in the malware, and the analysis also indicated which organizations appear to have been compromised to obtain the signed drivers.

  • The following illustration was captured during our quick analysis:

    • Figure 1: Malware body.


  • The following near/exact IOC file hashes are associated with this detection:
    • MD5: 63960DBC7D63767EDB6E1E2DC6F0707B
      SHA256: cce24ebdd344c8184dbaa0a0c4a65c7d952a11f6608fe23d562a4d1178915eac
    • MD5: 6E3516775E7E009777DCDB7A314F1482
      SHA256: 198fc46b59ce8956c161648f9d3b31d4ac323417cb79bf77a094c0824f50dad1
    • MD5: DDEE86B84DCB72835B57B1D049E9E0CD
      SHA256: fd765103cd948bd0099cc05782348f2b425441a87a7f38f1bfcdb185aecca84d
    • MD5: E2C146A2522E4F40E5036C3FE12C3560
      SHA256: 2303b69f630d35d7eae22d30c5efeb76d6d89e80c7be9365b90db44e5ce5e94a
    • MD5: EA5F6AB5666193F805D13A49009F0699
      SHA256: eb486d6fbc6886e3370386438c52111283524cd95abd629adcd55ec7c9adb706
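As an added example (this is not Fortinet's tooling and not code from the advisory), the following Python script sweeps a directory for files whose MD5 or SHA-256 matches the IOC list above, treating SHA-256 as authoritative and reporting MD5-only hits separately since MD5 collisions are practical. The default scan root, the `.sys` filename filter and the helper names are assumptions; a loader can stage a signed driver under any name and path, so widen the sweep on a real host.

```python
"""Hash sweep for the W64/BURNTCIGAR.BS!tr IOCs listed on this page.

Added example, not Fortinet's code. Hashes candidate driver files and reports
any whose MD5 or SHA-256 matches the published IOC list.
"""
import hashlib
import os
import sys
from pathlib import Path

# (md5, sha256) pairs copied from the IOC list above, lower-cased.
IOC_PAIRS = [
    ("63960dbc7d63767edb6e1e2dc6f0707b",
     "cce24ebdd344c8184dbaa0a0c4a65c7d952a11f6608fe23d562a4d1178915eac"),
    ("6e3516775e7e009777dcdb7a314f1482",
     "198fc46b59ce8956c161648f9d3b31d4ac323417cb79bf77a094c0824f50dad1"),
    ("ddee86b84dcb72835b57b1d049e9e0cd",
     "fd765103cd948bd0099cc05782348f2b425441a87a7f38f1bfcdb185aecca84d"),
    ("e2c146a2522e4f40e5036c3fe12c3560",
     "2303b69f630d35d7eae22d30c5efeb76d6d89e80c7be9365b90db44e5ce5e94a"),
    ("ea5f6ab5666193f805d13a49009f0699",
     "eb486d6fbc6886e3370386438c52111283524cd95abd629adcd55ec7c9adb706"),
]
IOC_MD5 = {m for m, _ in IOC_PAIRS}
IOC_SHA256 = {s for _, s in IOC_PAIRS}


def digest_pair(chunks):
    """Return (md5, sha256) hex digests over an iterable of byte chunks."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    for chunk in chunks:
        md5.update(chunk)
        sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Stream a file through digest_pair so large drivers are not read at once."""
    with open(path, "rb") as fh:
        return digest_pair(iter(lambda: fh.read(chunk_size), b""))


def classify(md5, sha256, md5_set=IOC_MD5, sha256_set=IOC_SHA256):
    """Verdict for a hash pair: 'match' on SHA-256, 'md5-only' if only the
    weaker hash matches (possible collision, still worth a look), else 'clean'."""
    if sha256.lower() in sha256_set:
        return "match"
    if md5.lower() in md5_set:
        return "md5-only"
    return "clean"


def scan(paths, md5_set=IOC_MD5, sha256_set=IOC_SHA256):
    """Hash each path and return [(path, md5, sha256, verdict)] for non-clean files."""
    hits = []
    for p in paths:
        try:
            md5, sha = hash_file(p)
        except OSError:
            continue  # locked or unreadable files are skipped, not fatal
        verdict = classify(md5, sha, md5_set, sha256_set)
        if verdict != "clean":
            hits.append((str(p), md5, sha, verdict))
    return hits


def candidate_drivers(root):
    """Yield *.sys files under root (assumed filter; loaders may use any name)."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".sys"):
                yield Path(dirpath) / name


if __name__ == "__main__":
    # Assumed default root; pass a different directory as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\drivers"
    for path, md5, sha, verdict in scan(candidate_drivers(root)):
        print(f"{verdict:9} {path}  md5={md5}  sha256={sha}")
```

A hash match only confirms that a known sample is present; a repacked or re-signed variant will not hit, so pair this sweep with the vendor AV update and the Windows driver block list update referenced in the advisory.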


Outbreak Alert

Microsoft disclosed on Tuesday, Dec 13, 2022 that drivers certified by Microsoft's Windows Hardware Developer Program were being used maliciously in post-exploitation activity. Ongoing analysis by the Microsoft Threat Intelligence Center (MSTIC) indicates that the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware.


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                      Level
FortiClient                  Extreme
FortiMail                    Extreme
FortiSandbox                 Extreme
FortiWeb                     Extreme
Web Application Firewall     Extreme
FortiIsolator                Extreme
FortiDeceptor                Extreme
FortiEDR

Version Updates

Date         Version     Detail
2023-07-25   91.05424
2023-01-03   90.09317
2022-12-19   90.08866
2022-12-16   90.08790
2022-12-15   90.08761