- Sophos X-Ops Rapid Response discovered a pair of files left behind on some compromised machines.
- One of those files is a cryptographically signed Windows driver; together with a loader executable it terminates processes or services used by endpoint security product vendors.
- The team reported the incident to Microsoft privately and an advisory was published about the vulnerability shortly after.
Cybersecurity researchers at Sophos revealed an unusual method used by a notorious ransomware group, named Cuba. The attackers are exploiting vulnerabilities in Microsoft-approved hardware drivers to launch ransomware attacks. The team noticed the incident while investigating suspicious activity on a customer network.
Signed driver malware
Sophos X-Ops Rapid Response (RR) discovered a pair of files left behind on some compromised machines. Working together, these two files can terminate processes or services used by a variety of endpoint security product vendors. The team removed the attackers from the system to prevent further damage, but it is impossible to know which ransomware the attackers intended to deploy.
The techniques and the files left behind gave the team a clue. The analysis showed that the executable files are a cryptographically signed Windows driver and an executable “loader” application designed to install the driver. The files were used in tandem in a failed attempt to disable endpoint security tools. The team stated that they have strong evidence that it was a variant of the malware Mandiant names BURNTCIGAR.
The company privately reported the issue to Microsoft and the tech giant published an advisory about it. Sophos found several similarities between the latest incident and earlier samples referenced in the PAN and Mandiant reports, as well as additional samples found on VirusTotal:
- The naming scheme of the drivers as well as the installed symbolic link names are the same or similar. In PAN’s report, the driver is called ApcHelper.sys. The driver used in the incident is called KApcHelper.sys. The team has not found any potential false positives through telemetry review so far.
- The incident and the incident from PAN’s report are both linked to Cuba ransomware, with high confidence.
- While not all samples have identical PE file metadata, the Microsoft-signed driver from the analyzed incident shares the same PE header timestamp (2022:06:02 10:09:08+00:00) as the drivers signed by Zhuhai Liancheng Technology Co., Ltd. (ZLT) and the Beijing JHI driver.
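The PE-header timestamp pivot used in the last bullet, as an added Python example that is not part of the Sophos report or this article: it reads the COFF TimeDateStamp straight from the header (no third-party PE library) and groups samples that share the same value, which is how an analyst spots drivers built from the same source tree even when other metadata differs. The blobs are constructed stub headers, and every filename other than KApcHelper.sys is a placeholder, not a real driver.

```python
import struct
from datetime import datetime, timezone

EXIF_FMT = "%Y:%m:%d %H:%M:%S+00:00"  # the notation the report uses for the timestamp


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def format_pe_timestamp(dt: datetime) -> str:
    return dt.strftime(EXIF_FMT)


def cluster_by_timestamp(samples: dict) -> dict:
    """Map each distinct compile timestamp to the list of sample names carrying it."""
    groups = {}
    for name, blob in samples.items():
        groups.setdefault(format_pe_timestamp(pe_timestamp(blob)), []).append(name)
    return groups


def build_stub_pe(ts: int) -> bytes:
    """Constructed sample: a 64-byte DOS header whose e_lfanew points at a bare PE/COFF header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    # Machine=x64, 1 section, TimeDateStamp=ts, no symbols, no optional header, no flags.
    coff = struct.pack("<HHIIIHH", 0x8664, 1, ts, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff


# Constructed inputs: the shared timestamp quoted in the report, plus one unrelated build.
SHARED_TS = int(datetime(2022, 6, 2, 10, 9, 8, tzinfo=timezone.utc).timestamp())
OTHER_TS = int(datetime(2021, 11, 15, 8, 0, 0, tzinfo=timezone.utc).timestamp())
SAMPLES = {
    "KApcHelper.sys": build_stub_pe(SHARED_TS),        # driver name from the incident
    "zlt_signed_placeholder.sys": build_stub_pe(SHARED_TS),  # stand-in for a ZLT-signed driver
    "jhi_placeholder.sys": build_stub_pe(SHARED_TS),   # stand-in for the Beijing JHI driver
    "unrelated_placeholder.sys": build_stub_pe(OTHER_TS),
}

if __name__ == "__main__":
    for stamp, names in cluster_by_timestamp(SAMPLES).items():
        print(stamp, "->", ", ".join(names))
```

Sharing a TimeDateStamp is a pivot, not proof: the field is attacker-controlled and can be zeroed or copied, so it is only one of the overlapping signals listed above.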