Wednesday, November 20, 2024
Homecyber securityRansomware Group Added a New EDR Killer Tool to their arsenal

Ransomware Group Added a New EDR Killer Tool to their arsenal

Published on

A ransomware group known as RansomHub has been found deploying a new tool designed to disable endpoint detection and response (EDR) systems.

This tool, EDRKillShifter, represents a significant advancement in the tactics used by cybercriminals to bypass security measures and execute ransomware attacks.

Although a recent attack using this tool was thwarted, the discovery underscores the persistent threat of ransomware groups and their continuous adaptation to security technologies.

- Advertisement - SIEM as a Service

The Rise of EDRKillShifter

Sophos analysts uncovered the EDRKillShifter tool during an attempted ransomware attack in May 2023. While the attack was unsuccessful, the postmortem analysis revealed the presence of this new utility aimed at terminating endpoint protection software.

The tool’s emergence is part of a broader trend observed since 2022, where malware designed to disable EDR systems has become increasingly sophisticated.

This trend aligns with the growing adoption of EDR technologies by organizations seeking to protect their endpoints from cyber threats.

How EDRKillShifter Works

EDRKillShifter functions as a “loader” executable, serving as a delivery mechanism for a legitimate driver vulnerable to abuse.

This approach, known as “bring your vulnerable driver” (BYOVD), allows attackers to leverage existing vulnerabilities in legitimate software to gain the necessary privileges to disable EDR tools.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

The execution process involves three steps:

  1. Execution with Password: The attacker runs EDRKillShifter with a command line and a specific password string. This password is crucial for decrypting an embedded resource named BIN and executing it in memory.
  2. Unpacking and Execution: The BIN code unpacks and executes the final payload in the Go programming language. This payload exploits various vulnerable drivers to gain the privileges needed to unhook EDR protection.
  3. Dynamic Loading: The final payload is dynamically loaded into memory and executed, effectively disabling the EDR system.

Technical Analysis of EDRKillShifter

Peeling Off the First Layer

Initial analysis of EDRKillShifter reveals that all samples share similar version data, with the original filename being Loader.exe.

The binary’s language property is Russian, suggesting that the malware author compiled it on a computer with Russian localization settings. Execution requires a unique 64-character password; without it, the tool will not run.

Version info of EDRKillShifter as shown in CFF Explorer
Version info of EDRKillShifter as shown in CFF Explorer

Loading the Final EDR Killer

The second stage of the tool is obfuscated using self-modifying code techniques. This makes analysis challenging, as the actual instructions are only revealed during execution.

The final decoded layer’s sole purpose is to load and execute the final payload in memory.

The EDRKillShifter uses self-modifying code to change every subsequent instruction
The EDRKillShifter uses self-modifying code to change every subsequent instruction

Analysis of the Ultimate Payload

The ultimate payloads analyzed were all written in Go and heavily obfuscated, likely using tools like obfuscate.

This obfuscation hinders reverse engineering efforts, making it difficult for security researchers to analyze the malware.

However, tools like GoReSym have been used to extract valuable information from these obfuscated samples.

Similarities and Variants

All analyzed EDR killer variants embed a vulnerable driver, exploiting it to acquire the necessary privileges to disable EDR systems.

The variants differ mainly in the specific vulnerable driver they exploit. These drivers are often legitimate but have known vulnerabilities that are exploited using publicly available proof-of-concept code.

A Process Monitor log shows the malware dropping the abusable driver into the TEMP folder
A Process Monitor log shows the malware dropping the abusable driver into the TEMP folder

Mapping EDRKillShifter in the Threat Landscape

The EDRKillShifter tool appears to be part of a larger ecosystem of malware tools sold on the dark net.

The loader’s primary function is to deploy the final BYOVD payload, suggesting that it might have been acquired separately from the payloads it delivers.

This modular approach allows different threat actors to use the same loader with various payloads, complicating attribution efforts.

Example of an obfuscator tool advertisement for sale on a dark net criminal forum
Example of an obfuscator tool advertisement for sale on a dark net criminal forum

The discovery of EDRKillShifter highlights the ongoing arms race between cybercriminals and cybersecurity professionals.

As organizations continue to adopt advanced security measures like EDR systems, threat actors are developing increasingly sophisticated tools to bypass these defenses.

The cybersecurity community must remain vigilant and adaptive, employing a combination of technological solutions and threat intelligence to stay ahead of these evolving threats.

The failed attack by RansomHub serves as a reminder of the importance of robust security practices and the need for continuous monitoring and analysis of emerging threats.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Microsoft Ignite New 360-Degree Details Attackers Tools & Methods

A significant leap forward in cybersecurity was announced with the introduction of new threat...

Trend Micro Deep Security Vulnerable to Command Injection Attacks

Trend Micro has released a critical update addressing a remote code execution (RCE) vulnerability...

CISA Warns Kemp LoadMaster OS Command Injection Vulnerability Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent security advisory warning organizations...

Phobos Ransomware Admin as Part of International Hacking Operation

The U.S. Department of Justice unsealed criminal charges today against Evgenii Ptitsyn, a 42-year-old Russian...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Microsoft Ignite New 360-Degree Details Attackers Tools & Methods

A significant leap forward in cybersecurity was announced with the introduction of new threat...

Trend Micro Deep Security Vulnerable to Command Injection Attacks

Trend Micro has released a critical update addressing a remote code execution (RCE) vulnerability...

CISA Warns Kemp LoadMaster OS Command Injection Vulnerability Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent security advisory warning organizations...