Saturday, December 7, 2024
HomeCyber CrimeHackers Using AV/EDR Bypass Tool From Cybercrime Forums To Bypass Endpoints

Hackers Using AV/EDR Bypass Tool From Cybercrime Forums To Bypass Endpoints

Published on

SIEM as a Service

Researchers uncovered two previously unknown endpoints with older Cortex XDR agents that used to test an AV/EDR bypass tool were compromised, granting unauthorized access.

The threat actor utilized a bypass tool, likely purchased from cybercrime forums, to compromise the system.

Subsequent analysis of recovered files and digital footprints revealed the identity of one of the attackers, providing insights into their personal and professional life.

- Advertisement - SIEM as a Service
 High-level chain of events for this attack.
 High-level chain of events for this attack.

The disabler.exe tool, derived from EDRSandBlast source code, targets and removes EDR hooks in user-mode and kernel-mode by leveraging a vulnerable driver, wnbios.sys or WN_64.sys, for privileged access. 

Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs

The rogue system’s “Z:\freelance” directory contained usernames potentially linked to cybercrime affiliates.

By searching forums like XSS and Exploit, “Marti71” was identified as a likely suspect due to their consistent activity and posts seeking AV/EDR bypass tools.

They found a potential solution advertised by KernelMode on an online forum, with positive feedback from other users. However, the exact nature of the tool and its developer remain unclear.

KernelMode is posting about the sale of an AV/EDR bypass tool.
KernelMode is posting about the sale of an AV/EDR bypass tool.

The threat actor demonstrated a tool capable of bypassing multiple AV/EDR agents, enabling successful Mimikatz execution, which was confirmed by comparing identical tool demonstration recordings found on both the rogue system and the actor’s shared archive.

Analysis of captured files from DESKTOP-J8AOTJS reveals a compressed archive (ContiTraining.rar) containing a torrent file (ContiTraining.torrent) created in 2021, which points to publicly leaked Conti attacker materials, including penetration testing tools and exploit manuals. 

The folder contained sensitive PII, device details, and authentication credentials. It also included various hacking tools, such as AV/EDR bypass tools, Mimikatz, and kernel driver utilities. 

 Text file with payment information.
 Text file with payment information.

Additionally, the folder held materials related to code obfuscation, anti-cheat bypass, and a presentation on compiler obfuscation, suggesting potential malicious intent and advanced technical capabilities.

The threat actor accessed and exfiltrated sensitive financial information, including P-1 forms, from a compromised system, potentially exposing details about companies and individuals involved in transactions within Kazakhstan.

Snippet of the Windows taskbar from one of the demonstration videos.
Snippet of the Windows taskbar from one of the demonstration videos.

The video evidence suggests that threat actors are using virtual machines to bypass AV/EDR tools, potentially targeting Mikrotik routers through WinBox.

The unconventional management console URL and the presence of OBS Studio indicate a sophisticated setup for recording and sharing these attacks.

The attackers used Atera, Cobalt Strike, PsExec, and Rclone, mirroring Conti’s TTPs. The Cobalt Strike watermark links the attack to Conti and Dark Scorpius, but ransomware was not deployed.

The threat actor, Andry, a Kazakhstani employee, was exposed due to an OpSec failure. His LinkedIn and VKontakte profiles and company website revealed his identity and potential connections.

An individual identified as KernelMode, likely a developer of an AV/EDR bypass tool, was linked to rogue system hosting tool demonstrations. However, while this individual was an active system user, their ownership and direct involvement in the attack remain uncertain.

The recent trend of AV/EDR bypass tools continues to evolve as threat actors monetize these tools on underground forums, regularly updating them. This exposes a rogue system, revealing a threat actor’s toolkit and identity. 

According to Unit 42, organizations should enable agent tampering protection and block indicators of compromise to mitigate this issue. 

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...