Saturday, December 21, 2024
Homecyber securityRansomware Group Added a New EDR Killer Tool to their arsenal

Ransomware Group Added a New EDR Killer Tool to their arsenal

Published on

SIEM as a Service

A ransomware group known as RansomHub has been found deploying a new tool designed to disable endpoint detection and response (EDR) systems.

This tool, EDRKillShifter, represents a significant advancement in the tactics used by cybercriminals to bypass security measures and execute ransomware attacks.

Although a recent attack using this tool was thwarted, the discovery underscores the persistent threat of ransomware groups and their continuous adaptation to security technologies.

- Advertisement - SIEM as a Service

The Rise of EDRKillShifter

Sophos analysts uncovered the EDRKillShifter tool during an attempted ransomware attack in May 2023. While the attack was unsuccessful, the postmortem analysis revealed the presence of this new utility aimed at terminating endpoint protection software.

The tool’s emergence is part of a broader trend observed since 2022, where malware designed to disable EDR systems has become increasingly sophisticated.

This trend aligns with the growing adoption of EDR technologies by organizations seeking to protect their endpoints from cyber threats.

How EDRKillShifter Works

EDRKillShifter functions as a “loader” executable, serving as a delivery mechanism for a legitimate driver vulnerable to abuse.

This approach, known as “bring your vulnerable driver” (BYOVD), allows attackers to leverage existing vulnerabilities in legitimate software to gain the necessary privileges to disable EDR tools.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

The execution process involves three steps:

  1. Execution with Password: The attacker runs EDRKillShifter with a command line and a specific password string. This password is crucial for decrypting an embedded resource named BIN and executing it in memory.
  2. Unpacking and Execution: The BIN code unpacks and executes the final payload in the Go programming language. This payload exploits various vulnerable drivers to gain the privileges needed to unhook EDR protection.
  3. Dynamic Loading: The final payload is dynamically loaded into memory and executed, effectively disabling the EDR system.

Technical Analysis of EDRKillShifter

Peeling Off the First Layer

Initial analysis of EDRKillShifter reveals that all samples share similar version data, with the original filename being Loader.exe.

The binary’s language property is Russian, suggesting that the malware author compiled it on a computer with Russian localization settings. Execution requires a unique 64-character password; without it, the tool will not run.

Version info of EDRKillShifter as shown in CFF Explorer
Version info of EDRKillShifter as shown in CFF Explorer

Loading the Final EDR Killer

The second stage of the tool is obfuscated using self-modifying code techniques. This makes analysis challenging, as the actual instructions are only revealed during execution.

The final decoded layer’s sole purpose is to load and execute the final payload in memory.

The EDRKillShifter uses self-modifying code to change every subsequent instruction
The EDRKillShifter uses self-modifying code to change every subsequent instruction

Analysis of the Ultimate Payload

The ultimate payloads analyzed were all written in Go and heavily obfuscated, likely using tools like obfuscate.

This obfuscation hinders reverse engineering efforts, making it difficult for security researchers to analyze the malware.

However, tools like GoReSym have been used to extract valuable information from these obfuscated samples.

Similarities and Variants

All analyzed EDR killer variants embed a vulnerable driver, exploiting it to acquire the necessary privileges to disable EDR systems.

The variants differ mainly in the specific vulnerable driver they exploit. These drivers are often legitimate but have known vulnerabilities that are exploited using publicly available proof-of-concept code.

A Process Monitor log shows the malware dropping the abusable driver into the TEMP folder
A Process Monitor log shows the malware dropping the abusable driver into the TEMP folder

Mapping EDRKillShifter in the Threat Landscape

The EDRKillShifter tool appears to be part of a larger ecosystem of malware tools sold on the dark net.

The loader’s primary function is to deploy the final BYOVD payload, suggesting that it might have been acquired separately from the payloads it delivers.

This modular approach allows different threat actors to use the same loader with various payloads, complicating attribution efforts.

Example of an obfuscator tool advertisement for sale on a dark net criminal forum
Example of an obfuscator tool advertisement for sale on a dark net criminal forum

The discovery of EDRKillShifter highlights the ongoing arms race between cybercriminals and cybersecurity professionals.

As organizations continue to adopt advanced security measures like EDR systems, threat actors are developing increasingly sophisticated tools to bypass these defenses.

The cybersecurity community must remain vigilant and adaptive, employing a combination of technological solutions and threat intelligence to stay ahead of these evolving threats.

The failed attack by RansomHub serves as a reminder of the importance of robust security practices and the need for continuous monitoring and analysis of emerging threats.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...

Siemens UMC Vulnerability Allows Arbitrary Remote Code Execution

A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could...

Foxit PDF Editor Vulnerabilities Allows Remote Code Execution

Foxit Software has issued critical security updates for its widely used PDF solutions, Foxit...

Windows 11 Privilege Escalation Vulnerability Lets Attackers Execute Code to Gain Access

Microsoft has swiftly addressed a critical security vulnerability affecting Windows 11 (version 23H2), which...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...

Siemens UMC Vulnerability Allows Arbitrary Remote Code Execution

A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could...

Foxit PDF Editor Vulnerabilities Allows Remote Code Execution

Foxit Software has issued critical security updates for its widely used PDF solutions, Foxit...