A ransomware group known as RansomHub has been found deploying a new tool designed to disable endpoint detection and response (EDR) systems.
This tool, EDRKillShifter, represents a significant advancement in the tactics used by cybercriminals to bypass security measures and execute ransomware attacks.
Although a recent attack using this tool was thwarted, the discovery underscores the persistent threat of ransomware groups and their continuous adaptation to security technologies.
Sophos analysts uncovered the EDRKillShifter tool during an attempted ransomware attack in May 2023. While the attack was unsuccessful, the postmortem analysis revealed the presence of this new utility aimed at terminating endpoint protection software.
The tool’s emergence is part of a broader trend observed since 2022, where malware designed to disable EDR systems has become increasingly sophisticated.
This trend aligns with the growing adoption of EDR technologies by organizations seeking to protect their endpoints from cyber threats.
EDRKillShifter functions as a “loader” executable, serving as a delivery mechanism for a legitimate driver vulnerable to abuse.
This approach, known as “bring your vulnerable driver” (BYOVD), allows attackers to leverage existing vulnerabilities in legitimate software to gain the necessary privileges to disable EDR tools.
Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot
The execution process involves three steps:
Peeling Off the First Layer
Initial analysis of EDRKillShifter reveals that all samples share similar version data, with the original filename being Loader.exe.
The binary’s language property is Russian, suggesting that the malware author compiled it on a computer with Russian localization settings. Execution requires a unique 64-character password; without it, the tool will not run.
Loading the Final EDR Killer
The second stage of the tool is obfuscated using self-modifying code techniques. This makes analysis challenging, as the actual instructions are only revealed during execution.
The final decoded layer’s sole purpose is to load and execute the final payload in memory.
The ultimate payloads analyzed were all written in Go and heavily obfuscated, likely using tools like obfuscate.
This obfuscation hinders reverse engineering efforts, making it difficult for security researchers to analyze the malware.
However, tools like GoReSym have been used to extract valuable information from these obfuscated samples.
Similarities and Variants
All analyzed EDR killer variants embed a vulnerable driver, exploiting it to acquire the necessary privileges to disable EDR systems.
The variants differ mainly in the specific vulnerable driver they exploit. These drivers are often legitimate but have known vulnerabilities that are exploited using publicly available proof-of-concept code.
The EDRKillShifter tool appears to be part of a larger ecosystem of malware tools sold on the dark net.
The loader’s primary function is to deploy the final BYOVD payload, suggesting that it might have been acquired separately from the payloads it delivers.
This modular approach allows different threat actors to use the same loader with various payloads, complicating attribution efforts.
The discovery of EDRKillShifter highlights the ongoing arms race between cybercriminals and cybersecurity professionals.
As organizations continue to adopt advanced security measures like EDR systems, threat actors are developing increasingly sophisticated tools to bypass these defenses.
The cybersecurity community must remain vigilant and adaptive, employing a combination of technological solutions and threat intelligence to stay ahead of these evolving threats.
The failed attack by RansomHub serves as a reminder of the importance of robust security practices and the need for continuous monitoring and analysis of emerging threats.
Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces
Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…
Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…
The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…
A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…
Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…
A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…