Ransomware Group Added a New EDR Killer Tool to their arsenal

A ransomware group known as RansomHub has been found deploying a new tool designed to disable endpoint detection and response (EDR) systems.

This tool, EDRKillShifter, represents a significant advancement in the tactics used by cybercriminals to bypass security measures and execute ransomware attacks.

Although a recent attack using this tool was thwarted, the discovery underscores the persistent threat of ransomware groups and their continuous adaptation to security technologies.

The Rise of EDRKillShifter

Sophos analysts uncovered the EDRKillShifter tool during an attempted ransomware attack in May 2023. While the attack was unsuccessful, the postmortem analysis revealed the presence of this new utility aimed at terminating endpoint protection software.

The tool’s emergence is part of a broader trend observed since 2022, where malware designed to disable EDR systems has become increasingly sophisticated.

This trend aligns with the growing adoption of EDR technologies by organizations seeking to protect their endpoints from cyber threats.

How EDRKillShifter Works

EDRKillShifter functions as a “loader” executable, serving as a delivery mechanism for a legitimate driver vulnerable to abuse.

This approach, known as “bring your vulnerable driver” (BYOVD), allows attackers to leverage existing vulnerabilities in legitimate software to gain the necessary privileges to disable EDR tools.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

The execution process involves three steps:

1. Execution with Password: The attacker runs EDRKillShifter with a command line and a specific password string. This password is crucial for decrypting an embedded resource named BIN and executing it in memory.
2. Unpacking and Execution: The BIN code unpacks and executes the final payload in the Go programming language. This payload exploits various vulnerable drivers to gain the privileges needed to unhook EDR protection.
3. Dynamic Loading: The final payload is dynamically loaded into memory and executed, effectively disabling the EDR system.

Technical Analysis of EDRKillShifter

Peeling Off the First Layer

Initial analysis of EDRKillShifter reveals that all samples share similar version data, with the original filename being Loader.exe.

The binary’s language property is Russian, suggesting that the malware author compiled it on a computer with Russian localization settings. Execution requires a unique 64-character password; without it, the tool will not run.

Loading the Final EDR Killer

The second stage of the tool is obfuscated using self-modifying code techniques. This makes analysis challenging, as the actual instructions are only revealed during execution.

The final decoded layer’s sole purpose is to load and execute the final payload in memory.

Analysis of the Ultimate Payload

The ultimate payloads analyzed were all written in Go and heavily obfuscated, likely using tools like obfuscate.

This obfuscation hinders reverse engineering efforts, making it difficult for security researchers to analyze the malware.

However, tools like GoReSym have been used to extract valuable information from these obfuscated samples.

Similarities and Variants

All analyzed EDR killer variants embed a vulnerable driver, exploiting it to acquire the necessary privileges to disable EDR systems.

The variants differ mainly in the specific vulnerable driver they exploit. These drivers are often legitimate but have known vulnerabilities that are exploited using publicly available proof-of-concept code.

Mapping EDRKillShifter in the Threat Landscape

The EDRKillShifter tool appears to be part of a larger ecosystem of malware tools sold on the dark net.

The loader’s primary function is to deploy the final BYOVD payload, suggesting that it might have been acquired separately from the payloads it delivers.

This modular approach allows different threat actors to use the same loader with various payloads, complicating attribution efforts.

The discovery of EDRKillShifter highlights the ongoing arms race between cybercriminals and cybersecurity professionals.

As organizations continue to adopt advanced security measures like EDR systems, threat actors are developing increasingly sophisticated tools to bypass these defenses.

The cybersecurity community must remain vigilant and adaptive, employing a combination of technological solutions and threat intelligence to stay ahead of these evolving threats.

The failed attack by RansomHub serves as a reminder of the importance of robust security practices and the need for continuous monitoring and analysis of emerging threats.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces