A ransomware group, RansomHub, has introduced EDRKillShifter, a tool designed to disable EDR systems. This advancement highlights the group’s evolving tactics to bypass security measures and execute attacks. Although a recent attack was stopped, the threat from such groups remains significant.
Sophos analysts discovered the EDRKillShifter tool during a failed ransomware attack in May 2023. Postmortem analysis showed that the utility's purpose is to disable endpoint protection software, continuing a trend, observed since 2022, of increasingly sophisticated malware targeting EDR systems. The trend mirrors the growing adoption of EDR by organizations to safeguard their endpoints.
How EDRKillShifter Works
EDRKillShifter operates as a "loader" executable that delivers a legitimate but exploitable driver. This "bring your own vulnerable driver" (BYOVD) tactic lets attackers abuse known vulnerabilities in legitimate, signed software to acquire the kernel-level privileges needed to disable EDR tools.
The execution process unfolds in three steps:
- Execution with Password: The attacker initiates EDRKillShifter using a command line with a specific password, which decrypts an embedded resource named BIN for in-memory execution.
- Unpacking and Execution: The BIN resource unpacks and runs the final payload, written in Go, exploiting vulnerable drivers to bypass EDR protections.
- Dynamic Loading: This payload is dynamically loaded into memory and executed, thereby disabling the EDR system.
More detailed analysis
Initial Analysis of EDRKillShifter
All samples of EDRKillShifter show identical version data, with “Loader.exe” as the original filename. The Russian language property of the binary implies it was compiled on a system with Russian localization. Execution is gated by a unique 64-character password, ensuring the tool doesn’t run without it.
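To make the two observable traits described here concrete, the password-gated launch with a 64-character argument and the BYOVD driver load, the following is an added, defender-side example, not code from Sophos or from the original article: a toy classifier run over constructed Sysmon-like events. The event field names, the placeholder denylist hash and the "64 alphanumeric characters" heuristic are assumptions for illustration.

```python
import re

# Constructed sample events in a Sysmon-like shape (not real telemetry):
# EventID 1 = process creation, EventID 6 = driver loaded.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\Loader.exe",
     "CommandLine": r"C:\Users\Public\Loader.exe " + "a" * 64},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\drv.sys",
     "Hashes": "SHA256=" + "f" * 64 + ",MD5=" + "0" * 32, "Signature": "Example Vendor"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=" + "1" * 64, "Signature": "Microsoft Windows"},
]

# Placeholder denylist; in practice populate it from a vulnerable-driver feed
# (for example the LOLDrivers project) with lower-case SHA256 values.
VULNERABLE_DRIVER_SHA256 = {"f" * 64}

# A standalone 64-character alphanumeric argument, mirroring the loader's
# password gate described above (the exact character set is an assumption).
PASSWORD_ARG = re.compile(r"(?:^|\s)[A-Za-z0-9]{64}(?:\s|$)")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

def has_64char_argument(command_line: str) -> bool:
    """True if the command line carries a standalone 64-char alphanumeric token."""
    return PASSWORD_ARG.search(command_line) is not None

def sha256_of(hashes_field: str) -> str:
    """Extract the SHA256 value from a Sysmon-style 'SHA256=...,MD5=...' field."""
    for part in hashes_field.split(","):
        if part.upper().startswith("SHA256="):
            return part[7:].lower()
    return ""

def classify(events: list) -> list:
    """Return (finding, image, reasons) for every event that trips a signal."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1 and has_64char_argument(ev["CommandLine"]):
            findings.append(("password_gated_launch", ev["Image"], ["64_char_argument"]))
        elif ev["EventID"] == 6:
            reasons = []
            if sha256_of(ev["Hashes"]) in VULNERABLE_DRIVER_SHA256:
                reasons.append("known_vulnerable_driver")
            if not ev["ImageLoaded"].lower().startswith(DRIVER_DIR):
                reasons.append("driver_outside_drivers_dir")
            if reasons:
                findings.append(("suspicious_driver_load", ev["ImageLoaded"], reasons))
    return findings
```

Neither signal is conclusive on its own; the driver-hash match is the high-confidence one, and the long-argument heuristic is only useful for pivoting when it appears shortly before an unexpected driver load on the same host.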
Loading the Final EDR Killer
The second stage employs self-modifying code for obfuscation, complicating analysis as instructions are revealed only during execution. Its main function is to load and execute the final payload in memory.
Final Payloads
The final payloads, written in Go, are heavily obfuscated, likely using obfuscation tools. This makes reverse engineering challenging for researchers, though tools like GoReSym have been effective in extracting useful information.
Placing EDRKillShifter in the Threat Landscape
The EDRKillShifter tool is part of a broader dark net malware ecosystem. It primarily acts as a loader for various BYOVD payloads, suggesting it may be acquired separately from the payloads it delivers. This modular approach complicates attribution and highlights the ongoing cyber arms race.
As EDR systems become more prevalent, attackers are developing increasingly sophisticated tools to evade them.
Continuous vigilance and adaptive security practices are crucial for staying ahead of evolving threats. The recent RansomHub attack underscores the importance of robust security and ongoing threat analysis.