Ransomware Group Introduces New EDR Killer Tool



A ransomware group, RansomHub, has introduced EDRKillShifter, a tool designed to disable EDR systems. This advancement highlights the group’s evolving tactics to bypass security measures and execute attacks. Although a recent attack was stopped, the threat from such groups remains significant.

Sophos analysts discovered the EDRKillShifter tool during a failed ransomware attack in May 2023. Postmortem analysis showed that the utility's purpose was to disable endpoint protection software, continuing a trend, observed since 2022, of increasingly sophisticated malware targeting EDR systems. That trend in turn reflects the growing adoption of EDR by organizations to safeguard their endpoints.

How EDRKillShifter Works

EDRKillShifter operates as a “loader” executable, delivering a legitimate driver vulnerable to exploitation. This “bring your own vulnerable driver” (BYOVD) tactic lets attackers use existing vulnerabilities in legitimately signed software to acquire the kernel-level privileges needed to disable EDR tools.

The execution process unfolds in three steps:

  1. Execution with Password: The attacker initiates EDRKillShifter using a command line with a specific password, which decrypts an embedded resource named BIN for in-memory execution.
  2. Unpacking and Execution: The BIN resource unpacks and runs the final payload, written in Go, exploiting vulnerable drivers to bypass EDR protections.
  3. Dynamic Loading: This payload is dynamically loaded into memory and executed, thereby disabling the EDR system.

More detailed analysis

Initial Analysis of EDRKillShifter

All samples of EDRKillShifter show identical version data, with “Loader.exe” as the original filename. The Russian language property of the binary implies it was compiled on a system with Russian localization. Execution is gated by a unique 64-character password, ensuring the tool doesn’t run without it.
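The three-step chain above (a loader started with a password on its command line, a vulnerable driver loaded, the EDR disabled) and the 64-character password gate together give a defender something concrete to correlate. The following Python is an added example, not code from this article or from Sophos: it runs a simple correlation rule over constructed endpoint telemetry modelled loosely on Sysmon-style process-create, driver-load and service-stop events. The event shapes, hostnames, file paths, service names, timestamps and the password value are all constructed for illustration and are not indicators from the real campaign.

```python
import re
from datetime import datetime, timedelta

# A 64-character alphanumeric token standing alone on a command line.
PASSWORD_TOKEN = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{64}(?![A-Za-z0-9])")
# A plain hex digest (e.g. a SHA-256 passed to an installer) is common and
# benign, so it is excluded from the password heuristic.
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")

# Directories from which driver loads are normally expected (lower-cased).
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)
# Constructed names of security services worth watching; real deployments
# would list the actual EDR/AV service names present on their endpoints.
SECURITY_SERVICES = {"securityagent", "edrsensor"}

# Constructed password: 64 characters, deliberately not a pure hex string.
CONSTRUCTED_PASSWORD = "Zq7Lm3Xt" * 8

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # ws01: the full chain within a few seconds -> should alert
    {"ts": "2024-05-10T09:00:00", "type": "process_create", "host": "ws01",
     "pid": 4120, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\Loader.exe",
     "cmdline": "Loader.exe " + CONSTRUCTED_PASSWORD},
    {"ts": "2024-05-10T09:00:03", "type": "driver_load", "host": "ws01",
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\drv.sys"},
    {"ts": "2024-05-10T09:00:05", "type": "service_stop", "host": "ws01",
     "service": "SecurityAgent"},
    # ws02: benign installer passing a SHA-256, then a service restart -> no alert
    {"ts": "2024-05-10T10:00:00", "type": "process_create", "host": "ws02",
     "pid": 800, "image": "C:\\Temp\\installer.exe",
     "cmdline": "installer.exe --expected-sha256 " + "a" * 64},
    {"ts": "2024-05-10T10:00:30", "type": "service_stop", "host": "ws02",
     "service": "SecurityAgent"},
    # ws03: ordinary driver load from the system driver directory -> no alert
    {"ts": "2024-05-10T11:00:00", "type": "driver_load", "host": "ws03",
     "image": "C:\\Windows\\System32\\drivers\\legit.sys"},
]


def looks_password_gated(cmdline: str) -> bool:
    """True if the command line carries a 64-character alphanumeric token
    that is not a plain hex digest. Weak on its own; used only in combination."""
    return any(not HEX64.match(m.group(0)) for m in PASSWORD_TOKEN.finditer(cmdline))


def is_untrusted_driver_path(path: str) -> bool:
    """True for a driver image loaded from outside the usual driver directories."""
    p = path.lower()
    return not any(p.startswith(d) for d in TRUSTED_DRIVER_DIRS)


def _ts(event) -> datetime:
    return datetime.fromisoformat(event["ts"])


def correlate(events, window_seconds: int = 120):
    """Return one alert per password-gated process that is followed, on the same
    host and within the window, by an untrusted driver load and then by the
    stop of a security service."""
    ordered = sorted(events, key=_ts)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for pc in ordered:
        if pc["type"] != "process_create" or not looks_password_gated(pc["cmdline"]):
            continue
        deadline = _ts(pc) + window
        later = [e for e in ordered
                 if e["host"] == pc["host"] and _ts(pc) <= _ts(e) <= deadline]
        drv = next((e for e in later if e["type"] == "driver_load"
                    and is_untrusted_driver_path(e["image"])), None)
        if drv is None:
            continue
        svc = next((e for e in later if e["type"] == "service_stop"
                    and e["service"].lower() in SECURITY_SERVICES
                    and _ts(e) >= _ts(drv)), None)
        if svc is None:
            continue
        alerts.append({
            "host": pc["host"],
            "loader_pid": pc["pid"],
            "loader_image": pc["image"],
            "driver": drv["image"],
            "service_stopped": svc["service"],
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("EDR-killer chain suspected:", alert)
```

The rule deliberately requires all three stages before it fires: a long command-line token alone is noisy, a driver load from a user-writable directory alone can be a badly packaged installer, and a security service stopping alone can be an update. Tying them to one host inside a short window is what makes the combination worth an analyst's time, and a real deployment would additionally compare the loaded driver's hash against a vulnerable-driver blocklist.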

Loading the Final EDR Killer

The second stage employs self-modifying code for obfuscation, complicating analysis as instructions are revealed only during execution. Its main function is to load and execute the final payload in memory.

Final Payloads

The final payloads, written in Go, are heavily obfuscated, likely with a Go obfuscation tool. This makes reverse engineering difficult for researchers, though tools such as GoReSym have proven effective at recovering function names and other symbol information from the binaries.

Placing EDRKillShifter in the Threat Landscape

The EDRKillShifter tool is part of a broader dark net malware ecosystem. It primarily acts as a loader for various BYOVD payloads, suggesting it may be acquired separately from the payloads it delivers. This modular approach complicates attribution and highlights the ongoing cyber arms race.

As EDR systems become more prevalent, attackers are developing increasingly sophisticated tools to evade them.

Continuous vigilance and adaptive security practices are crucial for staying ahead of evolving threats. The recent RansomHub attack underscores the importance of robust security and ongoing threat analysis.


Published August 16th, 2024 (last updated 2024-08-22T21:52:38+05:30). Categories: BOTNET, Compromised, Exploitation, malicious cyber actors, Malware, Ransomware.

About the Author:

FirstHackersNews - Identifies Security
