Discover EDRKillShifter, a new EDR-Killing malware used by ransomware operators. Learn how it bypasses security software detection capabilities
RansomHub ransomware operators are increasingly deploying sophisticated malware to disrupt Endpoint Detection and Response (EDR) systems. This new threat, identified as EDRKillShifter by Sophos security researchers, represents a severe evolution in BYOVD (Bring Your Own Vulnerable Driver) attacks.
This Threatfeed goes through the workings of EDRKillShifter, its implications for security softwares like EDR, and recommended mitigation strategies against this lethal EDR-Killing malware.
EDRKillShifter is a newly identified tool used by ransomware operators to disable EDR protections. Discovered during a May 2024 investigation, this tool utilizes legitimate, vulnerable drivers to escalate privileges, disable security software, and control systems. This method has gained popularity among various threat actors, including financially motivated gangs and state-sponsored groups.
1. Tool Mechanism and Execution
The EDRKillShifter operates as a loader executable, deploying a vulnerable driver on targeted devices.
Here’s a step-by-step breakdown of its execution process:
Command Line Execution: The attacker initiates EDRKillShifter with a password-protected command line. The correct password decrypts an embedded resource named BIN in memory.
Payload Execution: The BIN code then unpacks and executes the final payload, which is a Go-language binary designed to exploit vulnerable drivers.
Driver Exploitation: The final payload drops and exploits a legitimate driver to bypass EDR protections.
2. Self-Modifying Code
The EDRKillShifter employs self-modifying code techniques, altering instructions during runtime to evade detection. This obfuscation makes analysis challenging, requiring specialized tools for effective reverse engineering.
3. Payload Analysis
The final payloads are written in Go and are often obfuscated. This approach complicates reverse engineering efforts by encrypting strings, removing version information, and hiding package paths.
To counter the threat posed by EDRKillShifter, consider the following mitigation strategies:
1. Enable Tamper Protection
Ensure that tamper protection is enabled in endpoint security products. This feature helps safeguard against unauthorized modifications and attacks designed to disable security measures.
2. Practice Strong Role Separation
Maintain clear separation between user and admin privileges. This practice limits the potential for attackers to escalate privileges and load vulnerable drivers.
3. Keep Systems Updated
Regularly update systems and software. Microsoft’s efforts to de-certify misused signed drivers underscore the importance of keeping systems current to avoid exploitation.
EDRKillShifter shares similarities with previous EDR-killing malware like AuKill, discovered last year. Both tools exploit legitimate drivers but differ in their specific techniques and the types of drivers they target. The evolution of these tools reflects the increasing sophistication of cyber threats.
The broader threat landscape shows a growing trend of EDR-killing tools, highlighting the need for continuous vigilance and adaptive security measures. EDRKillShifter’s design and execution illustrate the persistent challenge of defending against advanced persistent threats (APTs) and sophisticated cyber attacks.
1. Loader and Payload Variability
EDRKillShifter variants demonstrate significant variability in the drivers and payloads used. This adaptability allows threat actors to customize their attacks based on the target environment and available vulnerabilities.
2. Dark Net and Obfuscation Tools
The sale of obfuscators and loaders on the dark net underscores the commercial aspect of cyber threats. Sophos X-Ops suggests that these tools might be obtained from illicit sources and used to deploy various malicious payloads.
EDRKillShifter represents a notable advancement in EDR-killing malware, utilizing sophisticated techniques to disable endpoint protections.