RansomHub ransomware operators are increasingly deploying sophisticated malware to disrupt Endpoint Detection and Response (EDR) systems. This new threat, identified as EDRKillShifter by Sophos security researchers, represents a severe evolution in BYOVD (Bring Your Own Vulnerable Driver) attacks.

This Threatfeed goes through the workings of EDRKillShifter, its implications for security softwares like EDR, and recommended mitigation strategies against this lethal EDR-Killing malware.

Overview of EDRKillShifter

EDRKillShifter is a newly identified tool used by ransomware operators to disable EDR protections. Discovered during a May 2024 investigation, this tool utilizes legitimate, vulnerable drivers to escalate privileges, disable security software, and control systems. This method has gained popularity among various threat actors, including financially motivated gangs and state-sponsored groups.

How EDRKillShifter Operates

1. Tool Mechanism and Execution

The EDRKillShifter operates as a loader executable, deploying a vulnerable driver on targeted devices.

Here’s a step-by-step breakdown of its execution process:

1. Command Line Execution: The attacker initiates EDRKillShifter with a password-protected command line. The correct password decrypts an embedded resource named BIN in memory.

2. Payload Execution: The BIN code then unpacks and executes the final payload, which is a Go-language binary designed to exploit vulnerable drivers.

3. Driver Exploitation: The final payload drops and exploits a legitimate driver to bypass EDR protections.

2. Self-Modifying Code

The EDRKillShifter employs self-modifying code techniques, altering instructions during runtime to evade detection. This obfuscation makes analysis challenging, requiring specialized tools for effective reverse engineering.

3. Payload Analysis

The final payloads are written in Go and are often obfuscated. This approach complicates reverse engineering efforts by encrypting strings, removing version information, and hiding package paths.

Mitigation Strategies

To counter the threat posed by EDRKillShifter, consider the following mitigation strategies:

1. Enable Tamper Protection

Ensure that tamper protection is enabled in endpoint security products. This feature helps safeguard against unauthorized modifications and attacks designed to disable security measures.

2. Practice Strong Role Separation

Maintain clear separation between user and admin privileges. This practice limits the potential for attackers to escalate privileges and load vulnerable drivers.

3. Keep Systems Updated

Regularly update systems and software. Microsoft’s efforts to de-certify misused signed drivers underscore the importance of keeping systems current to avoid exploitation.

Comparison with Previous EDR-Killers

EDRKillShifter shares similarities with previous EDR-killing malware like AuKill, discovered last year. Both tools exploit legitimate drivers but differ in their specific techniques and the types of drivers they target. The evolution of these tools reflects the increasing sophistication of cyber threats.

Current Threat Landscape

The broader threat landscape shows a growing trend of EDR-killing tools, highlighting the need for continuous vigilance and adaptive security measures. EDRKillShifter’s design and execution illustrate the persistent challenge of defending against advanced persistent threats (APTs) and sophisticated cyber attacks.

Additional Insights

1. Loader and Payload Variability

EDRKillShifter variants demonstrate significant variability in the drivers and payloads used. This adaptability allows threat actors to customize their attacks based on the target environment and available vulnerabilities.

2. Dark Net and Obfuscation Tools

The sale of obfuscators and loaders on the dark net underscores the commercial aspect of cyber threats. Sophos X-Ops suggests that these tools might be obtained from illicit sources and used to deploy various malicious payloads.

EDRKillShifter represents a notable advancement in EDR-killing malware, utilizing sophisticated techniques to disable endpoint protections.