A cybercrime group with links to the RansomHub ransomware has been observed using a new tool designed to terminate endpoint detection and response (EDR) software on compromised hosts, joining the ranks of similar utilities such as AuKill (aka AvNeutralizer) and Terminator.
The EDR-killing utility has been dubbed EDRKillShifter by cybersecurity company Sophos, which discovered the tool in connection with a failed ransomware attack in May 2024.
“The EDRKillShifter tool is a ‘loader’ executable – a delivery mechanism for a legitimate driver that is vulnerable to abuse (also known as a ‘bring your own vulnerable driver,’ or BYOVD, tool),” security researcher Andreas Klopsch said. “Depending on the threat actor’s requirements, it can deliver a variety of different driver payloads.”
RansomHub, a suspected rebrand of the Knight ransomware, surfaced in February 2024, leveraging known security flaws to obtain initial access and dropping legitimate remote desktop software such as Atera and Splashtop for persistent access.
Last month, Microsoft revealed that the notorious e-crime syndicate known as Scattered Spider has incorporated ransomware strains such as RansomHub and Qilin into its arsenal.
Executed from the command line with a password string as input, the executable decrypts an embedded resource named BIN and executes it in memory. The BIN resource in turn unpacks and runs an obfuscated, Go-based final payload, which abuses one of several vulnerable but legitimately signed drivers to gain elevated (kernel-level) privileges and disarm EDR software.
“The binary’s language property is Russian, indicating that the malware author compiled the executable on a computer with Russian localization settings,” Klopsch said. “All of the unpacked EDR killers embed a vulnerable driver in the .data section.”
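The observation above, that the unpacked EDR killers carry their driver payload as a second PE image inside the .data section, is something a hunter can check for with a few lines of header parsing. The following is an added example written for this page, not Sophos' detection logic and not code from the EDRKillShifter samples: it walks the section table of a PE, searches each section's raw bytes for embedded MZ/PE headers, and flags any embedded image whose subsystem is NATIVE, the subsystem kernel-mode drivers use. The heuristic is deliberately broader than the samples described (it reports an embedded driver image in any section, not only .data, and does not know whether the driver is actually vulnerable). The sample "loader" it scans is a constructed fixture built by `build_minimal_pe`, a helper of this example; no real malware or driver bytes are involved.

```python
"""
Heuristic scan for a PE that carries a second PE image with the NATIVE
subsystem (the subsystem used by kernel-mode drivers) inside one of its
sections. Added example modelled on the observation that the unpacked EDR
killers embed a vulnerable driver in .data; it is not Sophos' detection
logic and it flags any embedded driver image, not a specific vulnerable one.
"""
import struct

IMAGE_SUBSYSTEM_NATIVE = 1      # subsystem value used by kernel-mode drivers
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_FILE_DLL = 0x2000
FILE_HEADER_SIZE = 20           # sizeof(IMAGE_FILE_HEADER)
PE32_OPT_HEADER_SIZE = 224      # sizeof(IMAGE_OPTIONAL_HEADER32)
FILE_ALIGN = 0x200


def pe_headers(blob):
    """Parse a PE starting at blob[0]. Returns (subsystem, characteristics,
    sections) with sections as (name, pointer_to_raw_data, size_of_raw_data),
    or None if blob does not begin with a well-formed MZ/PE header."""
    try:
        if blob[:2] != b"MZ":
            return None
        e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
        if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        fh = e_lfanew + 4                                    # IMAGE_FILE_HEADER
        nsect, = struct.unpack_from("<H", blob, fh + 2)
        opt_size, = struct.unpack_from("<H", blob, fh + 16)
        characteristics, = struct.unpack_from("<H", blob, fh + 18)
        opt = fh + FILE_HEADER_SIZE                          # IMAGE_OPTIONAL_HEADER
        subsystem, = struct.unpack_from("<H", blob, opt + 68)  # same offset in PE32 and PE32+
        sections = []
        for i in range(nsect):
            off = opt + opt_size + 40 * i                    # IMAGE_SECTION_HEADER
            name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
            raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
            sections.append((name, raw_ptr, raw_size))
        return subsystem, characteristics, sections
    except struct.error:                                     # truncated headers
        return None


def find_embedded_pes(data):
    """Yield (section, file_offset, subsystem, characteristics) for every
    parseable PE header found inside the raw data of any section."""
    outer = pe_headers(data)
    if outer is None:
        raise ValueError("not a PE file")
    for name, raw_ptr, raw_size in outer[2]:
        body = data[raw_ptr:raw_ptr + raw_size]
        pos = body.find(b"MZ")
        while pos >= 0:
            inner = pe_headers(body[pos:])                   # None for a stray "MZ" string
            if inner is not None:
                yield name, raw_ptr + pos, inner[0], inner[1]
            pos = body.find(b"MZ", pos + 2)


def scan_for_embedded_driver(data):
    """Return a list of embedded PE images, marking those that look like drivers."""
    return [
        {"section": sec, "offset": off, "subsystem": sub,
         "is_native": sub == IMAGE_SUBSYSTEM_NATIVE,
         "is_dll": bool(chars & IMAGE_FILE_DLL)}
        for sec, off, sub, chars in find_embedded_pes(data)
    ]


def build_minimal_pe(sections, subsystem=IMAGE_SUBSYSTEM_WINDOWS_GUI, characteristics=0x0102):
    """Construct a minimal PE32 image with the given (name, payload) sections.
    Constructed fixture for this example: valid headers, not loadable code."""
    n = len(sections)
    e_lfanew = 0x40
    hdr_len = e_lfanew + 4 + FILE_HEADER_SIZE + PE32_OPT_HEADER_SIZE + 40 * n
    hdr_len = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN          # round up to file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, PE32_OPT_HEADER_SIZE, characteristics)
    opt = bytearray(PE32_OPT_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    sect_hdrs, bodies, raw_ptr, va = b"", b"", hdr_len, 0x1000
    for name, payload in sections:
        raw_size = -(-len(payload) // FILE_ALIGN) * FILE_ALIGN
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                 len(payload), va, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        bodies += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += 0x1000
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + sect_hdrs).ljust(hdr_len, b"\0") + bodies


def build_sample_loader():
    """Constructed stand-in for an unpacked EDR killer: a user-mode PE whose
    .data section holds a NATIVE-subsystem PE (a driver image) after padding."""
    driver = build_minimal_pe([(".text", b"\xCC" * 32)], subsystem=IMAGE_SUBSYSTEM_NATIVE)
    return build_minimal_pe([
        (".text", b"\x90" * 16),
        (".data", b"\0" * 64 + driver + b"\0" * 8),
    ])


if __name__ == "__main__":
    for hit in scan_for_embedded_driver(build_sample_loader()):
        print(hit)
```

Run against a real suspect file with `scan_for_embedded_driver(open(path, "rb").read())`; a hit with `is_native` set is a reason to carve the embedded image at the reported offset and check its signer and hash against a vulnerable-driver blocklist. Expect false positives from installers and self-extracting archives that legitimately carry drivers, which is why this is a triage heuristic rather than a verdict.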
To mitigate the threat, it is recommended to keep systems up to date, enable tamper protection in EDR software, and practice strong hygiene for Windows security roles, since loading a driver requires administrator rights in the first place.
“This attack is only possible if the attacker escalates privileges they control, or if they can obtain administrator rights,” Klopsch said. “Separation between user and admin privileges can help prevent attackers from easily loading drivers.”