RansomHub ransomware operators are now deploying new malware to disable Endpoint Detection and Response (EDR) security software in Bring Your Own Vulnerable Driver (BYOVD) attacks.
Named EDRKillShifter by Sophos security researchers who discovered it during a May 2024 ransomware investigation, the malware deploys a legitimate but vulnerable driver on targeted devices to escalate privileges, disable security solutions, and take control of the system.
This technique is very popular among a wide range of threat actors, from financially motivated ransomware gangs to state-backed hacking groups.
“During the incident in May, the threat actors – we estimate with moderate confidence that this tool is being used by multiple attackers — attempted to use EDRKillShifter to terminate Sophos protection on the targeted computer, but the tool failed,” said Sophos threat researcher Andreas Klopsch.
“They then attempted to run the ransomware executable on the machine they controlled, but that also failed when the endpoint agent’s CryptoGuard feature was triggered.”
While investigating, Sophos discovered two different samples, both with proof-of-concept exploits available on GitHub: one exploiting a vulnerable driver called RentDrv2 and another exploiting a driver called ThreatFireMonitor, part of a deprecated system-monitoring package.
Sophos also found that EDRKillShifter can deliver various driver payloads depending on the attackers' needs, and that the malware's language property suggests it was compiled on a computer with Russian localization.
The loader's execution involves three steps: first, the attacker launches the EDRKillShifter binary with a password string to decrypt and execute an embedded resource named BIN in memory. This code then unpacks and executes the final payload, which drops and exploits a vulnerable, legitimate driver to escalate privileges and disable active EDR processes and services.
“After the malware creates a new service for the driver, starts the service, and loads the driver, it enters an endless loop that continuously enumerates the running processes, terminating processes if their name appears in a hardcoded list of targets,” Klopsch added.
“It is also worth noting that both variants exploit legitimate (though vulnerable) drivers, using proof-of-concept exploits available on Github. We suspect that the threat actors copied portions of these proofs-of-concept, modified them, and ported the code to the Go language.”
Sophos recommends enabling tamper protection in endpoint security products, maintaining a separation between user and admin privileges to prevent attackers from loading vulnerable drivers, and keeping systems updated, given that Microsoft keeps de-certifying signed drivers known to have been misused in previous attacks.
Last year, Sophos observed another EDR-killing malware, dubbed AuKill, which abused a vulnerable Process Explorer driver in Medusa Locker and LockBit ransomware attacks. AuKill is similar to an open-source tool called Backstab, which also exploits a vulnerable Process Explorer driver and has been used by the LockBit gang in at least one attack observed by Sophos X-Ops.
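The sequence Klopsch describes (a new service created for a dropped driver, the driver loaded, then a loop that terminates security processes by name) is also a correlatable pattern in host telemetry, which complements the tamper-protection and privilege-separation advice above. The script below is an added example written for this article, not Sophos's code or anything from the EDRKillShifter samples. It assumes a simplified, constructed log format standing in for Windows System event 7045 (service installed), Sysmon event 6 (driver loaded) and Sysmon event 5 (process terminated); the service and driver file names are made up, the "user-writable path" heuristic is an assumption, and the list of protected process names is illustrative and should be replaced with the agents actually deployed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). Service and driver names are
# made up; the two 7045 lines model a driver dropped into a user-writable
# directory versus a driver installed from the normal system location.
SAMPLE_LOG = r"""
2024-05-14T10:02:11 EventID=7045 ServiceName=updsvc ServiceType="kernel mode driver" ImagePath=C:\Users\Public\upd.sys
2024-05-14T10:02:12 EventID=6 ImageLoaded=C:\Users\Public\upd.sys Signed=true
2024-05-14T10:02:15 EventID=5 Image="C:\Program Files\Sophos\Health\SophosHealth.exe"
2024-05-14T10:02:16 EventID=5 Image="C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"
2024-05-14T10:02:20 EventID=5 Image=C:\Windows\System32\notepad.exe
2024-05-14T11:30:00 EventID=7045 ServiceName=vmxnet ServiceType="kernel mode driver" ImagePath=C:\Windows\System32\drivers\vmxnet3.sys
2024-05-14T11:30:05 EventID=5 Image=C:\Windows\System32\notepad.exe
"""

# Assumption: illustrative security-agent process names; adjust per deployment.
PROTECTED_PROCESSES = {"msmpeng.exe", "sophoshealth.exe", "sophosfs.exe"}

# Assumption: directories from which a legitimate kernel driver is rarely installed.
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\downloads\\")

EVENT_KINDS = {"7045": "service_install", "6": "driver_load", "5": "process_terminate"}


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict


# key=value pairs; values may be double-quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Event:
    """Turn one constructed log line into an Event."""
    ts_text, _, rest = line.strip().partition(" ")
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(rest)}
    kind = EVENT_KINDS.get(fields.get("EventID", ""), "other")
    return Event(datetime.fromisoformat(ts_text), kind, fields)


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_driver_install(ev: Event) -> bool:
    """Kernel-mode driver service whose image sits in a user-writable location."""
    if ev.kind != "service_install":
        return False
    if ev.fields.get("ServiceType") != "kernel mode driver":
        return False
    path = ev.fields.get("ImagePath", "").lower()
    return any(hint in path for hint in USER_WRITABLE_HINTS)


def find_edr_kill_chains(events, window=timedelta(minutes=5), min_kills=2):
    """Correlate a suspicious driver-service install with terminations of
    protected processes inside `window`. Returns one finding per install."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, ev in enumerate(events):
        if not is_suspicious_driver_install(ev):
            continue
        killed = [
            basename(later.fields.get("Image", ""))
            for later in events[i + 1:]
            if later.kind == "process_terminate"
            and later.ts - ev.ts <= window
            and basename(later.fields.get("Image", "")) in PROTECTED_PROCESSES
        ]
        if len(killed) >= min_kills:
            findings.append({
                "service": ev.fields.get("ServiceName"),
                "driver": ev.fields.get("ImagePath"),
                "killed": killed,
            })
    return findings


if __name__ == "__main__":
    for f in find_edr_kill_chains(parse_log(SAMPLE_LOG)):
        print(f"ALERT service={f['service']} driver={f['driver']} killed={f['killed']}")
```

Run as a script it prints one alert for the `updsvc` install followed by the two security-process terminations; the `vmxnet` install from `System32\drivers` is left alone because the path heuristic does not fire, and the `notepad.exe` terminations never count toward the threshold. The same correlation keys (driver service install, driver load, process termination) map onto a SIEM rule, where the window and `min_kills` threshold are the tuning knobs against noisy hosts.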