National Cyber Warfare Foundation (NCWF) Forums


Ransomware Group Added a New EDR Killer Tool to their arsenal


0 user ratings
2024-08-15 14:03:10
milo
Red Team (CNA)

A ransomware group known as RansomHub has been found deploying a new tool designed to disable endpoint detection and response (EDR) systems. This tool, EDRKillShifter, represents a significant advancement in the tactics used by cybercriminals to bypass security measures and execute ransomware attacks. Although a recent attack using this tool was thwarted, the discovery underscores […]


The post Ransomware Group Added a New EDR Killer Tool to their arsenal appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



A ransomware group known as RansomHub has been found deploying a new tool designed to disable endpoint detection and response (EDR) systems.





This tool, EDRKillShifter, represents a significant advancement in the tactics used by cybercriminals to bypass security measures and execute ransomware attacks.





Although a recent attack using this tool was thwarted, the discovery underscores the persistent threat of ransomware groups and their continuous adaptation to security technologies.





The Rise of EDRKillShifter





Sophos analysts uncovered the EDRKillShifter tool during an attempted ransomware attack in May 2023. While the attack was unsuccessful, the postmortem analysis revealed the presence of this new utility aimed at terminating endpoint protection software.





The tool’s emergence is part of a broader trend observed since 2022, where malware designed to disable EDR systems has become increasingly sophisticated.





This trend aligns with the growing adoption of EDR technologies by organizations seeking to protect their endpoints from cyber threats.





How EDRKillShifter Works





EDRKillShifter functions as a “loader” executable, serving as a delivery mechanism for a legitimate driver vulnerable to abuse.





This approach, known as “bring your vulnerable driver” (BYOVD), allows attackers to leverage existing vulnerabilities in legitimate software to gain the necessary privileges to disable EDR tools.





Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot





The execution process involves three steps:






  1. Execution with Password: The attacker runs EDRKillShifter with a command line and a specific password string. This password is crucial for decrypting an embedded resource named BIN and executing it in memory.




  2. Unpacking and Execution: The BIN code unpacks and executes the final payload in the Go programming language. This payload exploits various vulnerable drivers to gain the privileges needed to unhook EDR protection.




  3. Dynamic Loading: The final payload is dynamically loaded into memory and executed, effectively disabling the EDR system.





Technical Analysis of EDRKillShifter





Peeling Off the First Layer





Initial analysis of EDRKillShifter reveals that all samples share similar version data, with the original filename being Loader.exe.





The binary’s language property is Russian, suggesting that the malware author compiled it on a computer with Russian localization settings. Execution requires a unique 64-character password; without it, the tool will not run.





Version info of EDRKillShifter as shown in CFF Explorer
Version info of EDRKillShifter as shown in CFF Explorer




Loading the Final EDR Killer





The second stage of the tool is obfuscated using self-modifying code techniques. This makes analysis challenging, as the actual instructions are only revealed during execution.





The final decoded layer’s sole purpose is to load and execute the final payload in memory.





The EDRKillShifter uses self-modifying code to change every subsequent instruction
The EDRKillShifter uses self-modifying code to change every subsequent instruction




Analysis of the Ultimate Payload





The ultimate payloads analyzed were all written in Go and heavily obfuscated, likely using tools like obfuscate.





This obfuscation hinders reverse engineering efforts, making it difficult for security researchers to analyze the malware.





However, tools like GoReSym have been used to extract valuable information from these obfuscated samples.





Similarities and Variants





All analyzed EDR killer variants embed a vulnerable driver, exploiting it to acquire the necessary privileges to disable EDR systems.





The variants differ mainly in the specific vulnerable driver they exploit. These drivers are often legitimate but have known vulnerabilities that are exploited using publicly available proof-of-concept code.





A Process Monitor log shows the malware dropping the abusable driver into the TEMP folder
A Process Monitor log shows the malware dropping the abusable driver into the TEMP folder




Mapping EDRKillShifter in the Threat Landscape





The EDRKillShifter tool appears to be part of a larger ecosystem of malware tools sold on the dark net.





The loader’s primary function is to deploy the final BYOVD payload, suggesting that it might have been acquired separately from the payloads it delivers.





This modular approach allows different threat actors to use the same loader with various payloads, complicating attribution efforts.





Example of an obfuscator tool advertisement for sale on a dark net criminal forum
Example of an obfuscator tool advertisement for sale on a dark net criminal forum




The discovery of EDRKillShifter highlights the ongoing arms race between cybercriminals and cybersecurity professionals.





As organizations continue to adopt advanced security measures like EDR systems, threat actors are developing increasingly sophisticated tools to bypass these defenses.





The cybersecurity community must remain vigilant and adaptive, employing a combination of technological solutions and threat intelligence to stay ahead of these evolving threats.





The failed attack by RansomHub serves as a reminder of the importance of robust security practices and the need for continuous monitoring and analysis of emerging threats.





Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces


The post Ransomware Group Added a New EDR Killer Tool to their arsenal appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



Source: gbHackers
Source Link: https://gbhackers.com/ransomware-edr-killer-tool/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Red Team (CNA)



Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.