
The RansomHub group has been found deploying a new tool designed to disable endpoint detection and response (EDR) systems, marking an advancement in the TTPs used by the threat actors to carry out ransomware attacks.
Sophos uncovered the tool EDRKillShifter during an attempted ransomware attack in May 2023. While the attack was unsuccessful, the postmortem analysis revealed the presence of this new utility aimed at terminating endpoint protection software.
The tool’s emergence follows a trend observed since 2022: malware designed to disable EDR systems has become increasingly sophisticated, while at the same time organizations seeking to protect their endpoints from cyber threats have been adopting EDR technologies at a growing rate.
Modus Operandi
EDRKillShifter functions as a “loader” executable, serving as a delivery mechanism for a legitimate driver that is vulnerable to abuse. This technique, commonly known as bring your own vulnerable driver (BYOVD), allows attackers to leverage existing vulnerabilities in legitimate software to gain the privileges necessary to disable EDR tools.
The process involves the following steps:
- Execution with Password
- Unpacking and Execution
- Dynamic Loading
First Layer
Initial analysis of EDRKillShifter reveals that all samples share similar version data, with the original filename being Loader.exe. Execution requires a unique 64-character password; without it, the tool will not run.

Loading the Final EDR Killer
The second stage of the tool is obfuscated using self-modifying code techniques, which makes analysis challenging because the actual instructions are only revealed during execution. The final decoded layer’s sole purpose is to load and execute the final payload in memory.

The final payloads analyzed were all written in Go and heavily obfuscated, likely using tools like obfuscate, which delays reverse-engineering efforts and makes it difficult for security researchers to analyze the malware.
All analyzed EDR killer variants embed a vulnerable driver and exploit it to acquire the privileges necessary to disable EDR systems. These drivers are often legitimate but have known vulnerabilities, which are exploited using publicly available proof-of-concept code.
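Because the abused drivers are legitimately signed, a signature check alone will not catch a BYOVD loader; defenders usually combine a blocklist of known-vulnerable driver hashes with a check on where the driver was loaded from. The following script is an added illustration of that detection logic, not code from the article or from Sophos. It assumes Sysmon DriverLoad (Event ID 6) records rendered as JSON, uses constructed log lines with placeholder hashes and hypothetical file paths, and stands in for a real blocklist (such as Microsoft’s recommended driver block rules) with a two-entry placeholder table.

```python
"""Added example: flag Bring-Your-Own-Vulnerable-Driver (BYOVD) activity in
Sysmon DriverLoad (Event ID 6) records. Not part of the original article.

Assumptions: records are JSON objects with Sysmon's field names; BLOCKLIST
holds constructed placeholder hashes; all sample paths are hypothetical.
"""
import json
import re

# Constructed placeholder SHA-256 values; they are NOT real indicators.
# A real deployment would populate this from a maintained blocklist.
BLOCKLIST = {
    "1" * 64: "placeholder vulnerable driver A",
    "2" * 64: "placeholder vulnerable driver B",
}

# Drivers normally live under the Windows driver store. A loader that drops an
# embedded driver has to write it somewhere first, so a load from a
# user-writable directory is a strong signal even when the hash is unknown.
USER_WRITABLE = re.compile(r"\\(users|temp|programdata)\\", re.IGNORECASE)


def parse_event(line):
    """Parse one Sysmon Event ID 6 record (JSON) into the fields we need."""
    ev = json.loads(line)
    hashes = {}
    # Sysmon renders hashes as "SHA256=...,MD5=..." in one comma-separated field.
    for item in ev.get("Hashes", "").split(","):
        if "=" in item:
            algo, value = item.split("=", 1)
            hashes[algo.strip().upper()] = value.strip().lower()
    return {
        "time": ev.get("UtcTime", ""),
        "image": ev.get("ImageLoaded", ""),
        "sha256": hashes.get("SHA256", ""),
        "signed": str(ev.get("Signed", "")).lower() == "true",
        "signature": ev.get("Signature", ""),
    }


def assess(event):
    """Return the reasons a driver load looks like BYOVD (empty list = no alert)."""
    reasons = []
    if event["sha256"] in BLOCKLIST:
        reasons.append("blocklisted driver: " + BLOCKLIST[event["sha256"]])
    if USER_WRITABLE.search(event["image"]):
        reasons.append("driver loaded from user-writable path")
    # BYOVD drivers carry a valid vendor signature, so a passing signature
    # check is never evidence of benign intent; an unsigned load is still odd.
    if not event["signed"]:
        reasons.append("unsigned driver")
    return reasons


def scan(lines):
    """Run every record through assess() and collect the ones that alert."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            alerts.append({
                "time": event["time"],
                "image": event["image"],
                "signature": event["signature"],
                "reasons": reasons,
            })
    return alerts


# Constructed sample records in the shape Sysmon emits for Event ID 6.
SAMPLE_EVENTS = [json.dumps(rec) for rec in [
    {"UtcTime": "2024-05-01 10:00:00.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true",
     "Signature": "Microsoft Windows"},
    {"UtcTime": "2024-05-01 10:05:12.000",
     "ImageLoaded": r"C:\Users\Public\drv\ld.sys",          # hypothetical path
     "Hashes": "MD5=" + "b" * 32 + ",SHA256=" + "1" * 64,   # placeholder hash
     "Signed": "true", "Signature": "Placeholder Vendor Ltd"},
    {"UtcTime": "2024-05-01 10:07:45.000",
     "ImageLoaded": r"C:\Windows\Temp\svc.sys",             # hypothetical path
     "Hashes": "SHA256=" + "c" * 64, "Signed": "true",
     "Signature": "Placeholder Vendor Ltd"},
]]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["time"], alert["image"], alert["signature"],
              "; ".join(alert["reasons"]))
```

On the constructed input, the Microsoft-signed driver loaded from the driver store produces no alert, the blocklisted driver dropped under a user profile produces two reasons, and the unknown driver loaded from a temp directory is still flagged on path alone, which is the case a hash-only blocklist would miss.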

The discovery of EDRKillShifter highlights the ongoing arms race between cybercriminals and cybersecurity professionals. As organizations continue to adopt advanced security measures like EDR systems, threat actors are developing increasingly sophisticated tools to bypass these defenses.
Though the attack by RansomHub failed, it serves as a reminder of the importance of robust security practices and the need for continuous monitoring and analysis of emerging threats.


