
New EDR killer tool used by eight different ransomware groups


A new Endpoint Detection and Response (EDR) killer that is considered to be the evolution of 'EDRKillShifter,' developed by RansomHub, has been observed in attacks by eight different ransomware gangs.

Such tools help ransomware operators turn off security products on breached systems so they can deploy payloads, escalate privileges, attempt lateral movement, and ultimately encrypt devices on the network without being detected.

According to Sophos security researchers, the new tool, which wasn't given a specific name, is used by RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC.

The new EDR killer tool uses a heavily obfuscated binary that is self-decoded at runtime and injected into legitimate applications.

The tool searches for a driver, digitally signed with a stolen or expired certificate, whose random five-character name is hardcoded into the executable.

[Image: Stolen and expired certificate used by the malicious driver. Source: Sophos]

If found, the malicious driver is loaded into the kernel, the step a 'bring your own vulnerable driver' (BYOVD) attack relies on to gain the kernel privileges needed to turn off security products.

The driver masquerades as a legitimate file such as the CrowdStrike Falcon Sensor Driver, but once active, it kills AV/EDR-related processes and stops services associated with security tools.

The targeted vendors include Sophos, Microsoft Defender, Kaspersky, Symantec, Trend Micro, SentinelOne, Cylance, McAfee, F-Secure, HitmanPro, and Webroot.
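The sequence described above (a driver with a random five-character name and a non-valid signature loaded, followed by security processes and services being stopped) is what a defender can correlate on. The following is an added Python example over constructed Sysmon-like event records; it is not Sophos's detection logic, and the field names, the ten-minute window and the .sys extension are assumptions.

```python
import re
from datetime import datetime, timedelta

# Vendors the article lists as targeted; matched case-insensitively in process/service names.
TARGETED_VENDORS = ("sophos", "defender", "kaspersky", "symantec", "trend micro",
                    "sentinelone", "cylance", "mcafee", "f-secure", "hitmanpro", "webroot")
# The article describes a random five-character driver name; the .sys extension is assumed.
RANDOM_DRIVER = re.compile(r"^[a-z0-9]{5}\.sys$", re.IGNORECASE)
WINDOW = timedelta(minutes=10)  # assumed correlation window

def is_suspicious_driver(ev):
    """Driver load whose file name looks random and whose signature did not verify as valid."""
    if ev["type"] != "driver_load":
        return False
    name = ev["image"].rsplit("\\", 1)[-1]
    return bool(RANDOM_DRIVER.match(name)) and ev.get("signature_status", "").lower() != "valid"

def touches_security_vendor(ev):
    """Process termination or service stop whose name contains a targeted vendor."""
    if ev["type"] not in ("process_terminated", "service_stopped"):
        return False
    return any(v in ev.get("image", ev.get("service", "")).lower() for v in TARGETED_VENDORS)

def detect_edr_killer(events, min_hits=2):
    """Return (driver_image, affected_names) for each suspicious driver load that is
    followed within WINDOW by at least min_hits security-tool terminations or stops."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(events):
        if not is_suspicious_driver(ev):
            continue
        hits = [e.get("image") or e.get("service") for e in events[i + 1:]
                if e["ts"] - ev["ts"] <= WINDOW and touches_security_vendor(e)]
        if len(hits) >= min_hits:
            findings.append((ev["image"], hits))
    return findings

def t(s):
    return datetime.fromisoformat(s)

# Constructed sample (Sysmon-like fields); paths and names are illustrative, not indicators from the report.
SAMPLE_EVENTS = [
    {"ts": t("2025-08-01T10:00:00"), "type": "driver_load", "image": r"C:\Windows\System32\drivers\ntfs.sys", "signature_status": "Valid"},
    {"ts": t("2025-08-01T10:01:00"), "type": "driver_load", "image": r"C:\Users\Public\kqzvp.sys", "signature_status": "Expired"},
    {"ts": t("2025-08-01T10:01:20"), "type": "process_terminated", "image": r"C:\Program Files\Sophos\agent.exe"},
    {"ts": t("2025-08-01T10:01:25"), "type": "service_stopped", "service": "SentinelOne Agent"},
    {"ts": t("2025-08-01T10:01:40"), "type": "process_terminated", "image": r"C:\Program Files\Windows Defender\agent.exe"},
    {"ts": t("2025-08-01T10:30:00"), "type": "process_terminated", "image": r"C:\Program Files\Kaspersky\agent.exe"},  # outside window
]
```

A legitimately signed driver with a short name (cdrom.sys, for instance) does not trigger on its own; the alert requires both the odd driver load and the follow-on shutdown of security tooling inside the window.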
