The Emergence of Advanced EDR Killer Tools in Ransomware Attacks
Recent reports have highlighted the emergence of a novel Endpoint Detection and Response (EDR) bypass tool, described as the evolutionary successor to ‘EDRKillShifter.’ Developed by RansomHub, the tool is actively used in operations by eight distinct ransomware groups, including well-known names such as Blacksuit, Medusa, Qilin, and Dragonforce.
Operational Mechanisms of EDR Killer Tools
EDR killer tools are integral to the strategies employed by ransomware operators, enabling them to disable security software on compromised systems. This capability facilitates the deployment of malicious payloads, privilege escalation, lateral movement within networks, and ultimately, the encryption of critical data—all while evading detection mechanisms.
Sophos security researchers have noted that this newly identified tool, which remains unnamed, takes the form of a heavily obfuscated binary. The binary decodes itself at runtime and injects into a legitimate application process, which makes it harder to spot.
Exploitation of Stolen Certificates
A key feature of this tool is that it searches for a malicious driver signed with either a stolen or an expired digital certificate. The driver carries a random five-character name that is hardcoded into the executable. If such a driver is found, it is loaded into the kernel in a "bring your own vulnerable driver" (BYOVD) attack, which provides the kernel-level privileges needed to disable security tools.
Targeting Major Security Vendors
The driver typically masquerades as a legitimate file, such as the CrowdStrike Falcon Sensor driver. Once loaded, it systematically terminates processes and services belonging to a range of security products. The primary targets include products from Sophos, Microsoft Defender, Kaspersky, Symantec, Trend Micro, SentinelOne, Cylance, McAfee, F-Secure, HitmanPro, and Webroot.
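The two preceding sections describe three traits of the loaded driver: a short random file name, a stolen or expired signing certificate, and a file name that borrows a legitimate vendor's branding. The following Python script is an added example for defenders, not code from the article or from Sophos, that scores Sysmon Event ID 6 (DriverLoad) records against those traits. The log records, the vendor-hint mapping, and the scoring thresholds are constructed for illustration; the field names (ImageLoaded, Signed, Signature, SignatureStatus) follow Sysmon's DriverLoad event.

```python
"""Flag suspicious kernel-driver loads from Sysmon DriverLoad records.

Added example, not part of the original article. The sample records,
vendor-hint table, and scoring weights are constructed for illustration.
"""
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 6 records, flattened to "key=value" pairs.
SAMPLE_EVENTS = [
    # Benign: a Windows driver from the standard directory (five-letter name on purpose).
    "UtcTime=2025-01-01 10:00:00 | ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys"
    " | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid",
    # Benign: a vendor driver whose signer matches its branding (file name is constructed).
    "UtcTime=2025-01-01 10:00:05 | ImageLoaded=C:\\Windows\\System32\\drivers\\FalconSensor.sys"
    " | Signed=true | Signature=CrowdStrike, Inc. | SignatureStatus=Valid",
    # Suspicious: random five-character name, user-writable path, expired certificate.
    "UtcTime=2025-01-01 10:01:12 | ImageLoaded=C:\\Users\\Public\\qzkfe.sys"
    " | Signed=true | Signature=Example Hardware Co. | SignatureStatus=Expired",
    # Suspicious: vendor-branded name but signed by an unrelated publisher, odd path.
    "UtcTime=2025-01-01 10:01:13 | ImageLoaded=C:\\ProgramData\\FalconSensor.sys"
    " | Signed=true | Signature=Example Hardware Co. | SignatureStatus=Valid",
]

# Hypothetical mapping: file-name fragment -> substring expected in the signer name.
VENDOR_HINTS = {
    "falcon": "crowdstrike", "crowdstrike": "crowdstrike",
    "sophos": "sophos", "sentinel": "sentinelone", "defender": "microsoft",
}
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)
RANDOM_NAME = re.compile(r"^[a-z0-9]{5}$", re.IGNORECASE)
FLAG_THRESHOLD = 2  # a weak signal alone (score 1) never flags; any strong signal (2) does


def parse_event(line: str) -> dict:
    """Split one flattened record into a field dictionary."""
    return dict(part.split("=", 1) for part in line.split(" | "))


def assess(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for a single DriverLoad event."""
    score, reasons = 0, []
    path = PureWindowsPath(event["ImageLoaded"])
    stem, lowered = path.stem, str(path).lower()
    signer = event.get("Signature", "").lower()

    # Strong: certificate not currently valid (expired, revoked, unavailable) or unsigned.
    if event.get("Signed", "false").lower() != "true" or event.get("SignatureStatus") != "Valid":
        score += 2
        reasons.append(f"signature status {event.get('SignatureStatus', 'missing')}")
    # Strong: loaded from outside the normal driver directories.
    if not lowered.startswith(TRUSTED_DRIVER_DIRS):
        score += 2
        reasons.append(f"non-standard driver path {path.parent}")
    # Strong: name borrows a vendor's branding but the signer is someone else.
    for hint, expected_signer in VENDOR_HINTS.items():
        if hint in stem.lower() and expected_signer not in signer:
            score += 2
            reasons.append(f"name suggests {expected_signer} but signed by '{event.get('Signature')}'")
            break
    # Weak: five-character name as the article describes; many legitimate drivers match too.
    if RANDOM_NAME.match(stem):
        score += 1
        reasons.append("five-character driver name")
    return score, reasons


def triage(lines) -> list[tuple[str, list[str]]]:
    """Return [(ImageLoaded, reasons)] for every event scoring at or above the threshold."""
    flagged = []
    for line in lines:
        event = parse_event(line)
        score, reasons = assess(event)
        if score >= FLAG_THRESHOLD:
            flagged.append((event["ImageLoaded"], reasons))
    return flagged


if __name__ == "__main__":
    for image, why in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(why))
```

The five-character name check is deliberately weighted low: on its own it matches plenty of legitimate drivers (the constructed `tcpip.sys` record is there to show it does not fire alone), so the script only flags a load when at least one strong signal, such as an expired certificate, a user-writable path, or a signer that contradicts the file's branding, is present.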
While the variants of this EDR killer differ in driver names and in the antivirus products they target, they share common characteristics, such as being packed with HeartCrypt. This points to tool-sharing and collaboration even among competing ransomware groups, a development that has raised concern within the cybersecurity community.
Collaborative Development Among Threat Actors
Sophos researchers emphasize that the deployment of this tool is not the result of a single binary leaking into the public domain. Instead, it appears to be the product of collaborative development among multiple threat actors, with each instance showcasing a unique build of the proprietary tool.
The phenomenon of tool-sharing, particularly concerning EDR bypass mechanisms, has become increasingly prevalent within the ransomware landscape. For instance, Sophos has also identified another tool, AuKill, which has been employed by Medusa Locker and LockBit in their operations.
Additionally, SentinelOne documented instances where the FIN7 group marketed their custom "AvNeutralizer" tool to various ransomware factions, such as BlackBasta, AvosLocker, and LockBit, further demonstrating the interconnectedness in cybercriminal enterprises.
Indicators of Compromise
For defenders seeking to fortify their environments against this threat, the indicators of compromise (IoCs) associated with the newly identified EDR killer tool are published in a dedicated GitHub repository. Security teams are encouraged to consult that resource to keep pace with the tool's evolving variants.
Emergence of Password Store Exploits
The threat landscape continues to evolve, with malware specifically targeting password stores witnessing a threefold increase. Cybercriminals are executing stealthy operations referred to as Perfect Heist scenarios, aggressively infiltrating and exploiting critical systems across sectors.
As ransomware tactics become increasingly sophisticated, understanding and mitigating threats is paramount. By employing robust security frameworks and staying informed on the latest attack vectors, organizations can better shield themselves against these pervasive threats.