
Ransomware attackers unveil new EDR killer in their arsenal – Sophos News


Sophos analysts recently described a new addition to the ransomware ecosystem: EDRKillShifter, a tool used by a criminal group during an attempted RansomHub ransomware attack on an organization. The attack was ultimately thwarted, but the postmortem analysis brought to light this new tool for terminating endpoint protection software.

The emergence of EDRKillShifter comes amidst a rise in sophisticated malware targeting EDR systems as more customers adopt EDR tooling to protect their endpoints. Previous research by Sophos highlighted another EDR killer tool called AuKill, which was commercially available in criminal marketplaces.

In the incident, which took place in May, the threat actors ran EDRKillShifter in an attempt to disable Sophos protection on a targeted computer. The attempt failed, and the subsequent ransomware execution was also blocked by the endpoint agent's CryptoGuard feature.

EDRKillShifter functions as a loader executable: a delivery mechanism for a legitimate but vulnerable driver that the attackers abuse, the technique commonly called "bring your own vulnerable driver" (BYOVD). Execution proceeds in stages. The attacker runs EDRKillShifter with a command line that includes a password string; the loader uses that password to decrypt an embedded resource named BIN and executes it in memory.

The decrypted BIN code in turn unpacks and runs the final payload, which is written in the Go programming language and exploits the vulnerable driver to disable EDR protection. Because the password is supplied only at run time, a sample recovered without the command line used to launch it cannot be decrypted by an analyst, which hampers analysis.

Further analysis of EDRKillShifter revealed that all samples shared the same version data, and the binary's language property was set to Russian, which suggests the author compiled the executable on a system with Russian localization settings (the language property alone does not prove attribution). On execution, the loader creates a new file named Config.ini and allocates memory pages into which it decrypts the embedded, encrypted content.

The final payloads embedded in EDRKillShifter are obfuscated Go-written EDR killers, designed to terminate endpoint protection. These payloads encrypt strings, remove version information, and obscure package paths to hinder reverse engineering.

The investigation also uncovered similarities between the final payloads: both variants load a legitimate but vulnerable driver, use it to obtain kernel-level access, and terminate the targeted endpoint-protection processes. Reusing publicly available exploits for legitimate drivers from GitHub, ported to Go, is a recurring pattern in EDR killers.
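The loader-to-driver chain described above leaves a detection opportunity at the point where the driver is loaded: a vulnerable driver carries a valid signature, so signature checks alone do not flag it, but its hash can be matched against a blocklist and its load path is often unusual. The hunting script below is an added example, not code from the Sophos report; the Sysmon driver-load events (Event ID 6) and the blocklist hashes are constructed for illustration, and the driver file names are hypothetical.

```python
"""Hunt for bring-your-own-vulnerable-driver (BYOVD) loads in Sysmon
Event ID 6 (driver loaded) records.

Added example. The log lines, hashes and driver names below are constructed;
a real hunt would load Microsoft's vulnerable driver blocklist or the
LOLDrivers feed (https://www.loldrivers.io) instead of the placeholder set.
"""
import json

# Constructed placeholder hashes standing in for a real blocklist.
KNOWN_VULNERABLE_DRIVER_SHA256 = {
    "0f" * 32: "hypothetical vulnerable driver A",
    "a1" * 32: "hypothetical vulnerable driver B",
}

# Path fragments that legitimate driver packages are rarely loaded from.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# Constructed Sysmon events serialised as JSON lines (one event per line).
SAMPLE_LOG_LINES = [
    json.dumps({"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
                "Hashes": "SHA256=" + "ee" * 32, "Signed": "true",
                "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}),
    # Validly signed vendor driver, but on the blocklist and in a user-writable path.
    json.dumps({"EventID": 6, "ImageLoaded": r"C:\Users\Public\drv\hypothetical.sys",
                "Hashes": "SHA256=" + "0f" * 32, "Signed": "true",
                "Signature": "Hypothetical Vendor Co.", "SignatureStatus": "Valid"}),
    # A process-creation event; not a driver load, so it is skipped.
    json.dumps({"EventID": 1, "Image": r"C:\Users\Public\drv\loader.exe",
                "CommandLine": "loader.exe <password>"}),
    # Unsigned driver from a user-writable path.
    json.dumps({"EventID": 6, "ImageLoaded": r"C:\ProgramData\tool\helper.sys",
                "Hashes": "SHA256=" + "77" * 32, "Signed": "false",
                "Signature": "-", "SignatureStatus": "Unavailable"}),
]


def parse_hashes(field):
    """Split Sysmon's 'SHA1=..,MD5=..,SHA256=..' field into a dict (lower-case)."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def assess_driver_load(event):
    """Return the list of reasons a driver-load event is suspicious (empty if none)."""
    reasons = []
    image = event.get("ImageLoaded", "")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "")

    label = KNOWN_VULNERABLE_DRIVER_SHA256.get(sha256)
    if label:
        reasons.append(f"blocklisted driver: {label}")

    if any(marker in image.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("driver loaded from user-writable path")

    # A valid signature is NOT evidence of safety (BYOVD drivers are signed);
    # an invalid one is simply an additional reason to look.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver unsigned or signature not valid")
    return reasons


def hunt(lines):
    """Run the assessment over JSON log lines; return [(image_path, reasons), ...]."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        if str(event.get("EventID")) != "6":
            continue
        reasons = assess_driver_load(event)
        if reasons:
            findings.append((event.get("ImageLoaded", ""), reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_LOG_LINES):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

The blocklist hit is the high-confidence signal; the path and signature checks are there to surface drivers the blocklist does not yet know about. Pair a hit with the preceding process-creation event for the launching executable to recover the loader and the command line it was given.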

Mapping EDRKillShifter to the larger threat landscape suggests that the loader and final payloads may be developed by separate threat actors, with loaders possibly acquired from the dark net.

Sophos recommends several mitigations against EDRKillShifter and similar tools: enable tamper protection in the endpoint product so that its processes cannot be terminated; keep a strict separation between user and administrator privileges, since loading a driver requires administrator rights and a low-privileged compromise cannot by itself mount a BYOVD attack; and keep systems updated, because Microsoft regularly revokes or blocklists signed drivers that are known to be abused, and those updates only help systems that receive them.

The discovery of EDRKillShifter highlights how ransomware operators keep adapting their tactics against endpoint protection, and underscores the need for layered defenses that do not depend on a single agent surviving an attack.
