
Ransomware attackers unveil new EDR killer in their arsenal – Sophos News


Sophos analysts recently revealed a new threat in the cybersecurity landscape: EDRKillShifter, a tool developed by a criminal group and used in an attempted RansomHub ransomware attack on an organization. While the attack was ultimately thwarted, the postmortem analysis shed light on the existence of this new tool for terminating endpoint protection software.

The emergence of EDRKillShifter comes amidst a rise in sophisticated malware targeting EDR systems as more customers adopt EDR tooling to protect their endpoints. Previous research by Sophos highlighted another EDR killer tool called AuKill, which was commercially available in criminal marketplaces.

In a recent incident in May, threat actors used EDRKillShifter to try to disable Sophos protection on a targeted computer. Their attempts failed, and the subsequent ransomware execution was also thwarted by the endpoint agent's CryptoGuard feature.

EDRKillShifter functions as a loader executable that delivers a vulnerable driver as its payload, which the threat actors then exploit. Execution involves running EDRKillShifter with a command line that contains a password string; the password is used to decrypt the embedded resource named BIN and execute it in memory.

The decryption of BIN code leads to the execution of a final payload written in the Go programming language, which exploits vulnerable drivers to bypass EDR protection.

Further analysis of EDRKillShifter revealed that all samples shared the same version data, with the binary's language property indicating Russian origin. The loader also creates a new file named Config.ini and allocates memory pages into which the encrypted content is decrypted.

The final payloads embedded in EDRKillShifter are obfuscated Go-written EDR killers, designed to terminate endpoint protection. These payloads encrypt strings, remove version information, and obscure package paths to hinder reverse engineering.

The investigation also uncovered similarities between the final payloads, with both variants abusing vulnerable drivers to gain privileges and terminate targeted processes. Exploiting legitimate drivers by porting publicly available GitHub exploits to Go is a recurring trend in EDR killers.

Mapping EDRKillShifter to the larger threat landscape suggests that the loader and final payloads may be developed by separate threat actors, with loaders possibly acquired from the dark net.

Sophos provides mitigation strategies against EDRKillShifter, including enabling tamper protection, maintaining strong security hygiene, and keeping systems updated to prevent driver abuse attacks.

Overall, the discovery of EDRKillShifter highlights the evolving tactics of cybercriminals targeting endpoint protection systems and underscores the importance of robust cybersecurity measures to defend against sophisticated threats.
