RansomHub Introduces New BYOVD Binary that Destroys EDR

The RansomHub ransomware gang has added a new tool to its arsenal, designed to kill endpoint detection and response (EDR) processes and so evade detection of malicious activity. Known as “EDRKillShifter,” this binary is crafted to load a legitimately signed but unpatched, vulnerable driver that can then be exploited for privilege escalation using proof-of-concept exploits available on GitHub, as reported by the Sophos X-Ops team.

According to Sophos researchers, the execution of this loader consists of three main steps. First, the attacker must run EDRKillShifter with a command line that includes a specific password string. Second, when run with the correct password, the executable decrypts an embedded resource named BIN and executes it in memory. Third, the BIN code unpacks and executes the final payload, written in the Go programming language, which drops and exploits one of several vulnerable, legitimate drivers to gain the privileges needed to disable an EDR tool’s protection.

This development comes amid a growing trend of malware designed to disable EDR systems. AuKill, an EDR killer tool discovered by Sophos X-Ops last year and sold on the Dark Web, has seen increased use in the past year. Terminator, which uses a bring-your-own-vulnerable-driver (BYOVD) mechanism like that of EDRKillShifter, has likewise gained popularity for offering a comprehensive EDR bypass that targets 24 different vendors’ EDR engines.

The BYOVD attack method is not a new phenomenon, and Microsoft has taken steps to decertify signed drivers known to have been exploited in the past. However, the challenge persists as attackers find ways to exploit older, buggy versions of drivers. Roger Grimes, a data-driven defense evangelist at KnowBe4, highlighted the difficulty in defending against this tactic, especially considering the complexities introduced by user groups needing older software versions for compatibility and operability reasons.

In response to these evolving threats, Sophos X-Ops suggests that administrators harden their Windows systems to reduce the risk of such scenarios. Maintaining a clear separation between user and admin privileges can prevent attackers from easily loading drivers and executing malicious payloads, since loading a driver requires administrative rights. By keeping Windows security roles and privilege hygiene strict, organizations can strengthen their defenses against attacks that rely on BYOVD tactics.
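Because a BYOVD driver carries a valid vendor signature, signature status alone will not flag it; what a defender can check is where the driver was loaded from and whether its hash is on a known-vulnerable list. The following Python script is an added example (not code from the article or from Sophos) that applies both checks to Sysmon Event ID 6 (DriverLoad) records; the log records, the path list and the blocklist hashes are constructed placeholders, not real indicators.

```python
import json

# Constructed placeholder blocklist (NOT real hashes); in production load the
# SHA-256 values from Microsoft's vulnerable driver blocklist or a vendor feed.
KNOWN_VULNERABLE_SHA256 = {"A" * 64: "placeholder-vulnerable-driver.sys"}

# A properly installed kernel driver should not load from a user-writable path.
SUSPICIOUS_PATH_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\",
                            "c:\\programdata\\", "c:\\temp\\")

def parse_hashes(field):
    """Parse Sysmon's 'Hashes' field ("SHA256=...,MD5=...") into a dict."""
    pairs = (part.split("=", 1) for part in field.split(",") if "=" in part)
    return {algo.strip().upper(): value.strip().upper() for algo, value in pairs}

def evaluate_driver_load(event):
    """Return the reasons a DriverLoad (Event ID 6) record looks like BYOVD."""
    # Signature status is deliberately ignored: a BYOVD driver carries a valid
    # vendor signature, so Signed=true does not clear it. Path and hash do.
    reasons = []
    image = event.get("ImageLoaded", "").lower()
    if image.startswith(SUSPICIOUS_PATH_PREFIXES):
        reasons.append("driver loaded from user-writable path: " + image)
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash matches known-vulnerable driver " + KNOWN_VULNERABLE_SHA256[sha256])
    return reasons

def scan(log_lines):
    """Scan JSON-encoded Sysmon records; return (ImageLoaded, reasons) alerts."""
    alerts = []
    for line in log_lines:
        event = json.loads(line)
        if event.get("EventID") != 6:  # only DriverLoad events matter here
            continue
        reasons = evaluate_driver_load(event)
        if reasons:
            alerts.append((event["ImageLoaded"], reasons))
    return alerts

# Constructed sample records: a normal system driver, a signed driver dropped into
# a user directory, a system-path driver on the blocklist, and a non-driver event.
SAMPLE_LOG = [json.dumps(e) for e in (
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Hashes": "SHA256=" + "1" * 64, "Signed": "true"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\drv.sys", "Hashes": "SHA256=" + "2" * 64, "Signed": "true"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\old.sys", "Hashes": "SHA256=" + "a" * 64, "Signed": "true"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"},
)]
```

Running `scan(SAMPLE_LOG)` flags the driver in the user directory and the blocklisted one while leaving the normal system driver alone.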

Overall, the emergence of tools like EDRKillShifter underscores the need for continuous vigilance and proactive security measures to protect against evolving cyber threats. As cybercriminals refine their techniques and exploit vulnerabilities in systems, organizations must adapt their security practices and stay ahead of potential risks to safeguard their data and infrastructure.
