A recent development in the realm of cybersecurity has shed light on a new tool being utilized by a ransomware group called RansomHub. This tool, known as EDRKillShifter, has been specifically designed to disable endpoint detection and response (EDR) systems, marking a significant advancement in the tactics employed by cybercriminals to execute ransomware attacks.
Although the attack in which it was found was thwarted, the discovery of EDRKillShifter underscores the persistent threat posed by ransomware groups and their relentless adaptation to security technologies. Analysts from Sophos first encountered the tool while investigating an attempted ransomware attack in May 2023; the attack itself was unsuccessful, but subsequent analysis of the incident revealed a new utility built to disable endpoint protection software.
This discovery is part of a broader trend that has been observed since 2022, where malware designed to disable EDR systems has become increasingly sophisticated. This trend correlates with the rising adoption of EDR technologies by organizations looking to safeguard their endpoints against cyber threats.
EDRKillShifter functions as a “loader” executable, acting as a delivery mechanism for a legitimate, signed driver that contains an exploitable vulnerability. Using the “bring your own vulnerable driver” (BYOVD) approach, attackers abuse a known flaw in legitimate software rather than their own code to obtain the privileges needed to disable EDR tools.
The execution process of EDRKillShifter involves three main steps. First, the attacker runs the tool from the command line, supplying a specific password string that is required to decrypt an embedded resource named BIN. Second, the BIN code unpacks and executes the final payload, written in the Go programming language, which exploits one of several vulnerable drivers to disable EDR protection. Third, that payload is loaded dynamically into memory and executed, leaving the EDR system inactive.
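From a defender's side, the observable of a BYOVD attack is the driver load itself: a signed-but-vulnerable driver appearing on a host, typically dropped into a user-writable directory, often with a known hash. The script below is an added example (not Sophos' code and not part of the original article) that scans Sysmon Event ID 6 “Driver loaded” records, assumed here to be exported as one JSON object per line, and flags loads that match a vulnerable-driver hash list, come from a user-writable path, or lack a valid signature. The hash list and the sample log lines are constructed placeholders, not real driver hashes or real telemetry.

```python
"""Flag suspicious kernel driver loads from Sysmon Event ID 6 records.

BYOVD loaders drop a legitimately signed but vulnerable driver and load it
to gain the privileges needed to tamper with EDR. A driver load that is
(a) on a known-vulnerable list, (b) loaded from a user-writable path, or
(c) not validly signed is worth an alert.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder: in production, populate this set from a
# maintained vulnerable-driver feed. The value below is NOT a real hash.
KNOWN_VULNERABLE_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}

# Directories a legitimate driver package should never be loaded from.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "c:\\temp\\",
)

# Where properly installed drivers normally live.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class Alert:
    image: str
    reasons: List[str]
    severity: str


def parse_hashes(field: str) -> dict:
    """Turn Sysmon's 'SHA256=...,MD5=...' Hashes field into a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def assess_driver_load(event: dict) -> Optional[Alert]:
    """Return an Alert for a suspicious Event ID 6 record, else None."""
    if str(event.get("EventID")) != "6":
        return None  # not a driver-load event
    image = event.get("ImageLoaded", "")
    low = image.lower()
    hashes = parse_hashes(event.get("Hashes", ""))
    reasons = []
    if hashes.get("SHA256") in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash matches known vulnerable driver")
    if low.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("driver loaded from user-writable path")
    elif not low.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("driver loaded outside the standard driver directories")
    status = event.get("SignatureStatus", "")
    if status.lower() != "valid":
        reasons.append(f"signature status {status or 'missing'!r}")
    if not reasons:
        return None
    high = any(r.startswith("hash") for r in reasons) or len(reasons) >= 2
    return Alert(image=image, reasons=reasons, severity="high" if high else "medium")


def scan(lines: List[str]) -> List[Alert]:
    """Parse JSON-per-line Sysmon export and collect driver-load alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        alert = assess_driver_load(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (paths, hashes and vendor names are made up).
SAMPLE_LOG = r"""
{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Hashes": "SHA256=aaaa1111,MD5=00112233", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\drv\\vuln_driver_placeholder.sys", "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000001", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 6, "ImageLoaded": "C:\\Program Files\\ExampleVendor\\helper.sys", "Hashes": "SHA256=bbbb2222", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 6, "ImageLoaded": "C:\\ProgramData\\tmp\\unsigned.sys", "Hashes": "SHA256=cccc3333", "Signed": "false", "SignatureStatus": "Unavailable"}
"""


def demo() -> List[Alert]:
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in demo():
        print(f"[{a.severity}] {a.image}: {'; '.join(a.reasons)}")
```

Running the block prints three alerts: a high-severity hit for the placeholder driver that both matches the hash list and loads from a user-writable directory, a medium hit for a validly signed driver loaded from an unusual location, and a high hit for an unsigned driver under ProgramData. The benign tcpip.sys load and the unrelated process-creation event produce nothing. Hash matching alone is brittle because vulnerable-driver lists lag behind attacker tooling, which is why the path and signature heuristics are kept alongside it.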
Upon closer examination, it is evident that all samples of EDRKillShifter share similar version data, with the original filename being Loader.exe. Furthermore, the binary’s language property is Russian, suggesting that the malware author compiled it on a system with Russian localization settings. The second stage of the tool employs self-modifying code techniques to obfuscate the actual instructions, making analysis challenging.
The ultimate payloads analyzed were written in Go and heavily obfuscated, impeding reverse engineering efforts. Despite the challenges posed by obfuscation, tools like GoReSym have been utilized to extract valuable information from these obfuscated samples. These payloads exploit different vulnerable drivers to acquire the privileges necessary to disable EDR systems.
The modular nature of EDRKillShifter suggests that it is part of a larger ecosystem of malware tools available on the dark net. The loader’s primary function is to deploy the final BYOVD payload, indicating that it may have been acquired separately from the payloads it delivers, complicating attribution efforts.
The discovery of EDRKillShifter sheds light on the ongoing arms race between cybercriminals and cybersecurity professionals. As organizations continue to enhance their security measures with technologies like EDR systems, threat actors are developing increasingly sophisticated tools to circumvent these defenses. This emphasizes the importance of vigilance, adaptability, and the utilization of technological solutions and threat intelligence to stay ahead of evolving threats.
The failed attack by RansomHub serves as a stark reminder of the criticality of robust security practices and the necessity for continuous monitoring and analysis of emerging threats. The cybersecurity community must remain vigilant and proactive in combating evolving cyber threats to safeguard organizations against potential attacks.