August 15, 2024Ravie LakshmananRansomware / Cybercrime

A cybercriminal group associated with the RansomHub ransomware has been identified as using a new tool to terminate Endpoint Detection and Response (EDR) software on compromised hosts. This tool joins similar programs such as AuKill (also known as AvNeutralizer) and Terminator.

The EDR-destroying tool has been dubbed EDRKillShifter by cybersecurity firm Sophos, which discovered the tool in connection with a failed ransomware attack in May 2024.

“The EDRKillShifter tool is a ‘loader’ executable – a delivery mechanism for a legitimate driver that is vulnerable to exploitation (also known as a ‘bring your own vulnerable driver’ or BYOVD tool),” security researcher Andreas Klopsch said. “Depending on the threat actor’s requirements, it can deliver a variety of different driver payloads.”

RansomHub, a suspected rebranding of the Knight ransomware, surfaced in February 2024 and exploited known vulnerabilities to gain initial access and remove legitimate remote desktop software such as Atera and Splashtop for persistent access.

Last month, Microsoft announced that the notorious e-criminal network Scattered Spider has added ransomware variants such as RansomHub and Qilin to its arsenal.

Executed via the command line along with a password string input, the executable decodes an embedded resource named BIN and executes it in memory. The BIN resource unpacks and executes a Go-based final obfuscated payload, which then leverages various vulnerable legitimate drivers to gain elevated privileges and disarm EDR software.

“The language property of the binary is Russian, which indicates that the malware author compiled the executable on a computer with Russian localization settings,” Klopsch said. “All unpacked EDR killers contain a vulnerable driver in the .data section.”

To mitigate the threat, it is recommended to keep systems up to date, enable tamper protection in EDR software, and enforce strict rules for Windows security roles.

“This attack is only possible if the attacker elevates the privileges he controls or if he can gain administrative rights,” Klopsch said. “Separation between user and administrative rights can help prevent attackers from easily loading drivers.”