Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
EDRs are still going offline! Threats are growing with EDRKillShifter’s offspring.

10 August 2025 09:18

A new tool for disabling EDR systems has emerged in the cybercriminal community, which Sophos experts believe to be an extension of the EDRKillShifter utility. Its use has already been recorded in attacks by eight different groups, including RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC.

Tools of this kind let ransomware operators disable the security solutions on a compromised device so that they can deliver the payload, escalate privileges, move laterally across the network and finally encrypt data without being detected.

The new EDR killer is a heavily obfuscated binary that decodes itself at runtime and injects itself into legitimate processes. It then searches for a digitally signed driver, signed with a stolen or expired certificate, whose random five-character name is hard-coded in the executable. If the driver is found, it is loaded into the kernel, implementing the “Bring Your Own Vulnerable Driver” (BYOVD) technique and granting the kernel-level privileges needed to disable security products.

Disguised as a legitimate component, such as the CrowdStrike Falcon Sensor driver, the malicious driver terminates antivirus and EDR processes and blocks the related services. Products from Sophos, Microsoft Defender, Kaspersky, Symantec, Trend Micro, SentinelOne, Cylance, McAfee, F-Secure, HitmanPro, and Webroot are targeted. The versions of the tool differ in driver names, target product lists, and build characteristics, but all of them are packed with HeartCrypt. According to Sophos, this is not a single leaked binary but a jointly developed platform that competing groups also use, each with its own unique build.
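As an added defensive example, not code from Sophos or from this article, the heuristics below triage Sysmon Event ID 6 (Driver loaded) records for the behaviour described above: a signature that is not valid, a five-character driver name outside the standard driver directory, and a file named like an EDR component but signed by someone else. The Sysmon field names are real; the sample records, signer names and vendor allow-list are constructed for illustration.

```python
import re

# Constructed records in the shape of Sysmon Event ID 6 (Driver loaded) fields;
# sample values only, not real telemetry or indicators of compromise.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\CSAgent.sys",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "CrowdStrike, Inc."},
    {"ImageLoaded": r"C:\Users\Public\qzkrt.sys",
     "Signed": "true", "SignatureStatus": "Expired", "Signature": "Example Hardware Co"},
    {"ImageLoaded": r"C:\Windows\Temp\CSFalconSensor.sys",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Unrelated Signer Ltd"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
]

# Hypothetical allow-list: a name fragment that implies a vendor, and the
# substring expected in the signer field for that vendor.
EXPECTED_SIGNER = {"falcon": "crowdstrike", "csagent": "crowdstrike"}
TRUSTED_DIR = "c:\\windows\\system32\\drivers\\"
FIVE_CHAR_NAME = re.compile(r"^[a-z]{5}\.sys$", re.IGNORECASE)

def driver_name(path):
    return path.rsplit("\\", 1)[-1]

def flag_driver_load(event):
    """Return the reasons a driver-load record looks like a BYOVD load."""
    reasons = []
    path = event["ImageLoaded"]
    name = driver_name(path)
    signer = event.get("Signature", "").lower()
    # Expired, revoked or missing signatures: the stolen/expired certificate case.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("signature not valid: %s" % event.get("SignatureStatus"))
    # Short random-looking names are noisy on their own (tcpip.sys is five
    # letters), so only flag them outside the standard driver directory.
    if FIVE_CHAR_NAME.match(name) and not path.lower().startswith(TRUSTED_DIR):
        reasons.append("five-character driver name outside %s" % TRUSTED_DIR)
    # A file named like an EDR component but signed by someone else.
    for fragment, vendor in EXPECTED_SIGNER.items():
        if fragment in name.lower() and vendor not in signer:
            reasons.append("name mimics %s but signer is %r" % (vendor, event.get("Signature")))
    return reasons

def triage(events):
    """Map suspicious driver file names to their reasons; clean loads are skipped."""
    flagged = ((driver_name(e["ImageLoaded"]), flag_driver_load(e)) for e in events)
    return {name: reasons for name, reasons in flagged if reasons}
```

In production the same checks would run over the Sysmon event stream rather than a list, and the vendor allow-list would be built from the signers actually deployed in the environment.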

Sharing such tools within the ransomware community is already a well-known practice. Besides EDRKillShifter, Sophos has previously identified other utilities of this class, such as AuKill, used by Medusa Locker and LockBit. SentinelOne also reported last year that the FIN7 group sold its AvNeutralizer tool to several gangs, including BlackBasta, AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit. The complete list of indicators of compromise for the new EDR killer is available in a public GitHub repository.

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.