RansomHub threat actors observed using EDR-killing tool

Threat research from Sophos details a recent encounter with the ransomware group known as RansomHub. The research reports that the attack was unsuccessful; however, researchers were able to analyze the attack and discovered the use of an EDR-killing tool. The research has labelled this utility the EDRKillShifter. 

John Bambenek, President at Bambenek Consulting, comments, “At present, only RansomHub is using the tool. However, as it was sold on the dark web, it is more than likely that other groups could purchase it as well. Threat actors trying to kill EDR agents on systems before going further in their chain of attacks is not news, however, security teams should keep tight controls on drivers being installed to avoid this tool.”

How the EDR-killing tool works

EDRKillShifter is described as a “bring your own vulnerable driver” (BYOVD) tool, requiring three steps to execute. 

  1. The EDRKillShifter must be executed with a command line including a password string; with the correct password, an embedded resource named BIN is decrypted and executed. 
  2. The final payload is unpacked and executed by the BIN code. 
  3. The final payload drops and leverages one vulnerable, legitimate driver from a range of drivers in order to gain privileges to disarm an EDR tool’s protection. 

Bambenek states, “BYOVD is a technique where an attacker loads a legitimate driver that has vulnerabilities so they can overwrite the code near the kernel to execute privileged functions. The danger here is that the kernel driver isn’t malicious, so detection is more difficult. Once a driver is loaded, you have much deeper access to the system and are able to have a wider range of privileges to manipulate a system.”

How security leaders can defend their organizations

Security leaders are encouraged to monitor endpoint security, encourage strong organizational cyber hygiene and keep systems updated. Craig Jones, Vice President of Security Operations at Ontinue, explains, “The situation with the EDRKillShifter tool is indeed concerning. From what we can gather, the cybercriminal group behind this operation remains unidentified, but their use of the RansomHub ransomware suggests they’re experienced and determined. The fact that they’re employing this new tool, designed specifically to disable endpoint detection and response (EDR) software, is a clear indicator of their sophistication.

“The danger here is significant. Once EDR is out of the picture, these attackers can operate on compromised systems with much less risk of being detected, giving them a wider window to deploy ransomware or other malicious payloads.

“For security teams, the emergence of EDRKillShifter emphasizes the constantly evolving tactics used by threat actors. First, it’s crucial to ensure that all drivers on your network are up-to-date and regularly audited for known vulnerabilities. Additionally, implementing strict allowlisting policies for drivers can help prevent unauthorized or vulnerable drivers from being used, this is time consuming and fraught with complexity.

“Security is a moving target, and this latest tool is a reminder that attackers are always looking for ways to outmaneuver even the most advanced defenses.”

https://www.securitymagazine.com/articles/100947-ransomhub-threat-actors-observed-using-edr-killing-tool