Ransomware Attackers Unveil New EDR Bypass Tool

Sophos analysts uncovered a new EDR-killing loader, EDRKillShifter, used in an ultimately unsuccessful RansomHub ransomware attack. The tool encrypts and decrypts its resources in memory, relies on a bring-your-own-vulnerable-driver (BYOVD) approach, and uses obfuscation and self-modifying code to hinder analysis.

Keypoints

  • New tool identified: EDRKillShifter is a utility aimed at terminating endpoint protection software.
  • Failed ransomware attack: The tool was used in an unsuccessful RansomHub ransomware attempt.
  • Loader functionality: EDRKillShifter acts as a loader for various driver payloads, utilizing a “bring your own vulnerable driver” (BYOVD) approach.
  • Execution process: Requires a unique 64-character password to execute and decrypts embedded resources in memory.
  • Self-modifying code: The second stage of the malware uses self-modifying code to obscure its instructions during execution.
  • Obfuscation techniques: The final payloads are written in Go and are obfuscated, complicating reverse engineering efforts.
  • Mitigation recommendations: Users are advised to enable tamper protection, maintain strong user privilege separation, and keep systems updated.

MITRE Techniques

  • [T1068] Privilege Escalation – Exploitation of a vulnerable driver to gain elevated privileges.
  • [T1562] Defense Evasion – Using EDRKillShifter to disable endpoint protection software.
  • [T1203] Execution – Execution of the loader with a command line argument to decrypt and execute payloads.
  • [T1071] Command and Control – Potential communication with external servers for additional payloads or commands.

Indicators of Compromise

  • [File hash] 451f5aa55eb207e73c5ca53d249b95911d3fad6fe32eee78c58947761336cc60 – variant with RentDrv2 observed in the loader/driver chain
  • [File hash] d0f9eae1776a98c77a6c6d66a3fd32cee7ee6148a7276bc899c1a1376865d9b0 – variant with ThreatFireMonitor observed in the loader chain
  • [File name] Loader.exe – original loader name observed
  • [File name] Config.ini – file created by the loader and written to disk during execution
  • [Driver] RentDrv2 – vulnerable driver exploited by one final payload variant
  • [Driver] ThreatFireMonitor – vulnerable driver exploited by another final payload variant
  • [Process] Notepad.exe – targeted process name observed in the execution context
  • [Process] CalculatorApp.exe – targeted process name observed in the execution context
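The following is an added example (not from the Sophos report) showing how a defender could match the indicators above and the behaviours from the key points (loader launched with a 64-character argument, Config.ini drop, vulnerable driver load) against Sysmon-style telemetry. The event-dict layout, field names and sample events are constructed; the hashes and names are those listed on this page.

```python
import re

# Indicators exactly as listed above; everything else in this block is constructed.
KNOWN_HASHES = {
    "451f5aa55eb207e73c5ca53d249b95911d3fad6fe32eee78c58947761336cc60": "RentDrv2 variant",
    "d0f9eae1776a98c77a6c6d66a3fd32cee7ee6148a7276bc899c1a1376865d9b0": "ThreatFireMonitor variant",
}
SUSPECT_DRIVERS = ("rentdrv2", "threatfiremonitor")
LOADER, CONFIG = "loader.exe", "config.ini"
# The loader needs a unique 64-character password as its argument; heuristic: any lone 64-char token.
PASSWORD_TOKEN = re.compile(r"(?:^|\s)[^\s]{64}(?:\s|$)")

def triage(events):
    """Return (severity, reason) findings for Sysmon-style event dicts (IDs 1, 6, 11)."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "").lower()
        if eid == 1:  # process create: known hash first, then loader name + 64-char argument
            sha = ev.get("SHA256", "").lower()
            if sha in KNOWN_HASHES:
                findings.append(("high", f"EDRKillShifter {KNOWN_HASHES[sha]} executed: {ev['Image']}"))
            elif image.endswith(LOADER) and PASSWORD_TOKEN.search(ev.get("CommandLine", "")):
                findings.append(("medium", f"{LOADER} launched with a 64-character argument"))
        elif eid == 6:  # driver loaded: the BYOVD drivers named in the report
            loaded = ev.get("ImageLoaded", "").lower()
            if any(d in loaded for d in SUSPECT_DRIVERS):
                findings.append(("high", f"vulnerable driver loaded: {ev['ImageLoaded']}"))
        elif eid == 11:  # file create: the loader writing Config.ini to disk
            if image.endswith(LOADER) and ev.get("TargetFilename", "").lower().endswith(CONFIG):
                findings.append(("medium", f"{LOADER} wrote {ev['TargetFilename']}"))
    return findings

# Constructed sample telemetry: a renamed loader (hash hit), a Loader.exe with a 64-char argument,
# one driver load, one Config.ini drop, and a benign process create that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\svc.exe",
     "SHA256": "451F5AA55EB207E73C5CA53D249B95911D3FAD6FE32EEE78C58947761336CC60",
     "CommandLine": "svc.exe " + "a" * 64},
    {"EventID": 1, "Image": r"C:\Temp\Loader.exe", "SHA256": "00" * 32,
     "CommandLine": "Loader.exe " + "b" * 64},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\RentDrv2.sys"},
    {"EventID": 11, "Image": r"C:\Temp\Loader.exe", "TargetFilename": r"C:\Temp\Config.ini"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "SHA256": "11" * 32,
     "CommandLine": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for sev, why in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {why}")
```

The 64-character-argument rule is a heuristic and will need tuning against benign tooling in a real environment; the hash and driver-name matches are the high-confidence signals.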

Read more: https://news.sophos.com/en-us/2024/08/14/edr-kill-shifter/