Killer Ultra is a malicious tool tied to Qilin ransomware that targets and disables popular EDR/AV products, while also offering broader post-exploitation capabilities. The analysis highlights its Zemana driver usage, kernel-level actions, persistence mechanisms, and potential for future C2-enabled operations. #KillerUltra #SpyBoy
Key Points
- Terminates Processes for Common Security Tools: Killer Ultra obtains kernel-level permissions and targets endpoint security tools from Symantec, Microsoft, and SentinelOne.
- Event Log Clearing: It enumerates and clears all Windows Event Logs.
- Vulnerability Exploitation: Killer Ultra is packed with a vulnerable version of Zemana AntiLogger leveraging CVE-2024-1853 for Arbitrary Process Termination.
- Extended Capabilities: Analysis revealed inactive code with capabilities that could download and execute tools over a C2 channel.
- Defence Evasion & Driver Loading: Writes the Zemana driver amsdk.sys to disk under the file name “trevor” and loads it via a service named StopGuard.
- Persistence & Reboot Resilience: Creates two scheduled tasks (Microsoft Security and Microsoft Maintenance) to run at startup.
MITRE Techniques
- [T1562.001] Impair Defenses – Terminate common security tools. ‘Killer Ultra terminates processes for common security tools…’
- [T1070.001] Clear Windows Event Logs – Enumerates and clears Windows Event Logs. ‘It enumerates and clears all Windows Event Logs.’
- [T1068] Exploitation for Privilege Escalation – CVE-2024-1853 in Zemana AntiLogger for Arbitrary Process Termination. ‘Vulnerability Exploitation: Killer Ultra is packed with a vulnerable version of Zemana AntiLogger leveraging CVE-2024-1853 for Arbitrary Process Termination.’
- [T1053.005] Scheduled Task – Persistence via startup tasks. ‘To prevent security tools from running again after a system reboot, Killer Ultra creates two scheduled tasks named “Microsoft Security” and “Microsoft Maintenance” to run at system startup.’
- [T1543.003] Create/Modify System Process: Windows Service – Load Zemana driver via a Windows service named StopGuard. ‘The driver is executed by creating a service named “StopGuard.”’
- [T1105] Ingress Tool Transfer – Download/transfer tools over remote sources. ‘There is a reference to “Download Agent” leveraging InternetOpenUrlW and CreateFileW, indicating that this code could be used in the future to establish a Command-and-Control channel with an impacted system.’
- [T1106] Native API – Execute mimi.exe and program.exe from C:\temp via CreateProcessW. ‘Killer Ultra has code designed to execute processes named “mimi.exe” and “program.exe” from “c:\temp” via the native CreateProcessW function.’
- [T1497] Virtualization/Sandbox Evasion – Checks for virtualization/sandbox software before possible termination. ‘Killer Ultra contains a list of files associated with virtualization and sandbox software such as VirtualBox and CAPE…’
Indicators of Compromise
- [Hash] 379e4c80bc7f2d174b5ca9f2decedcee587c73517183488e23e7f34c99371774 – Sample hash of the Killer Ultra sample provided.
- [File Name] trevor – Zemana driver downloaded and written to disk as a file named “trevor.”
- [Driver] amsdk.sys – Zemana AntiLogger driver packaged with Killer Ultra.
- [File Name] amsdk.sys – Zemana driver file name observed in the malware package.
- [Service] StopGuard – Service created to execute the Zemana driver.
- [Scheduled Task] Microsoft Security – Startup task to re-launch Killer Ultra at boot.
- [Scheduled Task] Microsoft Maintenance – Startup task to re-launch Killer Ultra at boot.
- [Process] notepad.exe – Used to unhook and tamper with NTDLL during defense evasion.
- [Registry Key] HKLM\System\ControlSet001\Services\StopGuard – Registry key referencing the StopGuard service.
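The indicators above map cleanly onto a handful of Windows telemetry sources: service installation (System log event 7045), scheduled task creation (Security log event 4698), and Sysmon process-create, file-create and registry events (event IDs 1, 11, 13). The following added example, which is not part of the original analysis, runs that mapping over a few constructed event records so the detection logic for each indicator can be exercised offline. The event record shape (`source`, `event_id`, `fields`) and the file paths in the sample data are assumptions of this example; the indicator values themselves are the ones listed on this page.

```python
"""Added example (not from the original analysis): match the Killer Ultra
indicators listed on this page against constructed Windows/Sysmon events."""
import re
from dataclasses import dataclass

# Indicators taken from the page.
SAMPLE_SHA256 = "379e4c80bc7f2d174b5ca9f2decedcee587c73517183488e23e7f34c99371774"
TASK_NAMES = {"microsoft security", "microsoft maintenance"}
SERVICE_NAME = "stopguard"
FILE_NAMES = {"trevor", "amsdk.sys"}
REGISTRY_KEY = r"hklm\system\controlset001\services\stopguard"


@dataclass(frozen=True)
class Event:
    source: str      # "Security", "System" or "Sysmon" (shape assumed by this example)
    event_id: int
    fields: dict


@dataclass(frozen=True)
class Finding:
    technique: str   # MITRE ID as mapped on this page
    indicator: str
    event_id: int


def _norm(value):
    return (value or "").strip().lower()


def _basename(path):
    # Accept both backslash and slash separators.
    return re.split(r"[\\/]", _norm(path))[-1]


def _sha256_from_hashes(hashes):
    # Sysmon writes hashes as "SHA256=...,MD5=..." depending on configuration.
    for part in _norm(hashes).split(","):
        if part.startswith("sha256="):
            return part[len("sha256="):]
    return ""


def check_event(ev):
    """Return the findings a single event produces (possibly none)."""
    findings = []
    f = ev.fields
    if ev.source == "System" and ev.event_id == 7045:          # new service installed
        if _norm(f.get("ServiceName")) == SERVICE_NAME:
            findings.append(Finding("T1543.003", "service StopGuard", 7045))
        image = _basename(f.get("ImagePath"))
        if image in FILE_NAMES:
            findings.append(Finding("T1543.003", f"driver image {image}", 7045))
    elif ev.source == "Security" and ev.event_id == 4698:      # scheduled task created
        name = _norm(f.get("TaskName")).lstrip("\\")           # 4698 prefixes the task path with "\"
        if name in TASK_NAMES:
            findings.append(Finding("T1053.005", f"scheduled task {name}", 4698))
    elif ev.source == "Sysmon":
        if ev.event_id == 1 and _sha256_from_hashes(f.get("Hashes")) == SAMPLE_SHA256:
            # The sample itself is the defense-impairing tool, hence T1562.001.
            findings.append(Finding("T1562.001", "known Killer Ultra sample hash", 1))
        elif ev.event_id == 11 and _basename(f.get("TargetFilename")) in FILE_NAMES:
            findings.append(Finding("T1562.001", f"dropped file {_basename(f.get('TargetFilename'))}", 11))
        elif ev.event_id in (12, 13) and _norm(f.get("TargetObject")).startswith(REGISTRY_KEY):
            findings.append(Finding("T1543.003", "StopGuard service registry key", ev.event_id))
    return findings


def scan(events):
    return [finding for ev in events for finding in check_event(ev)]


def summarize(findings):
    """Count findings per MITRE technique."""
    counts = {}
    for finding in findings:
        counts[finding.technique] = counts.get(finding.technique, 0) + 1
    return counts


# Constructed sample telemetry (paths are invented for the example).
SAMPLE_EVENTS = [
    Event("Sysmon", 1, {"Image": r"C:\Users\Public\ku.exe", "Hashes": "SHA256=" + SAMPLE_SHA256.upper()}),
    Event("Sysmon", 11, {"TargetFilename": r"C:\Windows\Temp\trevor"}),
    Event("System", 7045, {"ServiceName": "StopGuard", "ImagePath": r"C:\Windows\Temp\trevor"}),
    Event("Sysmon", 13, {"TargetObject": r"HKLM\System\ControlSet001\Services\StopGuard\ImagePath"}),
    Event("Security", 4698, {"TaskName": r"\Microsoft Security"}),
    Event("Security", 4698, {"TaskName": r"\Microsoft Maintenance"}),
    Event("Security", 4698, {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"}),   # benign
    Event("System", 7045, {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"}),  # benign
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.technique}] event {finding.event_id}: {finding.indicator}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

Matching is case-insensitive and tolerant of the leading backslash that event 4698 puts on task names, and the 7045 check fires on both the service name and the image basename, so a renamed service still surfaces when it points at the "trevor" or amsdk.sys file. Hash comparison keys on the SHA256 field of Sysmon's `Hashes` string, which is the form Sysmon emits when SHA256 hashing is enabled in its configuration.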