EDRKillShifter Malware

By Mezo in Malware

Translate To:

A cybercrime group associated with the RansomHub Ransomware has been spotted deploying a new tool aimed at disabling endpoint detection and response (EDR) software on compromised systems. Cybersecurity experts have named this EDR-disabling utility "EDRKillShifter." The tool was discovered following a failed ransomware attempt in May 2024. EDRKillShifter now joins other similar programs, such as AuKill (also known as AvNeutralizer) and Terminator.

EDRKillShifter functions as a 'loader' executable, serving as a delivery mechanism for a legitimate but vulnerable driver—this type of tool is typically known as a 'bring your own vulnerable driver' (BYOVD). Depending on the threat actor's objectives, it can deploy various driver payloads.

Table of Contents

New Face of an Old Cybercrime Group

The RansomHub Ransomware believed to be a rebranded version of the Knight Ransomware, emerged in February 2024. It exploits known security vulnerabilities to gain initial access, deploying legitimate remote desktop tools like Atera and Splashtop to maintain persistent access. Just last month, Microsoft disclosed that the infamous cybercrime group Scattered Spider has added ransomware strains like RansomHub and Qilin to its toolkit.

Attack Chain and Operation of EDRKillShifter

Executed via the command line with a password string input, the executable decrypts an embedded resource named BIN and runs it directly in memory. This BIN resource unpacks and executes a final Go-based, obfuscated payload, which exploits various vulnerable, legitimate drivers to gain elevated privileges and disable EDR software.

The binary's language property is set to Russian, suggesting that the malware was compiled on a system with Russian localization settings. All unpacked EDR-disabling tools embed a vulnerable driver within the .data section.

It's recommended to keep systems updated, enable tamper protection in EDR software, and maintain strong security practices for Windows roles to mitigate this threat. This attack is only feasible if the attacker can escalate privileges or gain administrator rights. Ensuring a clear separation between user and admin privileges can help tremendously in preventing attackers from easily loading corrupted drivers.

How to Boost the Security of Your Devices against Malware Infections?

To strengthen device security and protect against malware infections, users are encouraged to adopt the following comprehensive best practices:

Regular Software Updates: Operating System: Ensure that your operating system is regularly upgraded with the latest security patches and updates to address and rectify known vulnerabilities. Applications: Regularly update all installed software, including Web browsers, plugins, and other applications, to maintain security and functionality.
Strong and Unique Passwords: Password Complexity: Create complex passwords that combine letters, numbers, and symbols to enhance security. Password Management: Utilize a reputable password manager to generate, store, and manage unique passwords for each account, thereby reducing the risk of password-related breaches.
Two-Factor Authentication (2FA): Additional Security: Implement two-factor authentication on all accounts and services that support it, adding one more layer of security beyond traditional passwords.
Anti-Malware Software: Real-Time Protection: Install and maintain trusted anti-malware programs that offer real-time protection and conduct regular scans to detect and neutralize threats. Program Updates: Regularly update these security programs to ensure they can identify and combat new and emerging threats effectively.
Safe Browsing Practices: Avoid Suspicious Links: Refrain from accessing links or downloading attachments from unfamiliar or suspicious emails to prevent malware infections. Verify Websites: Ensure that you are navigating to secure and legitimate websites by checking for HTTPS in the URL before entering any private information.
Regular Backups: Data Backup: Frequently back up critical data to an independent storage device or a cloud service to minimize potential data loss in the event of a malware attack.
Firewall Configuration: Network Protection: Employ a firewall to regulate both incoming and outgoing network traffic, thereby blocking unauthorized access and enhancing network security.
User Privileges: Least Privilege Principle: Instead of an administrator account, operate using a regular user account to limit the potential impact of malware on system operations. Separate Accounts: Maintain distinct accounts for routine activities and administrative tasks to mitigate the risk of unauthorized privilege escalation.
Education and Awareness: Phishing Awareness: Stay informed about common phishing tactics and social engineering tactics to diminish the possibility of falling victim to such attacks. Ongoing Training: Continuously engage in training and educational resources to remain updated on the latest security threats and best practices.

By adopting these best practices, users can significantly bolster their defenses against malware infections and other security threats, enhancing overall system security and integrity.