TrollEye Security

RansomHub Ransomware Operators Deploy New Malware to Disable EDR Security Software in BYOVD Attacks

Details of the Story

As reported by Bleeping Computer, the notorious RansomHub ransomware operators have begun deploying a new and sophisticated malware, dubbed “EDRKillShifter,” designed to disable Endpoint Detection and Response (EDR) security software through Bring Your Own Vulnerable Driver (BYOVD) attacks. This latest development highlights the increasing sophistication of ransomware tactics and the ongoing threat to cybersecurity defenses.

Discovered by Sophos security researchers during a May 2024 ransomware investigation, EDRKillShifter operates by deploying a legitimate but vulnerable driver on targeted devices. This allows the malware to escalate privileges, disable security solutions, and ultimately take control of the system. The technique, which has gained popularity among various threat actors, is utilized by financially motivated ransomware gangs and state-backed hacking groups alike.

In the course of their investigation, Sophos researchers uncovered two different samples of EDRKillShifter. Both samples exploited vulnerabilities in drivers, with proof-of-concept exploits available on GitHub. One sample targeted a driver known as RentDrv2, while the other exploited a driver called ThreatFireMonitor, a component of a deprecated system-monitoring package.

EDRKillShifter is particularly versatile, capable of delivering various driver payloads based on the attackers’ needs. Notably, the malware’s language property suggests that it was compiled on a computer with Russian localization, pointing to a possible origin.

The malware’s execution process is complex and involves several steps. First, the attacker launches the EDRKillShifter binary with a password string, which decrypts and executes an embedded resource named BIN in memory. This code then unpacks and executes the final payload, which drops and exploits a vulnerable, legitimate driver to escalate privileges and disable active EDR processes and services. The malware then creates a new service for the driver, starts the service, and loads the driver. It enters an endless loop that continuously enumerates running processes, terminating those that appear on a hardcoded list of targets.
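As an added illustration from the defender's side (not code from the article, from Sophos, or from TrollEye), the following Python hunting rule looks for the two observable steps in the chain just described: a kernel-mode driver service being installed from a path outside the normal driver directories (Service Control Manager event 7045), followed within a short window by the termination of the organisation's EDR processes (Sysmon event 5). The event records, the protected process names, the driver paths, the time window and the threshold are all constructed placeholders and would be replaced with the environment's own values.

```python
"""Detection logic for the "drop vulnerable driver, then kill EDR" pattern.

Input is a list of already-parsed Windows events (constructed sample below);
output is a list of alert dicts. Nothing here is vendor-specific.
"""

# Directories where legitimately installed kernel drivers normally live.
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)

# Hypothetical names of this organisation's EDR processes (placeholders).
PROTECTED_PROCESSES = {"edr_agent.exe", "edr_sensor.exe"}

KILL_WINDOW_SECONDS = 300   # how long after the driver load we watch for kills
KILL_THRESHOLD = 2          # kills of protected processes needed for "high"


def is_untrusted_driver_path(image_path: str) -> bool:
    """True if a driver image sits outside the trusted driver directories."""
    p = image_path.strip().strip('"').lower().replace("/", "\\")
    if p.startswith("\\??\\"):            # strip the NT object-manager prefix
        p = p[4:]
    p = p.replace("%systemroot%", r"c:\windows")
    return not any(p.startswith(d + "\\") for d in TRUSTED_DRIVER_DIRS)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_edr_killer(events):
    """Correlate untrusted kernel-driver installs with later EDR process kills.

    Each event is a dict with at least 'ts' (seconds) and 'event_id'.
    Event 7045 carries ServiceName / ImagePath / ServiceType;
    Sysmon event 5 carries Image / ProcessId.
    """
    alerts = []
    ordered = sorted(events, key=lambda e: e["ts"])
    for i, ev in enumerate(ordered):
        if ev["event_id"] != 7045:
            continue
        if "kernel" not in ev.get("ServiceType", "").lower():
            continue
        if not is_untrusted_driver_path(ev["ImagePath"]):
            continue
        # Driver loaded from an unusual location: look for follow-on kills.
        killed = []
        for later in ordered[i + 1:]:
            if later["ts"] - ev["ts"] > KILL_WINDOW_SECONDS:
                break
            if later["event_id"] == 5 and _basename(later["Image"]) in PROTECTED_PROCESSES:
                killed.append(_basename(later["Image"]))
        alerts.append({
            "service": ev["ServiceName"],
            "driver": ev["ImagePath"],
            "killed": killed,
            "severity": "high" if len(killed) >= KILL_THRESHOLD else "medium",
        })
    return alerts


# Constructed sample events; names and paths are placeholders, not IoCs.
SAMPLE_EVENTS = [
    {"ts": 1000, "event_id": 7045, "ServiceName": "WebCache",
     "ImagePath": r"%SystemRoot%\System32\drivers\webcache.sys",
     "ServiceType": "kernel mode driver"},
    {"ts": 1200, "event_id": 7045, "ServiceName": "svc_updt",
     "ImagePath": r"C:\Users\Public\Music\drv.sys",
     "ServiceType": "kernel mode driver"},
    {"ts": 1205, "event_id": 5, "Image": r"C:\Program Files\EDR\edr_agent.exe", "ProcessId": 4120},
    {"ts": 1206, "event_id": 5, "Image": r"C:\Program Files\EDR\edr_sensor.exe", "ProcessId": 4188},
    {"ts": 1300, "event_id": 5, "Image": r"C:\Windows\System32\notepad.exe", "ProcessId": 5000},
]

if __name__ == "__main__":
    for alert in detect_edr_killer(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately fires at "medium" on any kernel driver loaded from a user-writable or otherwise unusual path, since that alone is worth a look, and escalates to "high" once the protected processes start dying right after it; a known-vulnerable-driver hash list can be added as a further, stronger signal.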

Sophos recommends several measures to mitigate the risk posed by EDRKillShifter and similar malware. These include enabling tamper protection in endpoint security products, maintaining a clear separation between user and admin privileges to prevent attackers from loading vulnerable drivers, and keeping systems updated, as Microsoft continues to de-certify signed drivers known to have been misused in previous attacks.

This is not the first time Sophos has encountered malware designed to disable EDR systems. Last year, the company spotted another EDR-killing malware, dubbed AuKill, which exploited a vulnerable Process Explorer driver in Medusa Locker and LockBit ransomware attacks. AuKill bears similarities to an open-source tool known as Backstab, which also targets a vulnerable Process Explorer driver and has been used by the LockBit gang in at least one observed attack.

As ransomware operators continue to evolve their tactics, the deployment of EDRKillShifter underscores the need for robust and adaptive security measures to protect against increasingly sophisticated threats.
