
Ransomware gangs introduce new EDR killing tool

Sophos researchers have discovered a new tool, EDRKillShifter, that malicious actors are using to disable Endpoint Detection and Response (EDR) software before deploying ransomware.

The discovery came after an unsuccessful ransomware attack in May. The threat actors ran the tool in an attempt to disable endpoint protection software so that they could execute the notorious RansomHub ransomware. The attack failed when Sophos' protection detected and blocked the ransomware.

According to Sophos, this tool represents a significant evolution in malware targeting EDR systems as more organizations invest in these technologies to protect themselves from cyber threats.

Since 2022, Sophos has observed a rise in malware aimed at disabling EDR systems. Tools like AuKill are already being sold on criminal marketplaces, and Sophos is “moderately confident” that several threat actors are using this new tool in their attacks.

How it works

EDRKillShifter is a “loader” executable: its job is to deliver and exploit a legitimate, signed but vulnerable kernel driver, a technique known as “Bring Your Own Vulnerable Driver” (BYOVD). Because the driver carries a valid signature, Windows will load it; the attacker then exploits the driver's flaw to act with kernel privileges, which is what makes it possible to terminate processes that an EDR product would otherwise protect. The tool can deliver several different driver payloads depending on the threat actor's needs.

The execution process involves three steps. First, the attacker runs EDRKillShifter with a password on the command line. Second, if the password is correct, the loader uses it to decrypt an embedded resource and executes that code in memory. Third, that intermediate layer unpacks and runs the final payload, written in the Go programming language, which exploits the vulnerable driver to gain the privileges needed to switch off an EDR tool's protection.

Sophos' analysis shows that the malware author most likely compiled the executable on a computer with Russian localization settings. The executable, named “Loader.exe”, requires a 64-character password supplied on the command line. With a wrong password the embedded resource cannot be decrypted and the loader does nothing, which also means the sample cannot be detonated for analysis without the attacker's password.

Complexity levels

EDRKillShifter also uses self-modifying code, which makes it difficult for researchers to analyze: the second layer rewrites its own instructions at runtime, so a static disassembly shows code that never executes in the form displayed, and dynamic analysis tooling is needed. The obfuscation also hides information that normally helps reverse engineers, such as strings, Go version details, and package paths.

Sophos' research has identified several variants of EDRKillShifter, each embedding a different vulnerable driver. While the final payloads vary, the overall behavior is the same. Once executed, the payload obtains the privileges needed to load a driver (on Windows this requires administrator rights, which is why the advice below stresses restricting them) and drops the vulnerable driver file into the system's temporary folder.

It then creates and starts a service for that driver and enters an infinite loop that repeatedly enumerates running processes and, through the vulnerable driver, terminates any whose name matches a hard-coded list of security-product processes. The two variants Sophos analyzed in depth both abuse legitimate but vulnerable drivers and reuse proof-of-concept exploits publicly available on platforms such as GitHub, mirroring trends seen with other EDR killing tools such as Terminator.
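The behavior chain described above (a .sys file dropped into a temp folder, a kernel-mode service created for it, the driver loaded, then a burst of security-process terminations on the same host) is what a defender can correlate from endpoint telemetry, and it is the shape of the behavior-based rules Sophos refers to below. The following Python is an added example written for this page, not Sophos' code or anything taken from the EDRKillShifter sample: it runs a simple correlation over constructed events whose field names follow Sysmon (event IDs 11 FileCreate, 6 DriverLoad, 5 ProcessTerminate) and the Windows System log (7045, service installed). The host names, file and service names, the loader path and the list of security process names are all assumptions for the example.

```python
"""Correlate endpoint events into the BYOVD 'EDR killer' chain.

Added example for this page (not Sophos' or EDRKillShifter's code). Events are
constructed; field names follow Sysmon (11/6/5) and the System log (7045)."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Process names an EDR killer typically targets (assumed list for the example).
SECURITY_PROCESSES = {
    "msmpeng.exe", "mssense.exe", "sophoshealth.exe", "sophosfs.exe",
    "csfalconservice.exe", "sentinelagent.exe",
}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def norm(path):
    """Lower-case a Windows path and strip quotes and the NT '\\??\\' prefix that
    service ImagePath values often carry, so one file compares equal across events."""
    p = path.strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def basename(path):
    return PureWindowsPath(path).name.lower()


def in_temp(path):
    return any(marker in path for marker in TEMP_MARKERS)


def find_byovd_chains(events, window=timedelta(minutes=10), min_kills=3):
    """One finding per .sys dropped into a temp folder that is then installed as a
    kernel-mode service and/or loaded on the same host within `window`. Sysmon's
    ProcessTerminate event does not say *who* killed a process, so the kill stage
    is inferred from a burst of security-process terminations in that window."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    drops = [e for e in events
             if e["source"] == "sysmon" and e["event_id"] == 11
             and norm(e["TargetFilename"]).endswith(".sys")
             and in_temp(norm(e["TargetFilename"]))]
    for drop in drops:
        host, path, t0 = drop["host"], norm(drop["TargetFilename"]), drop["time"]
        later = [e for e in events if e["host"] == host and t0 <= e["time"] <= t0 + window]
        services = [e for e in later
                    if e["source"] == "system" and e["event_id"] == 7045
                    and norm(e["ImagePath"]) == path
                    and "kernel" in e.get("ServiceType", "").lower()]
        loads = [e for e in later
                 if e["source"] == "sysmon" and e["event_id"] == 6
                 and norm(e["ImageLoaded"]) == path]
        kills = [e for e in later
                 if e["source"] == "sysmon" and e["event_id"] == 5
                 and basename(e["Image"]) in SECURITY_PROCESSES]
        if not services and not loads:
            continue  # a .sys in temp on its own is too noisy: installers do this
        stages = ["driver_dropped_in_temp"]
        if services:
            stages.append("kernel_service_installed")
        if loads:
            stages.append("driver_loaded")
        if len(kills) >= min_kills:
            stages.append("security_processes_killed")
        findings.append({
            "host": host, "dropper": drop.get("Image"), "driver": path,
            "service": services[0]["ServiceName"] if services else None,
            "kills": sorted({basename(k["Image"]) for k in kills}),
            "stages": stages,
            "severity": "critical" if "security_processes_killed" in stages else "high",
        })
    return findings


# Constructed sample telemetry: WS01 shows the full chain; on WS02 an installer
# legitimately drops and registers a driver, which should rank lower.
T = datetime(2024, 5, 14, 9, 0, 0)
LOADER = r"C:\Users\j.doe\Downloads\Loader.exe"  # assumed path
SAMPLE_EVENTS = [
    {"time": T + timedelta(seconds=2), "host": "WS01", "source": "sysmon", "event_id": 11,
     "Image": LOADER, "TargetFilename": r"C:\Users\j.doe\AppData\Local\Temp\abcd.sys"},
    {"time": T + timedelta(seconds=3), "host": "WS01", "source": "system", "event_id": 7045,
     "ServiceName": "abcd", "ServiceType": "kernel mode driver",
     "ImagePath": r"\??\C:\Users\j.doe\AppData\Local\Temp\abcd.sys"},
    {"time": T + timedelta(seconds=4), "host": "WS01", "source": "sysmon", "event_id": 6,
     "ImageLoaded": r"C:\Users\j.doe\AppData\Local\Temp\abcd.sys", "Signed": "true"},
    {"time": T + timedelta(seconds=5), "host": "WS01", "source": "sysmon", "event_id": 5,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2405.7-0\MsMpEng.exe"},
    {"time": T + timedelta(seconds=5), "host": "WS01", "source": "sysmon", "event_id": 5,
     "Image": r"C:\Program Files\Sophos\Health\SophosHealth.exe"},
    {"time": T + timedelta(seconds=6), "host": "WS01", "source": "sysmon", "event_id": 5,
     "Image": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    {"time": T + timedelta(seconds=7), "host": "WS01", "source": "sysmon", "event_id": 5,
     "Image": r"C:\Windows\System32\notepad.exe"},  # unrelated termination, ignored
    {"time": T + timedelta(minutes=3), "host": "WS02", "source": "sysmon", "event_id": 11,
     "Image": r"C:\Windows\System32\msiexec.exe", "TargetFilename": r"C:\Windows\Temp\vendornic.sys"},
    {"time": T + timedelta(minutes=3, seconds=1), "host": "WS02", "source": "system", "event_id": 7045,
     "ServiceName": "vendornic", "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\Windows\Temp\vendornic.sys"},
]

if __name__ == "__main__":
    for finding in find_byovd_chains(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints two findings: WS01 at "critical" with all four stages and three security processes killed, and WS02 at "high" because a driver was registered from a temp folder but nothing was terminated. In production the same logic would read from a SIEM rather than an in-memory list, and the `min_kills` threshold and the process list are the knobs to tune against the environment's own noise.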

Sophos researchers also suspect that EDRKillShifter may be part of a larger darknet market where loaders and obfuscators are sold to malicious actors.

Mitigation and defense strategies

Sophos detects EDRKillShifter as Troj/KillAV-KG and says it has added behavior-based protection rules to block the system calls associated with this malware.

Sophos X-Ops recommends companies and individuals:

  • Activate tamper protection on endpoint security products. This prevents the agent's services and settings from being stopped or changed without authorization and so adds a layer of defense against these attacks.
  • Maintain strict Windows security hygiene, including restricting administrative privileges. Loading a driver requires those rights, so an attacker who never obtains them cannot use a BYOVD tool at all.
  • Keep systems up to date. Microsoft maintains a blocklist of signed drivers known to be vulnerable, enforced when hypervisor-protected code integrity or the vulnerable driver blocklist setting is on, so a current system refuses to load the drivers these tools rely on.

As malicious actors develop increasingly sophisticated and complex tools, organizations must remain vigilant and implement robust cybersecurity measures to protect against these evolving threats.


Dilki Rathnayake

Dilki Rathnayake is a cybersecurity content writer and Editor-in-Chief at Information Security Buzz. She holds a BSc in Cybersecurity and Digital Forensics. She is experienced in computer network security and Linux system administration. Dilki has also led awareness programs and volunteered with communities that promote online security best practices.