Cybercriminals have been spotted deploying a new strain of malware that completely removes any antivirus programs victims have installed on their endpoints and then infects them with ransomware.
Researchers at Sophos reported that they have found a new utility designed to kill EDRs (Endpoint Detection and Response). They named the utility EDRKillShifter.
The tool was used by a ransomware group called RansomHub, but Sophos claims, “with moderate certainty,” that it is being used by multiple attackers. This could mean it was developed by a third party and is possibly being offered for sale (or rent) on the dark web.
EDRKillShifter
In the case analyzed by Sophos, the group attempted to use EDRKillShifter to terminate Sophos protection on the target computer, but the tool failed. As a result, the encryptor also failed, and the entire attempt was aborted.
In his analysis of EDRKillShifterSophos describes it as a loader that drops a legitimate, but vulnerable driver. Again, this isn’t exactly a new practice, as “Bring Your Own Vulnerable Driver” attacks have been around for years. In these attacks, the crooks would drop an older version of a driver on the target machine, which the operating system accepts.
They then exploit the holes in the driver to spread malware.
EDRKillShifter was said to deliver different driver payloads depending on the threat actor’s requirements.
To defend against this threat, Sophos advises users to ensure that their endpoint security products implement and enable tamper protection. Additionally, organizations should implement “strong hygiene” for Windows security roles, as the attack is only possible if the attacker elevates privileges that they control, or if they can gain administrative rights. Finally, organizations should keep their systems up to date, as Microsoft has recently begun decertifying old signed drivers.