
Cybercrime group disables EDR software to launch RansomHub ransomware

A new utility built to terminate endpoint detection and response (EDR) tools was observed being deployed by an as-yet-unidentified criminal group in an attempted RansomHub ransomware attack on an organization.

This news caused concern among security pros because RansomHub was used in many prominent attacks, most notably Change Healthcare, Frontier Communications, and Christie’s auction house.

In an Aug. 14 blog post, Sophos researchers said the attackers attempted to use the EDR-killing tool, which the researchers dubbed "EDRKillShifter," to terminate Sophos protection on a targeted computer, but failed.

The researchers said they discovered EDRKillShifter in a post-mortem analysis. They also pointed out that since 2022 they have seen an increase in the sophistication of malware designed to disable EDR systems. Sophos said it previously published research on AuKill, an EDR-killer tool its team discovered last year that was being sold on criminal marketplaces.

Craig Jones, vice president of security operations at Ontinue, said from what he can gather, the cybercriminal group behind this operation remains unidentified, but its use of RansomHub suggests they're experienced and determined. Jones added that the fact that they're employing this new tool and designed it specifically to disable EDR software is a clear indicator of their sophistication.

Jones explained that EDRKillShifter fits into a broader category of tools known as Bring Your Own Vulnerable Driver (BYOVD). In BYOVD, an attacker leverages a legitimately signed, but vulnerable driver to undermine security mechanisms.

Jones said essentially they tried to take advantage of a flaw in an existing driver, one that was already trusted by the system, to shut down the EDR software without raising red flags. In 2022, the Lazarus Group exploited a flaw in a Dell driver in a similar fashion, highlighting the effectiveness and danger of this technique.

“The danger here is significant,” said Jones. “Once EDR is out of the picture, these attackers can operate on compromised systems with much less risk of being detected, giving them a wider window to deploy ransomware or other malicious payloads.”

Evan Dornbush, a former NSA cybersecurity expert, explained that many EDR tools operate from a special context within the operating system that gives them near total observability into processes using file or network resources accessible to the system. As a result, Dornbush said programs operating from a lesser context cannot typically interfere with these EDR products. However, drivers often operate with permissions that would make it feasible to interfere with EDR products.

“So one technique an adversary can take is to exploit a driver and then assume those permissions, making direct access to the EDR achievable,” said Dornbush. “From a tactical level, an adversary operating from a lower context can install a known-vulnerable driver to the Windows operating system and then exploit it to assume greater access on par with the EDR.”

John Bambenek, president at Bambenek Consulting, pointed out that because the tool was sold on the dark web, presumably other groups can purchase it as well.

“Threat actors trying to kill EDR agents on systems before going further in their chain of attacks is not news,” said Bambenek. “However, security teams should keep tight controls on drivers being installed to avoid this tool."
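The driver controls Bambenek recommends need a detection to back them up. The following Python script is an added example (not from the article, Sophos, or any of the quoted speakers) showing how a SOC could flag BYOVD-style driver loads from Sysmon-style driver-load events (Sysmon Event ID 6 carries the ImageLoaded, Hashes, Signed, Signature and SignatureStatus fields used here). The event lines, the file name vulndrv.sys, the signer "Example Hardware Vendor" and the blocklist hashes are all constructed placeholders, not hashes or names of real drivers; a real deployment would populate the blocklist from Microsoft's vulnerable driver block rules or a similar feed.

```python
"""Flag Bring-Your-Own-Vulnerable-Driver (BYOVD) loads from Sysmon-style events.

Added example for illustration only; not the article's or Sophos' code.
Event layout mimics Sysmon Event ID 6 (DriverLoad) rendered as key=value fields
separated by '|'. All sample events and blocklist hashes are constructed placeholders.
"""
import re
from dataclasses import dataclass

# Hypothetical placeholder hashes. Replace with a real vulnerable-driver blocklist
# (e.g. Microsoft's recommended driver block rules) in production.
VULNERABLE_DRIVER_SHA256 = {
    "A" * 64: "hypothetical-vuln-driver-1",
    "B" * 64: "hypothetical-vuln-driver-2",
}

# Legitimate kernel drivers live under %SystemRoot%. A .sys loaded from a
# user-writable location is suspicious even if its signature is valid.
USER_WRITABLE_PATH = re.compile(
    r"^(C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\|C:\\Temp\\)", re.IGNORECASE
)


@dataclass
class DriverLoad:
    time: str
    image: str
    sha256: str
    signed: bool
    signature: str
    signature_status: str


def parse_event(line: str) -> DriverLoad:
    """Parse one 'key=value|key=value' driver-load record into a DriverLoad."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    # Sysmon packs several hashes into one field: "SHA256=...,MD5=..."
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        time=fields["UtcTime"],
        image=fields["ImageLoaded"],
        sha256=hashes.get("SHA256", "").upper(),
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


def assess(ev: DriverLoad) -> list:
    """Return the list of reasons this driver load is suspicious (empty if benign)."""
    reasons = []
    # The BYOVD case: the driver is validly signed, so only the hash gives it away.
    if ev.sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append(f"known vulnerable driver ({VULNERABLE_DRIVER_SHA256[ev.sha256]})")
    if not ev.signed or ev.signature_status.lower() != "valid":
        reasons.append("unsigned or invalid signature")
    if USER_WRITABLE_PATH.match(ev.image):
        reasons.append("loaded from user-writable path")
    return reasons


def detect(lines: list) -> list:
    """Run assess() over raw event lines; return (time, image, reasons) per alert."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            alerts.append((ev.time, ev.image, reasons))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: Microsoft-signed driver from System32, hash not on the blocklist.
    "UtcTime=2024-08-14 10:00:01.000|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys"
    "|Hashes=SHA256=" + "C" * 64 + "|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    # BYOVD: validly signed third-party driver dropped into a user-writable folder,
    # hash on the blocklist. Signature checks alone would pass it.
    "UtcTime=2024-08-14 10:02:17.000|ImageLoaded=C:\\Users\\Public\\vulndrv.sys"
    "|Hashes=SHA256=" + "A" * 64 + "|Signed=true|Signature=Example Hardware Vendor|SignatureStatus=Valid",
    # Unsigned driver loaded from System32 (test-signing or tampering).
    "UtcTime=2024-08-14 10:05:42.000|ImageLoaded=C:\\Windows\\System32\\drivers\\oddity.sys"
    "|Hashes=SHA256=" + "D" * 64 + "|Signed=false|Signature=|SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for time, image, reasons in detect(SAMPLE_EVENTS):
        print(f"{time} {image}: {'; '.join(reasons)}")
```

The second sample event is the one that matters for this article: a BYOVD driver carries a legitimate signature, so the signature check passes and only the hash blocklist (and, here, the unusual load path) catches it. That is why blocking by hash or certificate, not merely requiring a valid signature, is the control Bambenek's advice points at.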
