Cybercrime group disables EDR software to launch RansomHub ransomware

A New EDR-Killing Tool Discovered in Ransomware Attack

A new utility designed to terminate endpoint detection and response (EDR) tools was observed being deployed by an undetermined criminal group in an attempt to attack an organization with RansomHub ransomware.

This news caused concern among security professionals because RansomHub was used in many prominent attacks, most notably Change Healthcare, Frontier Communications, and Christie’s auction house.

Sophos Researchers Discover EDRKillShifter

In an Aug. 14 blog post, Sophos researchers said the EDR-killing tool they dubbed “EDRKillShifter,” attempted to use the utility to terminate Sophos protection on a targeted computer, but failed.

The researchers said they discovered EDERKillShifter in a post-mortem analysis. They also pointed out that since 2022, they have seen an increase in the sophistication of malware designed to disable EDR systems. Sophos said it previously published research on AuKill, an EDR-killer tool their team discovered last year that was being sold on criminal marketplaces.

Sophistication of the Criminal Group

Craig Jones, vice president of security operations at Ontinue, said from what he can gather, the cybercriminal group behind this operation remains unidentified, but its use of RansomHub suggests they’re experienced and determined. Jones added that the fact that they’re employing this new tool and designed it specifically to disable EDR software is a clear indicator of their sophistication.

Jones explained that EDRKillShifter fits into a broader category of tools known as Bring Your Own Vulnerable Driver (BYOVD). In BYOVD, an attacker leverages a legitimately signed, but vulnerable driver to undermine security mechanisms.

Jones said essentially they tried to take advantage of a flaw in an existing driver, one that was already trusted by the system, to shut down the EDR software without raising red flags. In 2022, the Lazarus Group exploited a flaw in a Dell driver in a similar fashion, highlighting the effectiveness and danger of this technique.

The Danger of EDR Disabling

“The danger here is significant,” said Jones. “Once EDR is out of the picture, these attackers can operate on compromised systems with much less risk of being detected, giving them a wider window to deploy ransomware or other malicious payloads.”

Evan Dornbush, a former NSA cybersecurity expert, explained that many EDR tools operate from a special context within the operating system that gives them near total observability into processes using file or network resources accessible to the system. As a result, Dornbush said programs operating from a lesser context cannot typically interfere with these EDR products. However, drivers often operate with permissions that would make it feasible to interfere with EDR products.

“So one technique an adversary can take is to exploit a driver and then assume those permissions, making direct access to the EDR achievable,” said Dornbush. “From a tactical level, an adversary operating from a lower context can install a known-vulnerable driver to the Windows operating system and then exploit it to assume greater access on par with the EDR.”

Importance of Tight Controls on Drivers

John Bambenek, president at Bambenek Consulting, pointed out that because the tool was sold on the dark web, presumably other groups can purchase it as well.

“Threat actors trying to kill EDR agents on systems before going further in their chain of attacks is not news,” said Bambenek. “However, security teams should keep tight controls on drivers being installed to avoid this tool.”

SDGs, Targets, and Indicators

Source: scmagazine.com