RansomHub uses the EDRKillShifter malware to disable EDR

August 19, 2024
Tags: EDRKillShifter, Malware, EDR, Endpoint Detection and Response, Cyberattack

The RansomHub ransomware operators are now using the new EDRKillShifter malware to disable Endpoint Detection and Response (EDR) protection products in a new Bring Your Own Vulnerable Driver (BYOVD) campaign.

Researchers discovered this malware last May and explained that it uses a legitimate but vulnerable driver on targeted machines to escalate its privileges, disable security measures, and take over the targeted systems.

Various threat actors, including financially motivated ransomware gangs and state-sponsored hacking groups, have widely used this tactic. In the incident the researchers analysed, the attackers also attempted to launch the ransomware executable on the system they controlled, but that attempt failed when the endpoint agent's protection function was triggered.

Researchers also uncovered two samples while investigating, with proof-of-concept exploits available. They revealed that the first one uses a vulnerable driver known as RentDrv2, and the other exploits ThreatFireMonitor, a deprecated system monitoring package component.

EDRKillShifter could deliver different payloads depending on the operators’ liking.

The EDRKillShifter could deliver various driver payloads depending on the attacker’s requirements, and the malware’s language property indicates that it was written on a computer with Russian localisation.

Additionally, the investigation revealed that the loader executes in three steps. In the first step, the attackers launch the EDRKillShifter binary with a password string, which is used to decrypt and execute an embedded resource named BIN in memory. That code then unpacks and executes the final payload, which drops and exploits a vulnerable legitimate driver to escalate privileges and disable running EDR processes and services.

After the malware establishes a new service for the driver, initiates it, and runs it, it enters an infinite loop that identifies the running processes and terminates them if their names appear in a hardcoded list of targets.
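As an added defender-side illustration (not code from the article or from the researchers), the following Python sketch flags the sequence just described in constructed Sysmon-style log lines: a kernel-driver service is installed, the driver loads, and a burst of security-product processes is terminated shortly afterwards. The protected process names, file paths and service name are assumptions; note that the driver's valid signature is not a useful signal, since these drivers are legitimately signed.

```python
from datetime import datetime, timedelta

# Constructed, hypothetical names of security processes a defender wants to protect.
PROTECTED = {"edr_agent.exe", "edr_scanner.exe", "av_service.exe"}
WINDOW = timedelta(seconds=120)   # how soon after a driver load the kills must occur
MIN_KILLS = 2                     # minimum protected-process terminations to alert on

# Constructed sample log: "<timestamp> <event id> <kind> key=value ...".
# 7045 = service installed, 6 = driver loaded, 5 = process terminated.
SAMPLE_LOG = """\
2024-08-19T10:00:01 7045 ServiceInstall name=RentDrvSvc type=kernel image=C:\\Temp\\rentdrv2.sys
2024-08-19T10:00:03 6 DriverLoad image=C:\\Temp\\rentdrv2.sys signed=true
2024-08-19T10:00:05 5 ProcessTerminate image=C:\\EDR\\edr_agent.exe
2024-08-19T10:00:06 5 ProcessTerminate image=C:\\EDR\\edr_scanner.exe
2024-08-19T10:00:06 5 ProcessTerminate image=C:\\AV\\av_service.exe
2024-08-19T10:30:00 5 ProcessTerminate image=C:\\Windows\\notepad.exe
"""

def parse_line(line):
    """Turn one log line into a dict with a parsed timestamp and key=value fields."""
    ts, event_id, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "id": int(event_id), "kind": kind}
    rec.update(f.split("=", 1) for f in fields)
    return rec

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(log_text):
    """Return one alert per driver load that is followed, within WINDOW, by
    MIN_KILLS or more terminations of protected processes. A 'signed=true'
    field is deliberately ignored: BYOVD drivers carry valid signatures."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    # Kernel-driver service installs, keyed by driver image, to enrich the alert.
    services = {e["image"].lower(): e for e in events
                if e["id"] == 7045 and e.get("type") == "kernel"}
    alerts = []
    for drv in (e for e in events if e["id"] == 6):
        killed = [basename(e["image"]) for e in events
                  if e["id"] == 5
                  and drv["ts"] <= e["ts"] <= drv["ts"] + WINDOW
                  and basename(e["image"]) in PROTECTED]
        if len(killed) >= MIN_KILLS:
            svc = services.get(drv["image"].lower())
            alerts.append({"driver": drv["image"],
                           "new_service": svc["name"] if svc else None,
                           "terminated": killed})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log this yields a single alert tying the rentdrv2.sys load and its freshly installed service to the three protected-process terminations, while the unrelated notepad.exe exit is ignored.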

The researchers also noted that both variants use genuine drivers and proof-of-concept exploits that are publicly accessible on GitHub. They therefore suspect that the threat actors copied and modified elements of these PoCs before porting the code to Go.

Experts suggest that users enable tamper protection in endpoint security products and separate user and admin privileges, so that attackers cannot load vulnerable drivers. Users should also keep their systems updated, since Microsoft continues to de-certify signed drivers that were misused in previous attacks.
