A new endpoint detection and response (EDR) killer is considered to be the development of ‘Edrkillshifter’ developed by Ransomhub, seen in attacks by eight separate ransomware gangs.
Such tools help ransomware operators to close security products on the system violated so that they can deploy payload, increase privileges, attempt lateral movement, and eventually encry the equipment on the network.
According to Sophos Safety Researchers, the new tool, which was not given a specific name, is used by Ransomheb, BlackSit, Medusa, Kilin, Dragonforce, Christox, Links and Ink.
The new EDR killer tool uses a heavy unpleasant binary that is self-dikoded in runtime and is injected into legitimate applications.
The device searches for the driver digitally signed (stolen or finished certificate) with a random five-caste name, which is hardcoded in executable.
Source: Sophos
If found, the malicious driver is loaded into the kernel, as is required to obtain the ‘your own weak driver’ (byvd) attack and the necessary kernel privileges required to close security products.
The driver mascred as a valid file such as the crudestrich Falcon sensor driver, but once active, it kills AV/EDR-related procedures and prevents services associated with safety equipment.
Targeted vendors include sofos, microsoft defender, Kasperki, Cementc, Trend Micro, Sentinelone, Kilence, McAfi, F-Sixel, Hitmanpro and Webrot.
Although the variants of the new EDR killer tool differ in the drivers names, targets AVS, and form the characteristics, they all use heartcript for packing, and evidence suggests that there is also to share knowledge and equipment among groups of danger.
Sophos especially notes that it is unlikely that the device was leaked and was then reused by other danger actors, but has been developed through a shared and collaborative structure.
“To be clear, it is not that a single binary leak of the EDR killer was leaked and it was shared between the actors of danger. Instead, each attack used a separate construction of the ownership equipment,” Explained to sophos,
This strategy to share equipment, especially in the concerns of EDR assassins, is common in ransomware space.
In addition to Edrkillshifter, Sofos also discovered another tool called Aukill, which was used by Medusa locker and lockbit in attacks.
Sentinelon also stated about Fin7 hackers last year that many ranges and sales sell their customs to many ranges and locks, including Blackbasta, Avosalcker, Blackcat, Trigona and Lockbit.
This new EDR killer is full indicators of the agreement related to the tool This github is available on repository,
Malware targeting password stores increased 3x as the attackers secretly carried out the perfect history landscape, infiltrated and exploited important systems.
Search for the top 10 Metter Att & CK techniques behind the 93% attacks and how to defend them.
