Cybercriminals have been observed using new malware designed to disable the endpoint security software installed on a victim's device so that it can then be infected with ransomware.
Sophos researchers have reported finding a new utility tool designed to remove EDR (Endpoint Detection and Response), which they have named EDRKillShifter.
The tool was used by a ransomware group known as RansomHub, but Sophos says, “with some confidence,” that it is being used by multiple attackers. This could mean that it was developed by a third party and possibly offered for sale (or rent) on the dark web.
EDRKillShifter in action
In the case analyzed by Sophos, the group attempted to use EDRKillShifter to terminate Sophos protection on the attacked computer, but the tool failed. As a result, the encryptor also failed and the attempt was abandoned.
In its analysis of EDRKillShifter, Sophos describes it as a loader that installs a legitimate but vulnerable driver. This is not a new practice either: "Bring Your Own Vulnerable Driver" (BYOVD) attacks have been around for years. In these attacks, criminals install an older, validly signed version of a driver on the target machine, which the operating system accepts, and then abuse the known vulnerabilities in that driver to run code in the kernel and disable security tools or deploy malware.
Depending on the threat actor's requirements, EDRKillShifter reportedly delivers a variety of different driver payloads.
To defend against this threat, Sophos suggests that users check whether their endpoint security products implement and enable tamper protection. Additionally, businesses should practice "strict hygiene" for Windows security roles, since the attack is only possible if the attacker can escalate privileges or otherwise obtain administrator rights. Lastly, businesses should keep their systems up to date, as Microsoft has recently started decertifying older signed drivers.
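The following PowerShell script is an added example, not code from Sophos or from the article, that audits a Windows host for the three defensive points above and for the BYOVD technique described earlier: whether Microsoft Defender's tamper protection is on, whether Microsoft's vulnerable driver blocklist is enabled, and which running kernel drivers come from publishers outside a configurable allow-list. The `Get-EdrKillerExposure` function name and the `$TrustedPublishers` allow-list are assumptions for this example; the cmdlets and registry value it reads (`Get-MpComputerStatus`, `Get-AuthenticodeSignature`, `Win32_SystemDriver`, `VulnerableDriverBlocklistEnable`) are standard Windows components. Run it in an elevated session.

```powershell
# Added example (not from Sophos or the article): defender-side audit of the
# mitigations discussed above. Hypothetical function name; tested on Windows 10/11.

function Get-EdrKillerExposure {
    [CmdletBinding()]
    param(
        # Assumed allow-list: driver publishers you do not want flagged. Extend it
        # with your own EDR vendor's signing subject.
        [string[]]$TrustedPublishers = @('Microsoft Windows', 'Microsoft Corporation')
    )

    $result = [ordered]@{}

    # 1. Tamper protection. Get-MpComputerStatus exposes IsTamperProtected for
    #    Microsoft Defender; third-party EDR products expose their own equivalent.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $result.DefenderTamperProtection = [bool]$mp.IsTamperProtected
    } catch {
        $result.DefenderTamperProtection = $null   # Defender cmdlets not available here
    }

    # 2. Microsoft's vulnerable driver blocklist (the mechanism Microsoft uses to
    #    stop known-bad signed drivers from loading). DWORD 1 = enabled.
    $ciPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $ci = Get-ItemProperty -Path $ciPath -ErrorAction SilentlyContinue
    $result.VulnerableDriverBlocklist = ($ci.VulnerableDriverBlocklistEnable -eq 1)

    # 3. Running kernel drivers signed by someone outside the allow-list, with
    #    their Authenticode signer, so an unexpected third-party driver stands out.
    $drivers = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    $result.ThirdPartyDrivers = @(foreach ($d in $drivers) {
        # Normalise the NT-style path prefixes WMI sometimes returns.
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -FilePath $path
        $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        if ($TrustedPublishers | Where-Object { $publisher -like "*$_*" }) { continue }

        [pscustomobject]@{
            Name      = $d.Name
            Path      = $path
            SigStatus = $sig.Status      # Valid / NotSigned / HashMismatch ...
            Publisher = $publisher
        }
    })

    [pscustomobject]$result
}

$report = Get-EdrKillerExposure

if ($report.DefenderTamperProtection -eq $false) {
    Write-Warning 'Defender tamper protection is OFF: an EDR killer can stop the product.'
}
if (-not $report.VulnerableDriverBlocklist) {
    Write-Warning 'Vulnerable driver blocklist is not enabled: known BYOVD drivers may load.'
}
if ($report.ThirdPartyDrivers.Count -gt 0) {
    Write-Host "Running drivers from non-allow-listed publishers (review each one):"
    $report.ThirdPartyDrivers | Format-Table Name, Publisher, SigStatus, Path -AutoSize
}
```

The driver listing is deliberately noisy rather than judgemental: a legitimately installed third-party driver is expected on most hosts, so the value is in comparing the output against a known-good baseline and alerting on drivers that appear unexpectedly, especially ones whose signer is a vendor the machine has no business relationship with. Since the loaded driver in a BYOVD attack is validly signed, `SigStatus` alone will usually read `Valid`; the publisher and the baseline diff are what carry the signal.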