New Malware Developed | Neuways | Cyber Threats – Technologist
The RansomHub ransomware group has introduced a new malware developed and designed to disable Endpoint Detection and Response (EDR) security software through Bring Your Own Vulnerable Driver (BYOVD) attacks.
Identified as “EDRKillShifter” by security researchers during a ransomware investigation in May 2024, this malware leverages a legitimate but vulnerable driver on targeted devices to escalate privileges, turn off security solutions, and seize control of the system.
This tactic is popular among a range of threat actors—including financially motivated ransomware groups and state-sponsored hackers—and poses a significant threat to enterprise security.
What happened in the Cyber Attack?
During the May incident, the attackers attempted to use EDRKillShifter to turn off Sophos protection on a compromised machine. The tool failed, and Sophos threat researcher Andreas Klopsch noted that the attackers then tried to execute the ransomware payload, which was also blocked by the endpoint agent’s CryptoGuard feature.
Sophos’ investigation revealed two distinct samples of the malware, both exploiting known vulnerabilities in drivers. One sample targeted a driver known as RentDrv2, while the other exploited ThreatFireMonitor, an outdated system-monitoring tool component. These exploits were based on proof-of-concept code available on GitHub.
EDRKillShifter can deploy various driver payloads depending on the attackers’ objectives. Analysis suggests the malware was compiled on a system with Russian localisation, which may indicate its developers’ origin.
How did the cyber criminals execute the cyber attack?
The execution of EDRKillShifter involves a three-step process:
- The attacker launches the EDRKillShifter binary with a password to decrypt and execute an embedded resource named BIN in memory.
- This code then unpacks and executes the final payload, which deploys and exploits a vulnerable driver.
- The driver is used to escalate privileges and turn off active EDR processes and services.
Once the malware creates and starts a new service for the driver, it enters a continuous loop, enumerating running processes and terminating any that match a hardcoded list of targets.
Klopsch also highlighted that both variants of EDRKillShifter exploit legitimate, though vulnerable, drivers using modified proof-of-concept exploits that were originally published on GitHub and then ported to the Go programming language.
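The sequence described above (a new kernel-driver service installed, then security processes terminated in quick succession) is something a defender can look for in endpoint telemetry. The following is an added example written for this article, not code from Sophos or from the malware analysis: it correlates a kernel-mode driver service installation (Windows System event 7045) with process-exit events (Security event 4689) for protected security processes inside a short window. The log lines, the simplified key=value format and the process names are constructed placeholders, not real Windows output or real EDR process names.

```python
"""Flag the BYOVD 'EDR killer' pattern: a kernel-mode driver service is
installed, and shortly afterwards protected security processes exit."""
import re
from datetime import datetime, timedelta

# Constructed, simplified event lines (not real Windows event log output).
SAMPLE_EVENTS = """\
2024-05-14T10:02:11Z EventID=7045 ServiceName=tmpdrv ServiceType=kernel_mode_driver ImagePath=C:\\Users\\Public\\tmpdrv.sys
2024-05-14T10:02:14Z EventID=4689 ProcessName=edr_agent.exe
2024-05-14T10:02:15Z EventID=4689 ProcessName=edr_scanner.exe
2024-05-14T11:30:00Z EventID=7045 ServiceName=vendorsvc ServiceType=kernel_mode_driver ImagePath=C:\\Windows\\System32\\drivers\\vendor.sys
2024-05-14T11:45:00Z EventID=4689 ProcessName=notepad.exe
2024-05-14T12:10:00Z EventID=4689 ProcessName=edr_agent.exe
"""

# Placeholder names standing in for the EDR processes a killer would target.
PROTECTED_PROCESSES = {"edr_agent.exe", "edr_scanner.exe"}
# How soon after the driver install a process exit still counts as related.
WINDOW = timedelta(seconds=60)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime ts."""
    m = LINE_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_byovd_kills(log_text):
    """Return (service name, driver path, [killed protected processes]) for
    every kernel-driver service install followed within WINDOW by the exit
    of at least one protected process. Events are assumed time-ordered."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != "7045" or ev.get("ServiceType") != "kernel_mode_driver":
            continue
        killed = [e["ProcessName"] for e in events[i + 1:]
                  if e.get("EventID") == "4689"
                  and e["ts"] - ev["ts"] <= WINDOW
                  and e.get("ProcessName") in PROTECTED_PROCESSES]
        if killed:
            alerts.append((ev["ServiceName"], ev["ImagePath"], killed))
    return alerts


if __name__ == "__main__":
    for name, path, killed in find_byovd_kills(SAMPLE_EVENTS):
        print(f"ALERT: driver service {name} ({path}) followed by exit of {killed}")
```

The driver path is reported rather than used as a filter, because a vulnerable signed driver can be dropped into a trusted directory just as easily; the timing correlation, not the location, is the signal.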
Recommendations on protecting your organisation from this type of Cyber Attack
Several mitigation strategies are recommended to protect against such attacks. Your cyber security provider can implement them for you, and will often do so as a matter of course:
- Enable tamper protection in endpoint security products.
- Maintain a strict separation between user and administrative privileges to prevent attackers from loading vulnerable drivers.
- Keep systems updated, as Microsoft regularly de-certifies signed drivers known to have been misused in previous attacks.
This is not the first time EDR-killing malware has been detected. Last year, Sophos identified “AuKill,” a similar tool that exploited a vulnerable Process Explorer driver in ransomware attacks associated with Medusa Locker and LockBit. AuKill shares similarities with an open-source tool called Backstab, which has also been linked to LockBit operations.