Cybersecurity Threat Advisory

A cybercrime group associated with the RansomHub ransomware has been observed using a newly developed tool named “EDRKillShifter” to disable endpoint detection and response (EDR) software on compromised systems. This tool is the latest in a growing list of EDR-killing utilities used by threat actors to facilitate their malicious activities. Review this Cybersecurity Threat Advisory to learn more about the threat and the steps you can take to defend against driver abuse.

What is the threat?

EDRKillShifter is a sophisticated piece of malware designed to disable EDR systems. Once the EDR is disabled, threat actors can carry out malicious activities such as deploying ransomware undetected. The threat operates using a method known as “Bring Your Own Vulnerable Driver” (BYOVD), where attackers abuse legitimate drivers with known vulnerabilities to escalate privileges and disable security protections.

The attack begins when attackers launch the tool on a compromised system with a specific password supplied on the command line. This password decrypts an embedded resource known as BIN, which then executes in memory. The decrypted BIN resource unpacks and loads a final payload written in the Go programming language. This payload is specifically designed to exploit a vulnerable driver that is included within the malware itself. The driver is used to gain elevated privileges on the system, which allows the malware to disable or bypass EDR processes.

Once the driver is loaded, EDRKillShifter uses self-modifying code to obfuscate its instructions during runtime, making it difficult to analyze or detect. The malware then enters an endless loop, continuously scanning for and terminating processes associated with EDR software based on a hardcoded list of targets. The combination of BYOVD techniques and self-modifying code makes EDRKillShifter a highly effective tool for evading detection and disabling security measures.
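As an added defender-side example (not part of this advisory), the following Python flags the two behaviours described above over constructed Sysmon-style records: a kernel driver load whose signature is not valid or whose hash is on a blocklist (Sysmon Event ID 6), followed by a burst of security-process terminations (Sysmon Event ID 5). The blocklist hash, the process names other than MsMpEng.exe, and the timings are assumptions.

```python
# Added detection example (not from the advisory): flag the two behaviours it
# describes, a suspicious kernel driver load followed by a burst of EDR process
# terminations, over constructed Sysmon-style event records.
from datetime import datetime, timedelta

BLOCKED_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}  # placeholder, not a real IoC
# Watched security processes: MsMpEng is Defender's engine, the rest are assumed placeholder names.
EDR_PROCESSES = {"msmpeng.exe", "edr_agent.exe", "edr_sensor.exe"}
KILL_BURST, KILL_WINDOW = 3, timedelta(seconds=30)  # >=3 watched kills in 30s is a burst

def suspicious_driver_loads(events):
    """Sysmon Event ID 6 (DriverLoad): images not validly signed or on the blocklist."""
    hits = []
    for ev in events:
        if ev["EventID"] != 6:
            continue
        if ev.get("SignatureStatus") != "Valid" or ev.get("SHA256", "").upper() in BLOCKED_DRIVER_SHA256:
            hits.append(ev["ImageLoaded"])
    return hits

def edr_kill_bursts(events):
    """Sysmon Event ID 5 (ProcessTerminate): (start, count) of each non-overlapping
    window in which KILL_BURST or more watched processes were terminated."""
    kills = sorted(ev["UtcTime"] for ev in events if ev["EventID"] == 5
                   and ev["Image"].rsplit("\\", 1)[-1].lower() in EDR_PROCESSES)
    bursts, i = [], 0
    while i < len(kills):
        j = i
        while j < len(kills) and kills[j] - kills[i] <= KILL_WINDOW:
            j += 1
        if j - i >= KILL_BURST:
            bursts.append((kills[i], j - i))
            i = j  # skip past the burst so it is reported once
        else:
            i += 1
    return bursts

T = datetime(2024, 8, 15, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"EventID": 6, "UtcTime": T, "ImageLoaded": r"C:\Windows\System32\drivers\ok.sys",
     "SignatureStatus": "Valid", "SHA256": "AA" * 32},
    {"EventID": 6, "UtcTime": T + timedelta(seconds=5), "ImageLoaded": r"C:\Users\Public\dropped.sys",
     "SignatureStatus": "Valid", "SHA256": "PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"},
    {"EventID": 5, "UtcTime": T + timedelta(seconds=7), "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": T + timedelta(seconds=8), "Image": r"C:\Windows\notepad.exe"},
    {"EventID": 5, "UtcTime": T + timedelta(seconds=9), "Image": r"C:\Program Files\EDR\edr_agent.exe"},
    {"EventID": 5, "UtcTime": T + timedelta(seconds=12), "Image": r"C:\Program Files\EDR\edr_sensor.exe"},
]
```

Note that the blocklisted driver here carries a valid signature, which is exactly why hash or publisher blocklists (not signature checks alone) are needed against BYOVD.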

Why is it noteworthy?

The introduction of EDRKillShifter highlights the ongoing evolution and sophistication of ransomware groups. By disabling EDR systems, attackers can significantly increase the likelihood of a successful ransomware deployment, which can have devastating consequences for targeted organizations. Moreover, the tool’s use of legitimate drivers to bypass security measures exemplifies the growing trend of attackers leveraging existing software vulnerabilities, making it harder for security teams to defend against such threats.

What is the exposure or risk?

Organizations that rely on EDR solutions face significant risk if attackers use this tool against them. Once the EDR is disabled, attackers can operate with little to no detection. This can lead to potentially catastrophic outcomes such as data encryption, theft, and extortion. The tool’s ability to abuse a variety of drivers increases the risk, making a broad range of systems vulnerable to attack.

What are the recommendations?

Barracuda MSP strongly recommends that organizations take these additional steps to defend their machines against driver abuse:

  • Enable tamper protection features in all EDR solutions to prevent unauthorized modifications or disabling of security tools.
  • Limit administrative privileges across the organization to reduce the risk of attackers escalating their privileges through compromised accounts.
  • Update all software, including drivers, to patch known vulnerabilities that tools like EDRKillShifter could exploit.

How can Barracuda XDR assist?

Barracuda XDR offers a comprehensive Managed Endpoint Security Service that is well-equipped to counter threats like EDRKillShifter. By purchasing this service, organizations can benefit from robust endpoint protection that includes Anti-Tampering features by default. This critical feature ensures that even advanced threats struggle to disable security defenses without detection.

Furthermore, Barracuda XDR can trigger alerts if someone disables Anti-Tampering at the policy level. This adds an extra layer of security and addresses any attempts to undermine endpoint protection promptly. Additionally, our endpoint security experts rigorously test new releases of our EDR tools to prevent any interoperability issues before deployment. We ensure that our customers receive the most reliable and secure solutions available, keeping them protected at all times.

This proactive approach, combined with continuous monitoring and expert support, makes Barracuda XDR an invaluable partner in defending against sophisticated threats like those posed by EDRKillShifter.

Reference:

For more in-depth information about the recommendations, please visit the following link:

If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.

Posted by Vincent Yu

Vincent is a Cybersecurity Analyst at Barracuda. He's a security expert, working on our Blue Team within our Security Operations Center. Vincent supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.