When the threat actors behind the #RansomHub #ransomware want to attack a target, they go to some lengths to prevent EDR or endpoint protection software from ruining their day.

The latest blog from #Sophos #XOps investigates how they do that, using a tool we call #EDRKillShifter.

https://news.sophos.com/en-us/edr-kill-shifter/

Ransomware attackers introduce new EDR killer to their arsenal

Sophos discovers the threat actors behind RansomHub ransomware using EDRKillShifter in attacks

Sophos News
The #EDRKillShifter utility is a #malware loader designed to deploy one of several different exploitable, legitimate #BYOVD drivers and abuse them to kill a wide range of endpoint protection. We've observed it used in a few recent incidents, so we wanted to spotlight how it works. 2/

Threat actors deploy the tool, then execute it using a password as a command line argument to the program.

They went to extraordinary lengths to conceal the function of the tool, even building in polymorphic code that modifies the next subroutine as it runs, revealing the next instruction only after the prior line of code executes. 3/

As it executes, #EDRKillShifter loads an embedded, encrypted resource into memory. That code extracts the next layer of the tool: the abusable #BYOVD driver and a #Go binary.

It uses a SHA-256 hash of the initial password (used to execute the tool) as a decryption key for these second-layer payloads. 4/

The two drivers we've seen abused are known in the industry as #BYOVD payloads. One is a file called RentDrv2 (hosted on https://github.com/keowu/BadRentdrv2) and the other is named ThreatFireMonitor (also on GitHub, with a proof of concept at https://github.com/BlackSnufkin/BYOVD/tree/main/TfSysMon-Killer).

No matter which driver gets used, #EDRKillShifter writes it out to the %temp% directory using a random 10-digit filename. 5/
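A defender can turn the drop pattern described in the post (a driver written to %temp% under a purely numeric 10-digit name) into a simple hunting rule. The script below is an added example, not Sophos code or telemetry: the events are constructed, simplified Sysmon-style file-create records (event ID 11), and the handling of an optional file extension is an assumption, since the post only states that the name is 10 random digits.

```python
"""
Added example: flag files created in the user's %temp% directory whose
basename is exactly 10 decimal digits, the EDRKillShifter drop pattern
described in the Sophos post. Input is a constructed, simplified
Sysmon-style event list, not real telemetry.
"""
import re
from typing import Dict, List

# Constructed sample events. EventID 11 = file create in Sysmon terms.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 11, "Image": r"C:\Users\bob\Downloads\loader.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\4827361950.sys"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\wct1A2B.tmp"},
    {"EventID": 11, "Image": r"C:\Users\bob\Downloads\loader.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\1234567890"},
    {"EventID": 1, "Image": r"C:\Users\bob\Downloads\loader.exe",
     "TargetFilename": ""},
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\installer.exe",
     "TargetFilename": r"C:\Program Files\Vendor\driver.sys"},
    {"EventID": 11, "Image": r"C:\Users\bob\Downloads\loader.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\12345.sys"},
]

# Per-user %temp% on Windows lives under ...\AppData\Local\Temp\.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Exactly 10 decimal digits, with an optional short extension. The
# optional extension is an assumption; the post only says "10-digit".
RANDOM_NAME_RE = re.compile(r"^\d{10}(\.[A-Za-z0-9]{1,4})?$")


def is_suspicious_drop(event: Dict[str, object]) -> bool:
    """True if the event is a file create of a 10-digit-named file in %temp%."""
    if event.get("EventID") != 11:
        return False
    path = str(event.get("TargetFilename", ""))
    if not TEMP_DIR_RE.search(path):
        return False
    basename = path.rsplit("\\", 1)[-1]
    return RANDOM_NAME_RE.match(basename) is not None


def find_suspicious_drops(events: List[Dict[str, object]]) -> List[str]:
    """Return the target paths of every event matching the drop pattern."""
    return [str(e["TargetFilename"]) for e in events if is_suspicious_drop(e)]


if __name__ == "__main__":
    for hit in find_suspicious_drops(SAMPLE_EVENTS):
        print("suspicious %temp% drop:", hit)
```

On real telemetry this rule is a triage signal rather than a verdict: pair the hit with the writing process (the `Image` field) and a follow-on driver-load or service-creation event before escalating, and treat a numeric-named `.sys` file appearing right before endpoint protection processes terminate as high priority.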

GitHub - keowu/BadRentdrv2: A vulnerable driver exploited by me (BYOVD) that is capable of terminating several EDRs and antivirus software in the market, rendering them ineffective, working for both x32 and x64(CVE-2023-44976).
While the #EDRKillShifter tool failed to work on machines in the field protected by our software, we did manage to get it to successfully run in a lab environment by disabling the tamper protection for Sophos endpoint protection tools. Only with tamper protection disabled was this tool able to kill a process we protected. 6/

Selling loaders is a lucrative business on the Dark Web. Sophos X-Ops suspects that the loader might have been acquired on the dark net. We've seen a lot of tools with similar functionality advertised on the kinds of web forums criminals frequent. 7/

But at least, in this case, we suspect we know where in the world this tool came from. The creator took great pains to conceal the code, but then left some revealing properties in the compiled executable, including one that indicates it was compiled on a computer with Russian localization settings. 8/

Sophos currently detects EDRKillShifter as Troj/KillAV-KG. In addition, behavioral protection rules that protect against defense evasion and privilege escalation block these system calls from going through. #EDRKillShifter is a dud on boxes we protect. /end

https://news.sophos.com/en-us/2024/08/14/edr-kill-shifter/