RansomHub Operators Employ Novel Malware to Disable EDR Protection

CyberSecureFox 🦊

Cybersecurity experts have uncovered a new malicious tool called EDRKillShifter, employed by RansomHub ransomware operators to circumvent Endpoint Detection and Response (EDR) solutions. This sophisticated malware utilizes the increasingly prevalent Bring Your Own Vulnerable Driver (BYOVD) attack technique to elevate privileges, disable security measures, and seize control of target systems.

Anatomy of EDRKillShifter: A Three-Stage Attack

EDRKillShifter operates in three distinct stages, demonstrating a high level of complexity and evasion capabilities:

  1. Initial Execution: The attacker launches the EDRKillShifter binary with a decryption password, which then decrypts and executes an embedded resource named “BIN” in memory.
  2. Payload Unpacking: The decrypted code unpacks and executes the final payload.
  3. Privilege Escalation and EDR Disabling: The payload loads a vulnerable legitimate driver to elevate privileges and disable active EDR processes and services on the victim’s system.

Exploitation of Legitimate Drivers

Sophos researchers identified two distinct malware samples utilizing proof-of-concept exploits available on GitHub. One sample exploited the vulnerable RentDrv2 driver, while the other targeted the ThreatFireMonitor driver, a component of an outdated system monitoring package. This approach of leveraging legitimate but vulnerable drivers is a hallmark of BYOVD attacks, making detection and prevention more challenging for security solutions.

Continuous Process Termination

After successfully loading the vulnerable driver, EDRKillShifter enters an infinite loop, continuously scanning running processes and terminating those listed in its hardcoded target list. This aggressive approach ensures that security processes remain disabled, providing the attackers with prolonged access to the compromised system.

Implications for Cybersecurity

The emergence of EDRKillShifter highlights several critical points for cybersecurity professionals and organizations:

  • The growing sophistication of ransomware operators and their tools
  • The persistent threat posed by vulnerable drivers, even when signed and seemingly legitimate
  • The importance of multi-layered security approaches that don’t rely solely on EDR solutions

Mitigation Strategies

To protect against EDRKillShifter and similar BYOVD attacks, Sophos recommends the following measures:

  • Enable tamper protection features in endpoint security products
  • Implement strict user and administrator rights segregation to prevent unauthorized driver loading
  • Keep systems up to date, as Microsoft regularly revokes signatures for drivers known to be exploited in attacks
  • Employ application whitelisting and other advanced security controls to prevent the execution of unknown binaries

The discovery of EDRKillShifter serves as a stark reminder of the ever-evolving threat landscape in cybersecurity. As attackers continue to develop more sophisticated tools and techniques, organizations must remain vigilant, continuously updating their security posture and adopting a proactive approach to threat detection and mitigation. By staying informed about emerging threats like EDRKillShifter and implementing robust security measures, businesses can better protect themselves against the growing menace of ransomware and other cyber attacks.
