Sophos researchers have documented EDRKillShifter, a BYOVD (Bring Your Own Vulnerable Driver) tool deployed by RansomHub ransomware operators to disable EDR solutions before payload deployment. The tool exploits two specific vulnerable drivers — RentDrv2 and ThreatFireMonitor — which are signed legitimate drivers that can be exploited to escalate privileges and terminate security processes.
How EDRKillShifter Operates: Three-Stage BYOVD Attack
EDRKillShifter executes in three stages:
- Initial Execution: The attacker launches the EDRKillShifter binary with a decryption password, which then decrypts and executes an embedded resource named “BIN” in memory.
- Payload Unpacking: The decrypted code unpacks and executes the final payload.
- Privilege Escalation and EDR Disabling: The payload loads a vulnerable legitimate driver to elevate privileges and disable active EDR processes and services on the victim’s system.
Vulnerable Drivers Used: RentDrv2 and ThreatFireMonitor
Sophos researchers identified two distinct malware samples utilizing proof-of-concept exploits available on GitHub. One sample exploited the vulnerable RentDrv2 driver, while the other targeted the ThreatFireMonitor driver, a component of an outdated system monitoring package. This approach of leveraging legitimate but vulnerable drivers is a hallmark of BYOVD attacks, making detection and prevention more challenging for security solutions.
Continuous Process Termination
After successfully loading the vulnerable driver, EDRKillShifter enters an infinite loop, continuously scanning running processes and terminating those listed in its hardcoded target list. This aggressive approach ensures that security processes remain disabled, providing the attackers with prolonged access to the compromised system.
Why Signed Drivers Are Exploitable: The BYOVD Attack Pattern
A signed driver being exploited does not mean the signature is invalid — it means the driver contains a code vulnerability that can be triggered from user mode to gain kernel privileges. Microsoft maintains a Vulnerable Driver Blocklist updated via Windows Defender, but there is typically a lag between public disclosure of a driver vulnerability and its addition to the blocklist.
Mitigation Strategies
To protect against EDRKillShifter and similar BYOVD attacks, Sophos recommends the following measures:
- Enable tamper protection features in endpoint security products
- Implement strict user and administrator rights segregation to prevent unauthorized driver loading
- Keep systems up to date, as Microsoft regularly revokes signatures for drivers known to be exploited in attacks
- Employ application whitelisting and other advanced security controls to prevent the execution of unknown binaries
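As an added example, not code from the Sophos report: a PowerShell audit that checks whether the mitigations above are in place on a host and lists running kernel drivers that merit review. The `$KnownVulnerable` list, the two function names and the assumption that drivers are normally Microsoft- or WHQL-signed and loaded from `%SystemRoot%` are mine; the blocklist registry value is the one Microsoft documents for enabling its vulnerable driver blocklist.

```powershell
# Added audit script (not part of the Sophos research): reports whether the
# BYOVD mitigations named above are in place and lists running kernel drivers
# that are not Microsoft-signed, so an unexpected driver load can be reviewed.
# $KnownVulnerable holds the two driver names the report mentions (assumed
# name-matching heuristic); extend it from your own intelligence.
$KnownVulnerable = @('RentDrv2', 'ThreatFireMonitor')

function Get-ByovdMitigationStatus {
    $status = [ordered]@{}
    # 1. Defender tamper protection (cmdlet only exists where Defender is installed)
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $status['TamperProtection'] = [bool]$mp.IsTamperProtected
    } catch { $status['TamperProtection'] = 'unknown (Defender cmdlets unavailable)' }
    # 2. Hypervisor-protected code integrity (value 2 in SecurityServicesRunning = HVCI)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $status['HVCI'] = [bool]($dg.SecurityServicesRunning -contains 2)
    # 3. Microsoft vulnerable driver blocklist, switched on through the CI config key
    $ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
          -ErrorAction SilentlyContinue
    $status['VulnerableDriverBlocklist'] = ($ci.VulnerableDriverBlocklistEnable -eq 1)
    [pscustomobject]$status
}

function Get-SuspectKernelDrivers {
    foreach ($drv in Get-CimInstance Win32_SystemDriver) {
        if ($drv.State -ne 'Running' -or -not $drv.PathName) { continue }
        # Normalise the kernel-style paths WMI returns (\SystemRoot\..., \??\C:\...)
        $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
        $nameHit = [bool]($KnownVulnerable | Where-Object { $drv.Name -like "*$_*" -or $path -like "*$_*" })
        $microsoft = $signer -like '*O=Microsoft Corporation*'
        # Report anything name-matched, not Microsoft-signed, or loaded from outside %SystemRoot%
        if ($nameHit -or -not $microsoft -or $path -notlike "$env:SystemRoot\*") {
            [pscustomobject]@{
                Name                = $drv.Name
                Path                = $path
                Signer              = $signer
                SignatureStatus     = if ($sig) { $sig.Status } else { 'unreadable' }
                KnownVulnerableName = $nameHit
            }
        }
    }
}

Get-ByovdMitigationStatus | Format-List
Get-SuspectKernelDrivers  | Format-Table -AutoSize
```

Run it in an elevated session; third-party drivers that are legitimately installed will also appear in the second list, so treat it as a review queue rather than a verdict.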