RansomHub Have A Tool That Neutralises EDR

A cyber crime group with links to the RansomHub ransomware group has been detected using a new tool designed to terminate Endpoint Detection and Response (EDR) software on compromised hosts, joining a number of other similar programs like AuKill and Terminator.   

The EDR-killing utility has been dubbed EDRKillShifter by researchers at cyber security company Sophos, which first discovered the tool in connection with a failed ransomware attack in May 2024.

The EDRKillShifter tool is a loader executable used to deliver vulnerable drivers that can be exploited by attackers and operates in three stages:  

  • The attacker runs EDRKillShifter with a command line password.
  • The tool decrypts and executes an embedded resource named BIN in memory.
  • The BIN code then unpacks and runs a final Go-written payload, which exploits a vulnerable legitimate driver to disable EDR (Endpoint Detection and Response) protection.

RansomHub, which is a suspected rebrand of the Knight ransomware, surfaced in February 2024, exploiting known security flaws to obtain initial access and drop legitimate remote desktop software such as Atera and Splashtop for persistent access.

Microsoft have reported that the notorious e-crime syndicate known as Scattered Spider has incorporated ransomware strains such as RansomHub and Qilin into its toolkit.

Executed via command-line along with a password string input, the executable decrypts an embedded resource named BIN and executes it in memory. The BIN resource unpacks and runs a Go-based final, obfuscated payload, which then takes advantage of different vulnerable, legitimate drivers to gain elevated privileges and disarm EDR software.

To mitigate the threat, it's recommended to keep systems up-to-date, enable tamper protection in EDR software, and practice strong hygiene for Windows security roles.

The development comes as threat actors have been observed delivering a new stealthy malware called SbaProxy by modifying legitimate antivirus binaries from BitDefender, Malwarebytes and Sophos, signing the files with counterfeit certificates in order to establish proxy connections through a command-and-control (C2) server as part of an ongoing campaign. SbaProxy is engineered to set up a proxy connection between the client and the target such that it routes the traffic through the C2 server and the infected machine. The malware only supports TCP connections.

Sophos antimalware currently detects EDRKillShifter as Troj/KillAV-KG. Furthermore, behavioral protection rules that protect against defense evasion and privilege escalation block these system calls from going through.

To defend against such threats, organisations are recommended to enable tamper protection on their endpoint security product to safeguard against certain types of attacks.

Additionally, maintaining strong Windows security practices, such as separating user and admin privileges, can prevent attackers from escalating privileges and loading drivers. Since last year, Microsoft has begun to push updates that automatically decertify signed drivers known to have been abused in the past.  

Sophos strongly advises that users check whether their endpoint security product implements and enables tamper protection. This feature provides a strong layer of defence against this type of attack. They also recommend strong hygiene for Windows security roles.

This attack is only possible if the attacker escalates privileges they control, or if they can obtain administrator rights. Separation between user and admin privileges can help prevent attackers from easily loading drivers. Keep your system updated.
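The chain described above (a driver is loaded, then the endpoint agent goes down) can be hunted for in Windows System-log events. The sketch below is an added example, not code from Sophos or from this article: it correlates Service Control Manager event 7045 (a service was installed) for a kernel driver with event 7034 or 7036 showing a security service stopping on the same host shortly afterwards. The event dicts, host names, driver name and the `ExampleEDRAgent` service name are constructed placeholders, and the ten-minute window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample of Service Control Manager events, already parsed to dicts.
# Hosts, services, paths and timestamps are made up for illustration.
SAMPLE_EVENTS = [
    {"time": "2025-01-01T10:02:11", "host": "WS-017", "id": 7045,
     "service": "hlpdrv", "service_type": "kernel mode driver",
     "image_path": r"C:\Users\jdoe\AppData\Local\Temp\hlpdrv.sys"},
    {"time": "2025-01-01T10:02:40", "host": "WS-017", "id": 7034,
     "service": "ExampleEDRAgent"},
    {"time": "2025-01-01T11:30:00", "host": "WS-022", "id": 7045,
     "service": "UpdaterSvc", "service_type": "user mode service",
     "image_path": r"C:\Program Files\Updater\upd.exe"},
    {"time": "2025-01-01T11:31:00", "host": "WS-022", "id": 7036,
     "service": "ExampleEDRAgent", "state": "stopped"},
    {"time": "2025-01-01T15:00:00", "host": "WS-017", "id": 7036,
     "service": "ExampleEDRAgent", "state": "running"},
]

# Assumption: service names of your endpoint agent; replace with the real ones.
SECURITY_SERVICES = {"exampleedragent"}
WINDOW = timedelta(minutes=10)

def is_driver_install(ev):
    # 7045 = "A service was installed"; only kernel drivers matter here.
    return ev["id"] == 7045 and "kernel" in ev.get("service_type", "").lower()

def is_agent_down(ev):
    # 7034 = service terminated unexpectedly; 7036 = service state change.
    if ev["service"].lower() not in SECURITY_SERVICES:
        return False
    return ev["id"] == 7034 or (ev["id"] == 7036 and ev.get("state") == "stopped")

def find_driver_then_agent_down(events, window=WINDOW):
    """Return (host, driver_service, image_path, agent_service, seconds) tuples."""
    alerts, installs = [], {}  # installs: host -> [(time, event), ...]
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if is_driver_install(ev):
            installs.setdefault(ev["host"], []).append((t, ev))
        elif is_agent_down(ev):
            for t0, drv in installs.get(ev["host"], []):
                if timedelta(0) <= t - t0 <= window:
                    alerts.append((ev["host"], drv["service"], drv["image_path"],
                                   ev["service"], int((t - t0).total_seconds())))
    return alerts

if __name__ == "__main__":
    for alert in find_driver_then_agent_down(SAMPLE_EVENTS):
        print(alert)
```

Legitimate driver installs that coincide with an agent update will also match, so treat a hit as a triage lead and check the driver's path, signer and hash before escalating.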

AlienVault   |    Sophos   |    LevelBlue   |    Hacker News   |   SCMagazine   |    Security Affairs   |   @Shah_Sheik

Cybersecurity-help 
