RansomHub Have A Tool That Neutralises EDR

A cyber crime group with links to the RansomHub ransomware group has been detected using a new tool designed to terminate Endpoint Detection and Response (EDR) software on compromised hosts, joining a number of other similar programs like AuKill and Terminator.   

The EDR-killing utility has been dubbed EDRKillShifter by researchers at cyber security company Sophos, which first discovered the tool in connection with a failed ransomware attack in May 2024.

The EDRKillShifter tool is a loader executable used to deliver vulnerable drivers that can be exploited by attackers and operates in three stages:  

  • The BIN code then unpacks and runs a final Go-written payload, which exploits a vulnerable legitimate driver to disable EDR (Endpoint Detection and Response) protection.
  • The attacker runs EDRKillShifter with a command line password.
  • The tool decrypts and executes an embedded resource named BIN in memory.

RansomHub, which is a suspected rebrand of the Knight ransomware, surfaced in February 2024, exploiting known security flaws to obtain initial access and drop legitimate remote desktop software such as Atera and Splashtop for persistent access.

Microsoft have reported  that the notorious e-crime syndicate known as Scattered Spider has incorporated ransomware strains such as RansomHub and Qilin into its toolkit.

Executed via command-line along with a password string input, the executable decrypts an embedded resource named BIN and executes it in memory. The BIN resource unpacks and runs a Go-based final, obfuscated payload, which then takes advantage of different vulnerable, legitimate drivers to gain elevated privileges and disarm EDR software.

To mitigate the threat, it's recommended to keep systems up-to-date, enable tamper protection in EDR software, and practice strong hygiene for Windows security roles.

The development comes as threat actors have been observed delivering a new stealthy malware called SbaProxy by modifying legitimate antivirus binaries from BitDefender, Malwarebytes and Sophos, signing the files with counterfeit certificates in order to establish proxy connections through a command-and-control (C2) server as part of an ongoing campaign.  SbaProxy is engineered to set up a proxy connection between the client and the target such that it routes the traffic through the C2 server and the infected machine. The malware only supports TCP connections. Sophos antimalware currently detects EDRKillShifter as Troj/KillAV-KG. Furthermore, behavioral protection rules that protect against defense evasion and privilege escalation block these system calls from going through. 

To defend against such threats organisations are recommended to enable tamper protection on their endpoint security product to safeguard against certain types of attacks.

Additionally, maintaining strong Windows security practices, such as separating user and admin privileges, can prevent attackers from escalating privileges and loading drivers. Since last year, Microsoft has begun to push updates that automatically decertify signed drivers known to have been abused in the past.  

Sophos strongly avises that users  check whether their endpoint security product implements and enables tamper protection. This feature provides a strong layer against such type of attacks. They also recommend strong hygiene for Windows security roles.

This attack is only possible if the attacker escalates privileges they control, or if they can obtain administrator rights. Separation between user and admin privileges can help prevent attackers from easily loading drivers. Keep your system updated.

AlienVault   |    Sophos   |    LevelBlue   |    Hacker News   |   SCMagazine   |    Security Affairs   |   @Shah_Sheik

Cybersecurity-help 

Image:  stuartmiles99

You Might Also Read: 

Threat Intelligence: Most Prevalent Malware Rankings:


If you like this website and use the comprehensive7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible



 

« Telegram Messaging Platform Founder Arrested
California's Controversial AI Bill Will Soon Be Law »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

DigiCert

DigiCert

DigiCert is the only provider of enterprise-grade SSL, IoT and PKI solutions. Our certificates are trusted everywhere, millions of times every day, by companies across the globe.

Arsenal Recon

Arsenal Recon

Arsenal Recon are digital forensics experts, providing consultancy services and powerful software tools to improve the analysis of electronic evidence.

Secudos

Secudos

SECUDOS is an innovative appliance technology and services provider focused on IT security and compliance.

Wipro

Wipro

Wipro Limited is a leading global information technology, consulting and business process services company.

Axcient

Axcient

Axcient offers MSPs the most secure backup and disaster recovery technology stack with a proven Business Availability suite.

IntaPeople

IntaPeople

IntaPeople are IT and engineering recruitment specialists. We have specialist teams for job sectors including Cybersecurity, IT infrastructure and DevOps.

Cyemptive Technologies

Cyemptive Technologies

Cyemptive's CyberSlice technology preempts and remove threats before they take hold, in seconds, compared to other’s hours, days, weeks and even months.

doIT Solutions

doIT Solutions

doIT solutions specialize in IT security and infrastructure, security automation, data center, and cybersecurity.

Symmetry Systems

Symmetry Systems

Symmetry Systems is a provider of data store and object-level security (DSOS) solutions that give organizations visibility into, and unified access control of, their most valuable data assets.

BlackFog

BlackFog

BlackFog is a leader in device data privacy, data security and ransomware prevention. Our behavioral analysis and anti data exfiltration technology stops hackers before they even get started.

HACKNER Security Intelligence

HACKNER Security Intelligence

HACKNER Security Intelligence is an independent security consultancy delivering comprehensive security assessments across IT security, physical security, and social engineering.

BluescreenIT (BIT)

BluescreenIT (BIT)

BluescreenIT is an IT Security Consultancy and IT and Cyber Security Training company supporting industry, local authorities, MoD and governmental IT departments.

SecureStream Technologies

SecureStream Technologies

SecureStream Technologies have built the IoT SafetyNet - the Network Security Analytics platform to Eliminate Security Threats, Guarantee Privacy, Ensure Compliance, Simply & Easily.

Quantum eMotion (QeM)

Quantum eMotion (QeM)

Quantum eMotion is a Montreal-based advanced developer leading the way towards a new generation of quantum-safe encryption for the quantum computing age.

ThrottleNet

ThrottleNet

ThrottleNet provides world-class managed IT services and cybersecurity to organizations in St. Louis and throughout Missouri.

Defimoon

Defimoon

DeFimoon is the International Blockchain Development & Security Agency. We provide professional services and solutions at the highest quality on world-leading chains.