RansomHub Has A Tool That Neutralises EDR

A cyber crime group with links to the RansomHub ransomware group has been detected using a new tool designed to terminate Endpoint Detection and Response (EDR) software on compromised hosts, joining a number of other similar programs like AuKill and Terminator.   

The EDR-killing utility has been dubbed EDRKillShifter by researchers at cyber security company Sophos, which first discovered the tool in connection with a failed ransomware attack in May 2024.

EDRKillShifter is a loader executable that delivers a vulnerable, legitimately signed driver for the attacker to exploit (a "bring your own vulnerable driver" technique) and operates in three stages:

  • The attacker runs EDRKillShifter from the command line, supplying a password.
  • The tool decrypts an embedded resource named BIN and executes it in memory.
  • The BIN code then unpacks and runs a final Go-written payload, which exploits a vulnerable legitimate driver to disable EDR (Endpoint Detection and Response) protection.

RansomHub, which is a suspected rebrand of the Knight ransomware, surfaced in February 2024, exploiting known security flaws to obtain initial access and drop legitimate remote desktop software such as Atera and Splashtop for persistent access.

Microsoft has reported that the notorious e-crime syndicate known as Scattered Spider has incorporated ransomware strains such as RansomHub and Qilin into its toolkit.

Executed from the command line with a password string as input, the executable decrypts an embedded resource named BIN and executes it in memory. The BIN resource unpacks and runs an obfuscated, Go-based final payload, which then abuses one of several vulnerable, legitimate drivers to gain elevated privileges and disarm EDR software.
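The final stage described above only works because the host lets the attacker load a signed third-party driver. As an added example that is not part of the original article or of Sophos's research, the following PowerShell script hunts Sysmon driver-load events for drivers not signed by Microsoft. It assumes Sysmon is installed with DriverLoad (Event ID 6) logging enabled, that it runs from an elevated session, and that the known-bad hash list is supplied by the operator; the parameter names and output fields are the author's own.

```powershell
# Added example, not from the article or from Sophos: hunt Sysmon driver-load
# events (Event ID 6) for kernel drivers that were not signed by Microsoft.
# Assumptions: Sysmon is installed with DriverLoad logging on, the session is
# elevated, and the hash list below is supplied by you (it ships empty here).
[CmdletBinding()]
param(
    [int]$Hours = 24,
    # SHA256 hashes of drivers you already know to be abused for EDR killing.
    # Left empty on purpose: populate from your own intel, never guess.
    [string[]]$KnownBadSha256 = @()
)

$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($evt in $events) {
    # Sysmon stores its fields as <Data Name="...">; map them by name.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $signer = $data['Signature']
    $status = $data['SignatureStatus']

    # Sysmon's Hashes field looks like "SHA1=..,MD5=..,SHA256=..,IMPHASH=..";
    # pull out SHA256 if the Sysmon config records it.
    $sha256 = $null
    if ($data['Hashes'] -match 'SHA256=([0-9A-Fa-f]{64})') { $sha256 = $Matches[1].ToUpper() }

    $knownBad = $sha256 -and ($KnownBadSha256 -contains $sha256)

    # A BYOVD driver carries a VALID signature, so "Valid" alone proves nothing.
    # Flag anything not signed by Microsoft, anything with a broken signature,
    # and anything on the known-bad list regardless of signer.
    if ($knownBad -or $status -ne 'Valid' -or $signer -notmatch '^Microsoft') {
        [pscustomobject]@{
            Time     = $evt.TimeCreated
            Driver   = $data['ImageLoaded']
            Signer   = $signer
            Status   = $status
            SHA256   = $sha256
            KnownBad = [bool]$knownBad
        }
    }
}
```

Run it as `.\Hunt-DriverLoads.ps1 -Hours 72` (file name is the author's choice). A non-Microsoft signer is a review prompt, not a verdict: many legitimate hardware and backup drivers will appear, so baseline the output on a clean host and investigate only new entries, especially a driver loaded shortly after a process run from a user-writable path.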

To mitigate the threat, it's recommended to keep systems up-to-date, enable tamper protection in EDR software, and practice strong hygiene for Windows security roles.

The development comes as threat actors have been observed delivering a new stealthy malware called SbaProxy by modifying legitimate antivirus binaries from BitDefender, Malwarebytes and Sophos and signing the files with counterfeit certificates, in order to establish proxy connections through a command-and-control (C2) server as part of an ongoing campaign. SbaProxy is engineered to set up a proxy connection between the client and the target, routing the traffic through the C2 server and the infected machine. The malware only supports TCP connections.

Sophos antimalware currently detects EDRKillShifter as Troj/KillAV-KG. Furthermore, its behavioural protection rules against defence evasion and privilege escalation block the system calls the tool relies on.

Sophos strongly advises organisations to check whether their endpoint security product implements tamper protection and that it is enabled; this feature provides a strong layer of defence against this type of attack. It also recommends strong hygiene for Windows security roles.

The attack is only possible if the attacker can escalate the privileges they already hold, or otherwise obtain administrator rights, since loading a driver requires administrative privileges. Separating user and admin privileges therefore makes it harder for attackers to load drivers. Keeping systems up to date also helps: since last year, Microsoft has been pushing updates that automatically decertify signed drivers known to have been abused in the past.
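As an added illustration that is not part of the original article or of Sophos's guidance, the following PowerShell script checks the controls named above on a single Windows host: tamper protection, Microsoft's vulnerable driver blocklist, hypervisor-enforced code integrity, the currently loaded drivers that are not signed by Microsoft, and membership of the local Administrators group. It assumes an elevated session and that Microsoft Defender is the endpoint product for the tamper-protection check; the function names and output wording are the author's own.

```powershell
# Added example, not from the article or from Sophos: check the mitigations the
# article lists on a Windows host. Run from an elevated PowerShell session.
# Assumes Microsoft Defender is the endpoint product for the tamper-protection
# check; other EDRs expose that setting in their own consoles.

function Test-TamperProtection {
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -eq $status) { return 'Tamper protection: Defender not active; check your EDR console' }
    if ($status.IsTamperProtected) { 'Tamper protection: ON' } else { 'Tamper protection: OFF - enable it' }
}

function Test-VulnerableDriverBlocklist {
    # Microsoft's vulnerable driver blocklist (the "decertified drivers" the article
    # mentions) is enforced when this value is 1; it is on by default on hosts with
    # HVCI or Smart App Control, otherwise set it to 1 and reboot.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $prop = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    if ($prop.VulnerableDriverBlocklistEnable -eq 1) { 'Vulnerable driver blocklist: ENABLED' }
    else { 'Vulnerable driver blocklist: NOT enabled' }
}

function Test-Hvci {
    # SecurityServicesRunning contains 2 when hypervisor-enforced code integrity
    # is active, which keeps an attacker from loading an unsigned driver at all.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg -and ($dg.SecurityServicesRunning -contains 2)) { 'HVCI: running' } else { 'HVCI: not running' }
}

function Get-NonMicrosoftDrivers {
    # Every driver currently loaded, with its Authenticode signer. A BYOVD driver
    # typically has a VALID third-party signature, so the point of this list is
    # review, not an automatic verdict.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # WMI reports NT paths; turn them into Win32 paths for Get-AuthenticodeSignature.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject
            }
        } |
        Where-Object { $_.Signer -notmatch 'Microsoft' }
}

function Get-LocalAdmins {
    # Separation of user and admin rights: nobody's daily-use account should be here.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource
}

Test-TamperProtection
Test-VulnerableDriverBlocklist
Test-Hvci
"`nLoaded drivers not signed by Microsoft (review each):"
Get-NonMicrosoftDrivers | Format-Table -AutoSize
"`nMembers of the local Administrators group:"
Get-LocalAdmins | Format-Table -AutoSize
```

The driver and administrator lists are deliberately left for human review: a third-party driver with a valid signature is exactly what a BYOVD tool brings with it, so the useful signal is a driver or an admin account that was not there the last time the host was baselined.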

AlienVault   |    Sophos   |    LevelBlue   |    Hacker News   |   SCMagazine   |    Security Affairs   |   @Shah_Sheik

Cybersecurity-help 

Image:  stuartmiles99
