RansomHub Have A Tool That Neutralises EDR

A cyber crime group with links to the RansomHub ransomware group has been detected using a new tool designed to terminate Endpoint Detection and Response (EDR) software on compromised hosts, joining a number of other similar programs like AuKill and Terminator.   

The EDR-killing utility has been dubbed EDRKillShifter by researchers at cyber security company Sophos, which first discovered the tool in connection with a failed ransomware attack in May 2024.

The EDRKillShifter tool is a loader executable used to deliver vulnerable drivers that can be exploited by attackers and operates in three stages:  

  • The BIN code then unpacks and runs a final Go-written payload, which exploits a vulnerable legitimate driver to disable EDR (Endpoint Detection and Response) protection.
  • The attacker runs EDRKillShifter with a command line password.
  • The tool decrypts and executes an embedded resource named BIN in memory.

RansomHub, which is a suspected rebrand of the Knight ransomware, surfaced in February 2024, exploiting known security flaws to obtain initial access and drop legitimate remote desktop software such as Atera and Splashtop for persistent access.

Microsoft have reported  that the notorious e-crime syndicate known as Scattered Spider has incorporated ransomware strains such as RansomHub and Qilin into its toolkit.

Executed via command-line along with a password string input, the executable decrypts an embedded resource named BIN and executes it in memory. The BIN resource unpacks and runs a Go-based final, obfuscated payload, which then takes advantage of different vulnerable, legitimate drivers to gain elevated privileges and disarm EDR software.

To mitigate the threat, it's recommended to keep systems up-to-date, enable tamper protection in EDR software, and practice strong hygiene for Windows security roles.

The development comes as threat actors have been observed delivering a new stealthy malware called SbaProxy by modifying legitimate antivirus binaries from BitDefender, Malwarebytes and Sophos, signing the files with counterfeit certificates in order to establish proxy connections through a command-and-control (C2) server as part of an ongoing campaign.  SbaProxy is engineered to set up a proxy connection between the client and the target such that it routes the traffic through the C2 server and the infected machine. The malware only supports TCP connections. Sophos antimalware currently detects EDRKillShifter as Troj/KillAV-KG. Furthermore, behavioral protection rules that protect against defense evasion and privilege escalation block these system calls from going through. 

To defend against such threats organisations are recommended to enable tamper protection on their endpoint security product to safeguard against certain types of attacks.

Additionally, maintaining strong Windows security practices, such as separating user and admin privileges, can prevent attackers from escalating privileges and loading drivers. Since last year, Microsoft has begun to push updates that automatically decertify signed drivers known to have been abused in the past.  

Sophos strongly avises that users  check whether their endpoint security product implements and enables tamper protection. This feature provides a strong layer against such type of attacks. They also recommend strong hygiene for Windows security roles.

This attack is only possible if the attacker escalates privileges they control, or if they can obtain administrator rights. Separation between user and admin privileges can help prevent attackers from easily loading drivers. Keep your system updated.

AlienVault   |    Sophos   |    LevelBlue   |    Hacker News   |   SCMagazine   |    Security Affairs   |   @Shah_Sheik

Cybersecurity-help 

Image:  stuartmiles99

You Might Also Read: 

Threat Intelligence: Most Prevalent Malware Rankings:


If you like this website and use the comprehensive7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible



 

« Telegram Messaging Platform Founder Arrested
California's Controversial AI Bill Will Soon Be Law »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CLUSIS

CLUSIS

CLUSIS is an association for the information security industry in Switzerland.

Flexera

Flexera

Flexera is reimagining the way software is bought, sold, managed and secured.

Raytheon Technologies

Raytheon Technologies

Raytheon Intelligence & Space delivers solutions that protect every side of cyber for government agencies, businesses and nations.

OCM Business Systems

OCM Business Systems

OCM are experts in the safe, secure and responsible disposal of IT & EPoS assets.

Cybersecurity Manufacturing Innovation Institute (CyManII)

Cybersecurity Manufacturing Innovation Institute (CyManII)

CyManII was established to create economically viable, pervasive, and inconspicuous cybersecurity in American manufacturing to secure the digital supply chain and energy automation.

IPification

IPification

IPification is a highly secure, credential-less, network-based authentication solution for frictionless user experience on mobile and IoT devices.

Absa Cybersecurity Academy

Absa Cybersecurity Academy

Absa Cybersecurity Academy is an initiative aimed at empowering marginalised South African youths to become certified cybersecurity specialists.

SecureAge Technology

SecureAge Technology

We’re a rapidly growing cybersecurity company with an 18-year history of ZERO Data breaches. Our security solutions place security and usability on equal footing. Learn more about our technology.

F1 Security

F1 Security

F1 Security provides a family of web security solutions including web application firewalls, web shell detection solutions, and web shell scanners.

Tabidus Technology

Tabidus Technology

Tabidus Technology is a cybersecurity association that unites and provides the global protection options against cyber threats.

Vaultinum

Vaultinum

Vaultinum are a trusted independent third party specialized in the protection and audit of digital assets.

Proton

Proton

Proton provides free encrypted email, calendar, drive, password manager, and VPN services. Building a better Internet.

Cysmo Cyber Risk

Cysmo Cyber Risk

Cysmo is an innovative cyber risk assessment platform specifically designed for the needs of the German insurance industry.

Bedrock Security

Bedrock Security

Bedrock Security is at the forefront of revolutionizing data security in the cloud and GenAI era.

Thero6

Thero6

Thero6 develop dynamic financial analysis algorithms that help prevent coin collapses and theft of cryptocurrency funds by identifying the transaction absolutely throughout the chain.

Black Belt Secure

Black Belt Secure

We provide critical cybersecurity services such as managed security, ransomware mitigation, penetration testing, system auditing and compliance services to your organization.