Sophos researchers have uncovered a new tool, EDRKillShifter, that malicious actors are using to target endpoint detection and response (EDR) systems.
The discovery came after an unsuccessful ransomware attack in May. The threat actors deployed the tool to disable endpoint protection software and execute the notorious RansomHub ransomware. The attack failed when Sophos’ protection systems detected and blocked the ransomware.
According to Sophos, this tool is a significant evolution in malware that targets EDR systems as more businesses are investing in these technologies to protect themselves from cyber threats.
Since 2022, Sophos has seen a rise in malware designed to disable EDR systems. Tools like AuKill are already being sold on criminal marketplaces, and Sophos is “moderately confident” that multiple malefactors are using this new tool in their attacks.
How it Works
EDRKillShifter operates as a “loader” executable, delivering a legitimate yet vulnerable driver to compromise the target system. This technique is called “bring your own vulnerable driver” (BYOVD). The tool can deliver several driver payloads based on the threat actor’s needs.
The execution process involves three steps. First, the attacker runs EDRKillShifter with a command-line password, which decrypts an embedded resource and loads it into memory. The final payload, written in the Go programming language, exploits a vulnerable driver to gain the privileges it needs to disable an EDR tool’s protection.
Sophos’ analysis indicates that the malware author most likely compiled the executable on a machine with Russian localization settings. The executable, named “Loader.exe,” needs a unique 64-character password to execute, and if the password is incorrect, the loader does not function.
Layers of Complexity
EDRKillShifter also uses self-modifying code, making it harder for researchers to analyze. The malware’s second layer modifies its instructions during runtime, requiring specialized tools for analysis. This obfuscation technique hides essential information such as strings, Go version details, and package paths, making reverse engineering even more difficult.
Sophos’ research pinpointed several variants of EDRKillShifter, each with different vulnerable drivers embedded in the code. While the final payloads vary, the overall behavior remains the same. Once executed, the malware gains the necessary privileges to load a driver and drop an exploitable sys file into the system’s temporary folder.
The malware then starts a service for the driver and enters an endless loop, terminating processes that match a hardcoded list of targets. Both variants analyzed by the security giant abuse legitimate but vulnerable drivers, using proof-of-concept exploits that are available on platforms like GitHub. This mirrors trends seen with other EDR-killing tools, such as Terminator.
Sophos researchers also suggest that EDRKillShifter may be part of a larger dark web market where loaders and obfuscators are sold to malefactors.
Mitigation and Defense Strategies
Sophos detects EDRKillShifter as Troj/KillAV-KG and says it has implemented behavioral protection rules to block system calls associated with this malware.
Sophos X-Ops recommends that businesses and people:
- Enable tamper protection on their endpoint security products, providing an extra layer of defense against these attacks.
- Practice strong Windows security hygiene, including limiting administrator privileges to lessen the risk of cyber crooks gaining elevated access.
- Keep systems updated to ensure that signed drivers known to have vulnerabilities are no longer valid.
As bad actors develop more sophisticated and complex tools, entities must stay vigilant and implement robust cybersecurity measures to protect against these evolving threats.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.