“EDRKillShifter” is a type of malware specifically designed to disable Endpoint Detection and Response (EDR) security software on a system, allowing attackers to carry out malicious activities like deploying ransomware without detection; it is considered a sophisticated tool often used by cybercriminals to evade security measures.
Key points about EDRKillShifter:
Function:
Its primary purpose is to actively disable EDR systems, essentially rendering them ineffective at monitoring and alerting on potential threats on a compromised system.
Impact:
By bypassing EDR protection, attackers can operate more freely, making it easier to deploy ransomware or other malicious payloads without being detected.
Detection:
Security researchers, like those at Sophos, have identified EDRKillShifter as a growing threat in the cybersecurity landscape.
https://news.sophos.com/en-us/2024/08/14/edr-kill-shifter/
https://thehackernews.com/2024/08/ransomhub-group-deploys-new-edr-killing.html
“The binary’s language property is Russian, indicating that the malware author compiled the executable on a computer with Russian localization settings,” Klopsch said. “All of the unpacked EDR killers embed a vulnerable driver in the .data section.”
—> This was about a specific piece of malware used in a particular campaign. The relevant part was about the EDR killers using the ‘data’ section.
This method (embedding a vulnerable driver and abusing it to disable security tooling) has gained popularity among various threat actors, including financially motivated gangs and state-sponsored groups.
Here’s a step-by-step breakdown of its execution process:
- Command Line Execution: The attacker initiates EDRKillShifter with a password-protected command line. The correct password decrypts an embedded resource named BIN in memory.
- Payload Execution: The BIN code then unpacks and executes the final payload, which is a Go-language binary designed to exploit vulnerable drivers.
- Driver Exploitation: The final payload drops and exploits a legitimate driver to bypass EDR protections.
EDRKillShifter represents a notable advancement in EDR-killing malware, utilizing sophisticated techniques to disable endpoint protections.
Mitigations:
- Enable Tamper Protection
- Practice Strong Role Separation
- Keep Systems Updated
Loader and Payload Variability
EDRKillShifter variants demonstrate significant variability in the drivers and payloads used. This adaptability allows threat actors to customize their attacks based on the target environment and available vulnerabilities.
Others
- https://www.theregister.com/2024/08/19/ransomhub_edrkilling_malware/
- https://x.com/Scottjbarlow/status/1829594183650468304
- https://www.tidalcyber.com/blog/edrkillshifter-ransomwaretools-extrahop-wiz
- https://smartermsp.com/cybersecurity-threat-advisory-edrkillshifter-a-growing-threat/
- https://community.f5.com/kb/security-insights/windows-critical-rce-vulnerability-malicious-solana-py-and-edrkillshifter/333350
- https://securityaffairs.com/167105/cyber-crime/ransomhub-tool-kill-edr-software.html
When executed, EDRKillShifter loads an encrypted resource named BIN, embedded inside itself, into memory. It also copies that data into a new file named Config.ini and writes that file to the same filesystem location where the binary was executed.