Ransomware group uses new virus to disable security software.

RansomHub ransomware operators are now using new malware to disable Endpoint Detection and Response (EDR) protection products in BYOVD (Bring Your Own Vulnerable Driver) attacks.

Sophos security experts named the malware EDRKillShifter after discovering it during a May 2024 ransomware investigation. It uses a legal, vulnerable driver on targeted machines to escalate privileges, deactivate security measures, and take control of the system.

This approach is widely used by many threat actors, including financially driven ransomware gangs and state-sponsored hacking outfits.

"During the incident in May, the threat actors - we estimate with moderate confidence that this tool is being used by multiple attackers — attempted to use EDRKillShifter to terminate Sophos protection on the targeted computer, but the tool failed," Andreas Klopsch, security researcher at Sophos, stated.

"They then attempted to run the ransomware executable on the machine they controlled, but that also failed when the endpoint agent's CryptoGuard feature was triggered."

Sophos uncovered two separate samples while investigating, both with proof-of-concept exploits available on GitHub: one using a vulnerable driver known as RentDrv2, and the other exploiting a driver named ThreatFireMonitor, which is a component of a deprecated system monitoring package.

Sophos also discovered that EDRKillShifter can deliver numerous driver payloads based on the attackers' needs, and the malware's language

The loader executes in three steps: First, the attacker runs the EDRKillShifter binary with a password string to decrypt and execute an embedded resource called BIN in memory. This code then unpacks and runs the final payload, which drops and exploits a vulnerable, legal driver to elevate privileges and disable active EDR processes and services.

"After the malware creates a new service for the driver, starts the service, and loads the driver, it enters an endless loop that continuously enumerates the running processes, terminating processes if their name appears in a hardcoded list of targets," says Klopsch.

"It is also worth mentioning that both variants exploit valid (albeit insecure) drivers using proof-of-concept vulnerabilities available on Github. We believe the threat actors copied elements of

Sophos recommends enabling tamper protection in endpoint security products, separating user and administrative privileges to prevent attackers from loading vulnerable drivers, and keeping systems up to date, given that Microsoft continues to de-certify signed drivers that have been misused in previous attacks.

Last year, Sophos discovered AuKill, an EDR-killing malware that exploited a weak Process Explorer driver in Medusa Locker and LockBit ransomware attacks. AuKill is similar to Backstab, an open-source tool that exploits a weak Process Explorer driver and was used by the LockBit gang in at least one attack detected by Sophos X-Ops.

Source: Bleeping Computer