RansomHub Gang Deploys New EDR-Killing Malware

RansomHub ransomware operators have started deploying new malware to disable Endpoint Detection and Response (EDR) software using the Bring Your Own Vulnerable Driver (BYOVD) technique, in which an attacker installs a legitimately signed but exploitable driver and abuses it for kernel-level access. The malware, named EDRKillShifter by Sophos security researchers, drops such a driver on the targeted device, exploits it to escalate privileges, disables the security software, and then hands the system over to the attackers.

According to Sophos threat researcher Andreas Klopsch, this technique is popular among a range of threat actors, from financially motivated ransomware gangs to state-backed hacking groups. EDRKillShifter is a loader that can deliver different driver payloads depending on the attackers' needs, and it was compiled on a computer with Russian localization.

EDRKillShifter executes in three steps. First, the attacker launches the EDRKillShifter binary with a password string on the command line; the password is used to decrypt an embedded resource named BIN, which is executed in memory. Second, that decrypted code unpacks and runs the final payload. Third, the final payload drops a vulnerable, legitimately signed driver to disk, loads it, and exploits it to escalate privileges and terminate the EDR processes and services that are running.
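The third step is the one defenders can see from the endpoint: a kernel driver being loaded, typically from a path the attacker could write to, with a signature that is valid (or was valid until the vendor's certificate was revoked). The following is an added example, not code from Sophos or from the article, showing how a small triage script could flag such loads. The log records are constructed for this example in the shape of Sysmon Event ID 6 (Driver loaded) fields; the driver names and SHA256 values are placeholders, not real indicators of EDRKillShifter or any other malware.

```python
"""
Added example: triage Windows driver-load records for BYOVD activity.
The log lines, driver names and hashes below are constructed for this
demonstration; they are not indicators from the Sophos report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed blocklist: lower-case SHA256 -> label. A real deployment would
# load Microsoft's vulnerable driver blocklist or a feed such as LOLDrivers.
BLOCKLIST: Dict[str, str] = {
    "aa" * 32: "known-abused signed driver (constructed entry)",
}

# Path fragments that legitimate driver installs rarely use. A driver dropped
# by a user-mode loader usually lands in a directory that user can write to.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\windows\\temp\\")

# key=value pairs, comma separated, as used in the constructed records below.
FIELD_RE = re.compile(r"(\w+)=([^,]+)")


@dataclass
class DriverLoad:
    image: str     # ImageLoaded: full path of the .sys file
    sha256: str    # hash of the file that was loaded
    signed: bool   # Signed: whether the file carries an Authenticode signature
    status: str    # SignatureStatus: "Valid", "Revoked", "Expired", ...

    @classmethod
    def from_line(cls, line: str) -> "DriverLoad":
        f = dict(FIELD_RE.findall(line))
        return cls(
            image=f["ImageLoaded"].strip(),
            sha256=f["SHA256"].strip().lower(),
            signed=f["Signed"].strip().lower() == "true",
            status=f["SignatureStatus"].strip(),
        )


def assess(ev: DriverLoad) -> List[str]:
    """Return the list of rules a single driver load trips (empty if clean)."""
    reasons: List[str] = []
    # A BYOVD driver is validly signed by design, so the hash check is the
    # rule that catches the textbook case; the signature alone proves nothing.
    if ev.sha256 in BLOCKLIST:
        reasons.append("hash on vulnerable-driver blocklist: " + BLOCKLIST[ev.sha256])
    if not ev.signed:
        reasons.append("unsigned kernel driver")
    elif ev.status != "Valid":
        # Microsoft revokes certificates of drivers abused in the wild, so a
        # once-valid signature can fail later; treat that as a loud signal.
        reasons.append("signature status " + ev.status)
    if any(d in ev.image.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("driver loaded from a user-writable directory")
    return reasons


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged driver path to the reasons it was flagged."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        ev = DriverLoad.from_line(line)
        reasons = assess(ev)
        if reasons:
            hits[ev.image] = reasons
    return hits


# Constructed records (Sysmon Event ID 6 style). Only the first one is benign.
SAMPLE_LOG = [
    "EventID=6, ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys, SHA256="
    + "11" * 32 + ", Signed=true, SignatureStatus=Valid",
    # Validly signed, but dropped into the user's Temp directory and on the blocklist:
    "EventID=6, ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\svc.sys, SHA256="
    + "aa" * 32 + ", Signed=true, SignatureStatus=Valid",
    # Proper install location, but the signing certificate has since been revoked:
    "EventID=6, ImageLoaded=C:\\Windows\\System32\\drivers\\olddrv.sys, SHA256="
    + "bb" * 32 + ", Signed=true, SignatureStatus=Revoked",
    "EventID=6, ImageLoaded=C:\\ProgramData\\x\\drv.sys, SHA256="
    + "cc" * 32 + ", Signed=false, SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_LOG).items():
        print(image)
        for r in reasons:
            print("   -", r)
```

The second record is the one that matters for EDRKillShifter-style attacks: the driver is correctly signed and would pass a naive "is it signed?" check, so the detection has to rest on the hash blocklist and on where the file was loaded from. The third record shows why keeping the blocklist and the OS current matters: the same file that was clean last month now carries a revoked signature.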

Sophos recommends enabling tamper protection in endpoint security products, keeping user and administrator privileges strictly separated so that an attacker who compromises a user account cannot load a driver, and keeping systems updated. The last point matters because Microsoft continues to de-certify signed drivers that are known to have been abused in earlier attacks, and only an updated system refuses to load them.
Source: https://www.bleepingcomputer.com/news/security/ransomware-gang-deploys-new-malware-to-kill-security-software/