Cybercriminals have been observed using a new tool built specifically to disable the endpoint security software on a victim's computer so that ransomware can then be deployed.

Researchers from Sophos have identified a new tool they have named EDRKillShifter, which is designed to terminate Endpoint Detection and Response (EDR) software. Sophos observed it in use by the ransomware group known as RansomHub. However, Sophos believes "with moderate confidence" that EDRKillShifter is being used by multiple attackers, suggesting it may have been developed by a third party and is possibly available for sale or rent on the dark web.

EDRKillShifter works by attempting to terminate the EDR protections running on the target computer. In the incident Sophos analyzed, the attackers used it against Sophos' own endpoint protection; the attempt failed, and the ransomware deployment was abandoned.

Sophos describes EDRKillShifter as a loader that drops a legitimate but outdated and vulnerable driver onto the target system. This technique, known as "Bring Your Own Vulnerable Driver" (BYOVD), has been around for years. In a BYOVD attack, the attacker installs an old but legitimately signed driver that Windows will still load, then exploits a known vulnerability in that driver to run code with kernel privileges. From the kernel, the attacker can terminate or blind security products that ordinary user-mode malware, even with administrator rights, cannot stop, which is what clears the way for the ransomware.

EDRKillShifter can deliver different driver payloads depending on the attacker’s needs, making it a versatile tool for those looking to bypass security measures.

To protect against this type of threat, Sophos advises ensuring that endpoint security products have tamper protection enabled. Businesses should also maintain strict separation between user and administrator roles on Windows: loading a driver requires administrator rights, so the attacker must first escalate privileges or obtain admin credentials. Keeping Windows updated is also crucial, as Microsoft has started de-certifying signed drivers known to be abused and maintains a vulnerable driver blocklist that an up-to-date system can enforce, so many of the drivers these tools depend on will no longer load.
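The checks behind those three recommendations can be run directly on a host. The script below is an added example written for this page, not Sophos' tooling and not part of the original report; it assumes an elevated PowerShell 5.1 or later session on Windows 10/11, and the Defender tamper-protection check is skipped on hosts where the Defender cmdlets are not present. It reports whether Microsoft's vulnerable driver blocklist and HVCI are active, and then inventories running kernel drivers with their path, signer and hash so that a driver dropped outside the Windows directory, as a BYOVD loader would do, stands out for review.

```powershell
# Added example (not Sophos' code): BYOVD-exposure check for a Windows host.
# Run in an elevated PowerShell session.

# 1. Microsoft's vulnerable driver blocklist. Code Integrity reads this registry switch;
#    a value of 1 means known-abused signed drivers are refused at load time.
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable `
                -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
"Vulnerable driver blocklist enforced : {0}" -f ($blocklist -eq 1)

# 2. HVCI (memory integrity). SecurityServicesRunning contains 2 when HVCI is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
"HVCI running                         : {0}" -f ($dg.SecurityServicesRunning -contains 2)

# 3. Tamper protection, for hosts running Defender (other EDR products expose the
#    equivalent setting in their own management console).
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    "Defender tamper protection           : {0}" -f (Get-MpComputerStatus).IsTamperProtected
}

# 4. Inventory of running kernel drivers. A loader of the kind described drops its driver
#    into a writable location rather than System32\drivers, and the driver is signed but
#    old, so record path, signer, certificate validity and SHA256 for each one.
$windir  = $env:SystemRoot
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise NT-style paths from the service database (\??\C:\... or \SystemRoot\...).
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $windir
        if (-not (Test-Path -LiteralPath $path)) { return }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name          = $_.Name
            Path          = $path
            OutsideWindir = -not $path.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)
            SigStatus     = $sig.Status
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            CertExpired   = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter -lt (Get-Date) } else { $null }
            SHA256        = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }

# Drivers running from outside the Windows directory are listed first for review.
$drivers | Sort-Object @{ Expression = 'OutsideWindir'; Descending = $true }, Name |
    Format-Table Name, OutsideWindir, SigStatus, CertExpired, Signer, Path -AutoSize
```

One caveat a practitioner should keep in mind: a driver used in a BYOVD attack is, by definition, validly signed, so a "Valid" signature status proves nothing on its own. The useful signals are an unusual load path, a signing certificate that expired years ago, and the SHA256 column, which can be compared against Microsoft's published driver block list or the community-maintained LOLDrivers catalogue of abused drivers.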