EDRKillShifter: a new way to bypass EDR solutions

Friend

Vulnerable drivers help to deceive security systems.

The RansomHub ransomware group has begun using a new malicious tool that disables EDR solutions on compromised devices in order to bypass security controls and take full control of the system. The tool, named EDRKillShifter, was discovered by Sophos researchers after a failed attack in May 2024.

EDRKillShifter is a loader that carries out a Bring Your Own Vulnerable Driver (BYOVD) attack: it drops a legitimate, signed but vulnerable driver and abuses it to escalate privileges, disable security features, and gain full control over the system.

Sophos found two different EDRKillShifter samples, both built on publicly available proof-of-concept exploits from GitHub. One sample abuses the vulnerable RentDrv2 driver; the other abuses the ThreatFireMonitor driver, a component of an outdated system-monitoring package. The loader can also deliver different drivers depending on what the attackers need.

Execution proceeds in three stages. First, the attacker runs the loader binary with a password on the command line; the password is used to decrypt an embedded resource named BIN and execute it in memory. That code then unpacks and runs the final payload, which drops and loads the vulnerable driver to escalate privileges and terminate EDR processes.

The payload creates a new service for the driver, starts the service so that the driver is loaded, and then enters an infinite loop that continuously enumerates running processes and terminates any whose name matches an encrypted list of targets.
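The service-creation step is the noisiest part of this chain from a defender's point of view: on Windows, installing a new kernel-mode driver service writes a System-log event 7045, and a driver being started from a user-writable directory such as a profile or Temp folder is exactly what BYOVD staging looks like. The script below is an added example, not Sophos's analysis code or anything from EDRKillShifter itself. It parses a few constructed 7045 events (written in a simplified `key=value;` form rather than the real EVTX layout), normalizes the driver path, and flags kernel drivers that are either loaded from outside `System32\drivers` or whose file name is on a small watch-list. `rentdrv2.sys` is derived from the driver the page names; `tfsysmon.sys` is an assumed file name for the ThreatFireMonitor driver and the service names are invented.

```python
"""Flag kernel-driver service installs that look like BYOVD staging.

Added example; not code from Sophos, RansomHub or EDRKillShifter.
Sample events and the watch-list are constructed for illustration.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed watch-list of driver file names (lower-case).
# rentdrv2.sys follows from the RentDrv2 driver named in the article;
# tfsysmon.sys is an ASSUMED name for the ThreatFireMonitor driver.
WATCHLIST = {"rentdrv2.sys", "tfsysmon.sys"}

# Where a legitimately installed kernel driver is expected to live.
TRUSTED_DIRS = ("c:\\windows\\system32\\drivers\\",)

FIELD_RE = re.compile(r"(\w+)=([^;]*)")


@dataclass
class ServiceInstall:
    event_id: int
    service_name: str
    image_path: str
    service_type: str


def parse_event(line: str) -> ServiceInstall:
    """Parse one simplified 'Key=Value; Key=Value' event line."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(line)}
    return ServiceInstall(
        event_id=int(fields["EventID"]),
        service_name=fields["ServiceName"],
        image_path=fields["ImagePath"],
        service_type=fields["ServiceType"],
    )


def normalize_path(raw: str) -> str:
    """Strip quoting and NT-style prefixes so paths compare consistently."""
    path = raw.strip().strip('"')
    if path.startswith("\\??\\"):          # \??\C:\... object-manager prefix
        path = path[4:]
    if path.lower().startswith("\\systemroot\\"):
        path = "C:\\Windows\\" + path[len("\\SystemRoot\\"):]
    return path.lower()


def suspicious_driver_installs(lines):
    """Return [(service_name, [reasons...])] for kernel drivers worth a look."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        # Only service-install events for kernel-mode drivers are interesting.
        if ev.event_id != 7045 or "kernel" not in ev.service_type.lower():
            continue
        path = normalize_path(ev.image_path)
        base = ntpath.basename(path)        # ntpath handles backslashes on any OS
        reasons = []
        if base in WATCHLIST:
            reasons.append(f"driver name on vulnerable-driver watch-list: {base}")
        if not path.startswith(TRUSTED_DIRS):
            reasons.append(f"driver loaded from outside System32\\drivers: {ev.image_path}")
        if reasons:
            hits.append((ev.service_name, reasons))
    return hits


# Constructed sample events (simplified shape, not real EVTX records).
SAMPLE_EVENTS = [
    "EventID=7045; ServiceName=WinMon; ImagePath=\\??\\C:\\Users\\Public\\rentdrv2.sys; ServiceType=kernel mode driver; AccountName=LocalSystem",
    "EventID=7045; ServiceName=NetStack; ImagePath=C:\\Windows\\System32\\drivers\\tcpip.sys; ServiceType=kernel mode driver; AccountName=LocalSystem",
    "EventID=7045; ServiceName=Updater; ImagePath=C:\\Program Files\\Vendor\\svc.exe; ServiceType=user mode service; AccountName=LocalSystem",
    "EventID=7045; ServiceName=Mon; ImagePath=C:\\Windows\\Temp\\TfSysMon.sys; ServiceType=kernel mode driver; AccountName=LocalSystem",
    "EventID=7045; ServiceName=Legit; ImagePath=\\SystemRoot\\System32\\drivers\\legit.sys; ServiceType=kernel mode driver; AccountName=LocalSystem",
]

if __name__ == "__main__":
    for name, reasons in suspicious_driver_installs(SAMPLE_EVENTS):
        print(name)
        for r in reasons:
            print("   ", r)
```

Run against the constructed events, the two staged drivers (`WinMon` and `Mon`) are flagged with both reasons, while `tcpip.sys`, the `\SystemRoot`-relative driver and the user-mode service are ignored. In production the same logic would run over 7045 events pulled from the System log (or Sysmon event 6, driver loaded), and the watch-list would be replaced by hashes from a maintained vulnerable-driver list rather than file names, since the loader can rename the driver it drops.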

[Image: EDRKillShifter attack chain]

Sophos recommends enabling tamper protection in endpoint security products, keeping user and administrator rights strictly separate so that attackers cannot load vulnerable drivers, and keeping systems up to date, since Microsoft regularly revokes the certificates of signed drivers that have been abused in earlier attacks.
