Overview
In the ever-evolving landscape of cybersecurity, ransomware operators continuously refine their tactics to stay one step ahead of security defenses. One of the latest and most concerning developments is the emergence of EDRKillShifter, a sophisticated tool used to bypass Endpoint Detection and Response (EDR) systems. Identified by Sophos researchers in May 2024, EDRKillShifter represents a significant advancement in the growing trend of BYOVD (Bring Your Own Vulnerable Driver) attacks. These attacks leverage legitimate but vulnerable drivers to disable EDR protections and allow cybercriminals to move freely within compromised networks.
EDRKillShifter is part of a new wave of malware tools designed specifically to target and neutralize EDR solutions, making it increasingly difficult for organizations to detect and respond to cyber threats. Unlike traditional malware that seeks to exploit vulnerabilities in the operating system or software applications, EDRKillShifter takes advantage of weaknesses in trusted system drivers, which are typically overlooked by security programs. This makes it an especially dangerous weapon for attackers, as it can disable security measures without triggering alarms or suspicion from standard detection tools.
Targets
Information
Individuals
How they operate
Tool Mechanism and Execution Process
EDRKillShifter operates as a loader executable, a relatively simple but highly effective component of the malware chain. The execution of the malware begins when the attacker initiates the tool via a password-protected command line. This ensures that the initial step of the attack is concealed from any potential monitoring systems, requiring the correct password to decrypt the embedded payload. The loader, once activated, extracts a resource called BIN, which is encrypted and hidden in memory.
After decryption, the BIN code is executed, which unpacks and loads the final payload. The payload is a binary file written in Go, a programming language known for its portability and efficiency. The Go binary then carries out its core function: exploiting vulnerable drivers already present in the victim’s system. These drivers, which are often legitimate but have known security flaws, are leveraged to bypass the security controls of EDR systems.
Exploitation of Vulnerable Drivers
A unique and particularly dangerous characteristic of EDRKillShifter is its use of Bring Your Own Vulnerable Driver (BYOVD) techniques. Instead of relying solely on the exploitation of known vulnerabilities in the operating system or software, EDRKillShifter abuses already installed drivers—often signed and trusted by the system. The exploited drivers can escalate privileges to an attacker’s advantage, giving the malware full control over the system. Once the exploit is successful, the malware disables EDR protections, effectively neutralizing any defense mechanisms that might alert the victim or prevent further malicious activities.
The exploitation of these drivers occurs silently, without triggering alarms in traditional security solutions. EDRKillShifter makes use of the T1203 (Exploitation for Privilege Escalation) technique in the MITRE ATT&CK framework, allowing it to bypass user-level restrictions and execute its payload with higher privileges. This step is crucial because it allows the attacker to move undetected and further escalate their access, including executing additional stages of the ransomware attack.
Obfuscation and Evasion Tactics
Another technical feature of EDRKillShifter is its use of self-modifying code and obfuscation techniques. The malware employs these tactics to avoid detection by reversing-engineering tools and traditional signature-based security systems. As part of its evasion strategy, the final Go binary payload is heavily obfuscated. The payload removes version information, encrypts strings, and hides package paths, making it nearly impossible for security researchers to trace the malware’s source or analyze its operations easily.
This method complicates the process of reverse engineering, as the code constantly changes during runtime. Researchers and security analysts require specialized tools to unpack and analyze the malware’s behavior, and even then, the tools struggle to deobfuscate the code entirely. The obfuscation thus extends the time window during which the malware can operate undetected on an infected system.
Payload Deployment and Persistence
Once the EDRKillShifter has disabled the endpoint’s security systems, it proceeds to drop and execute the final ransomware payload. This often involves encrypting the victim’s data, demanding a ransom, and holding the information hostage until payment is made. The ransomware component of EDRKillShifter takes advantage of the now unprotected environment to deploy a complete attack, often culminating in a total system lockdown and data exfiltration.
To ensure the attack’s persistence, EDRKillShifter may also implement scheduled tasks or modify system settings to allow the malware to reinfect the system after reboot or user login. This persistence mechanism is a key part of ransomware campaigns, as it ensures that even if the victim attempts to recover or reset their system, the malware will remain active, continuing the extortion process.
Conclusion and Mitigation Recommendations
EDRKillShifter represents a significant advancement in ransomware attack techniques, with its ability to bypass security protections and disable endpoint defenses making it a powerful weapon in the hands of threat actors. The malware’s sophisticated use of vulnerable drivers, self-modifying code, and evasive payload techniques demonstrates the growing complexity of modern cyber threats.
To defend against EDRKillShifter, it is critical for organizations to regularly update their systems and ensure that security measures are in place to detect unusual driver activities. Enabling tamper protection in EDR systems and practicing strict privilege separation can also mitigate the risks posed by this malware. Moreover, it is essential to remain vigilant for new vulnerabilities in driver components and work with vendors to address any security flaws that could be exploited by such tools. By staying proactive and employing a layered security approach, organizations can better protect themselves against the evolving threat of EDR-killing malware like EDRKillShifter.
MITRE Tactics and Techniques
1. Defense Evasion
Technique: T1552 – Unsecured Credentials
EDRKillShifter can potentially leverage unsecured or improperly configured drivers or credentials to gain elevated privileges or evade detection mechanisms in place within the environment.
Technique: T1070 – Indicator Removal on Host
This malware’s use of legitimate drivers to evade EDR software might include removing or altering indicators that would normally alert security systems to the presence of a threat.
Technique: T1203 – Exploitation for Privilege Escalation
By exploiting vulnerabilities in legitimate drivers, EDRKillShifter can escalate privileges on the target system. This privilege escalation allows the malware to bypass EDR defenses and gain full control over the endpoint.
Technique: T1222 – File and Directory Permissions Modification
The malware may modify system file permissions to ensure that security controls and logs are inaccessible or tampered with, reducing the chance of detection.
2. Privilege Escalation
Technique: T1548 – Abuse Elevation Control Mechanism
EDRKillShifter likely exploits vulnerable drivers to escalate its privileges and execute malicious actions with higher system privileges, ultimately allowing it to disable security defenses effectively.
3. Impact
Technique: T1490 – Inhibit System Recovery
After disabling or bypassing EDR defenses, EDRKillShifter may inhibit system recovery tools to prevent remediation and prolong the attack’s effectiveness.
Technique: T1486 – Data Encrypted for Impact
Since EDRKillShifter is often deployed as part of a ransomware campaign, once it successfully disables EDR, it can encrypt data to demand ransom, disrupting the victim’s operations.
4. Execution
Technique: T1204 – User Execution
The malware is often delivered through password-protected command-line execution, requiring user interaction to run the initial loader executable, which then drops the final payload.
5. Persistence
Technique: T1053 – Scheduled Task/Job
EDRKillShifter may create scheduled tasks or jobs to ensure persistence, re-enabling the malware execution after system restarts or user logins.
6. Discovery
Technique: T1087 – Account Discovery
In some cases, the malware may gather information about system accounts, looking for credentials that could facilitate further privilege escalation or lateral movement.
References:
