EDRKillShifter (Trojan) – Malware

February 13, 2025

EDRKillShifter

Type of Malware

Trojan (EDR-killer utility run as a precursor to ransomware deployment)

Associated Groups

RansomHub

Date of initial activity

2024

Motivation

Financial Gain

Attack Vectors

Software Vulnerabilities (known-vulnerable, legitimately signed Windows drivers that the attacker brings along: BYOVD)

Targeted Systems

Windows

Overview

Ransomware operators keep refining their tooling to stay ahead of endpoint defenses, and one of the more concerning recent developments is EDRKillShifter, a utility built specifically to disable Endpoint Detection and Response (EDR) agents. Sophos researchers first observed it in May 2024 while investigating a ransomware attack attributed to the RansomHub operation. It belongs to the growing class of BYOVD (Bring Your Own Vulnerable Driver) tools: rather than exploiting a flaw in Windows itself or in the EDR product, the tool carries a legitimately signed driver with a known vulnerability, loads it, and uses the driver's kernel-mode access to terminate the security processes that user-mode code is normally prevented from touching. Because the driver is signed and the operating system trusts it, the attack does not trip the code-signing checks that would stop an unsigned kernel component; the defender's remaining signals are the driver load itself and the process terminations that follow it. Once the EDR agent is down, the operator can deploy ransomware and move through the network with far less chance of being detected or blocked.

Targets

Organizations compromised by RansomHub ransomware affiliates. The tool is run on Windows endpoints where an EDR agent is installed, at a point in the intrusion where the operator already holds administrative rights on the host.

How they operate

Tool Mechanism and Execution Process
EDRKillShifter is delivered as a loader executable, a small component whose only job is to unpack and run the real tool. The operator launches it from the command line with a password as an argument; that password is the key needed to decrypt the embedded payload, so a copy of the loader recovered without it yields nothing to analyze and does nothing if run. This is an anti-analysis guardrail rather than concealment from monitoring: the process launch itself is as visible as any other command. With the correct password, the loader decrypts a resource named BIN in memory and transfers execution to it; that second stage in turn unpacks and runs the final payload, a binary written in Go. The Go payload does the actual work: it drops a legitimate, digitally signed driver with a known vulnerability onto the system, loads it, and then abuses that driver to act against the EDR agent from kernel mode.
Exploitation of Vulnerable Drivers
The defining characteristic of EDRKillShifter is its use of the Bring Your Own Vulnerable Driver (BYOVD) technique. The tool does not exploit a bug in Windows or in the EDR product; it brings along a driver that is signed by a legitimate vendor, and therefore accepted by the kernel's code-integrity checks, but that exposes a flaw (typically an IOCTL interface that lets any caller terminate an arbitrary process or write to kernel memory) to user-mode code. Loading a driver requires administrative rights, so the loader must already be running in an elevated context. The driver does not give the attacker privileges they lack; it gives them a kernel-mode primitive that ordinary administrators do not have, namely the ability to kill protected security processes that user-mode APIs refuse to touch. The payload enumerates running processes and terminates those whose names match a hardcoded list of security products, leaving the endpoint without the agent that would otherwise report or block the next stage. In MITRE ATT&CK terms this is T1068 (Exploitation for Privilege Escalation), whose description explicitly covers BYOVD, combined with T1562.001 (Impair Defenses: Disable or Modify Tools). The claim that this happens "silently" deserves a caveat: the driver file is written to disk and registered as a service, which Sysmon Event ID 6 (DriverLoad) and the System log's service-installation event (ID 7045) record, and the sudden termination of several security processes is itself a strong signal. The technique is silent only with respect to the EDR agent it has just killed.
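A detection a SOC engineer would want for the sequence just described, written here as an added example (it is not code from this page or from Sophos): it walks Sysmon-style events, treats a driver load followed within a short window by the termination of several security-product processes as the primary signal, and uses the blocklist hash and load path only to raise confidence. Event IDs 6 and 5 are real Sysmon IDs; the hashes, paths, process names and blocklist contents are constructed placeholders.

```python
"""Detect a BYOVD-style EDR-killer sequence in endpoint telemetry.

Added example; not code from this page or from Sophos. It models Sysmon
events as dicts: Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminate).
The hashes, paths and process names in the sample data are constructed.
"""
from datetime import datetime, timedelta
from ntpath import basename  # splits Windows paths correctly even when run on Linux

# Constructed placeholders standing in for SHA-256 entries from a vulnerable-driver
# blocklist (loldrivers.io or Microsoft's driver blocklist). Refresh such a list often.
BLOCKLISTED_DRIVER_SHA256 = {
    "0f" * 32: "hypothetical-vulnerable-driver.sys",
}

# Constructed set of executable names belonging to security products on this estate.
SECURITY_PROCESSES = {"msmpeng.exe", "sophoshealth.exe", "sentinelagent.exe", "csfalconservice.exe"}

SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
WINDOW = timedelta(seconds=60)  # kills must follow the driver load within this interval
MIN_KILLS = 2                   # one termination is noise; several security processes is a killer


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def _sha256(event):
    """Extract the SHA256 value from a Sysmon 'Hashes' field such as 'MD5=..,SHA256=..'."""
    for part in event.get("Hashes", "").split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return ""


def driver_load_reasons(event):
    """Reasons an Event ID 6 record looks like a driver the attacker brought along.

    A valid Authenticode signature is deliberately NOT treated as reassuring:
    BYOVD drivers are properly signed, that is the whole point of the technique.
    """
    reasons = []
    digest = _sha256(event)
    if digest in BLOCKLISTED_DRIVER_SHA256:
        reasons.append("hash matches blocklisted driver " + BLOCKLISTED_DRIVER_SHA256[digest])
    if not event["ImageLoaded"].lower().startswith(SYSTEM_DRIVER_DIR):
        reasons.append("driver loaded from outside the system driver directory")
    return reasons


def detect_edr_killer(events):
    """One alert per driver load followed by >= MIN_KILLS security-process terminations
    inside WINDOW. The sequence alone is enough to alert; blocklist or path hits only
    raise confidence, because a newly abused signed driver will match neither.
    """
    events = sorted(events, key=_ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev["EventID"] != 6:
            continue
        t0 = _ts(ev)
        killed = [
            basename(e["Image"])
            for e in events[i + 1:]
            if e["EventID"] == 5
            and _ts(e) - t0 <= WINDOW
            and basename(e["Image"]).lower() in SECURITY_PROCESSES
        ]
        if len(killed) < MIN_KILLS:
            continue
        reasons = driver_load_reasons(ev)
        alerts.append({
            "driver": ev["ImageLoaded"],
            "loaded_at": ev["UtcTime"],
            "killed": killed,
            "reasons": reasons,
            "confidence": "high" if reasons else "medium",
        })
    return alerts


# Constructed sample telemetry: a benign driver load, then the EDR-killer pattern.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2025-02-13 09:58:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\benign.sys",
     "Hashes": "SHA256=" + "ab" * 32, "Signed": "true"},
    {"EventID": 6, "UtcTime": "2025-02-13 10:00:05.000",
     "ImageLoaded": "C:\\Users\\Public\\drv\\hypothetical.sys",
     "Hashes": "MD5=" + "11" * 16 + ",SHA256=" + "0f" * 32, "Signed": "true"},
    {"EventID": 5, "UtcTime": "2025-02-13 10:00:07.250",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2025-02-13 10:00:08.100",
     "Image": "C:\\Program Files\\Sophos\\Health\\SophosHealth.exe"},
    {"EventID": 5, "UtcTime": "2025-02-13 10:00:09.000",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for alert in detect_edr_killer(SAMPLE_EVENTS):
        print(alert)
```

Run it as a script to print the single alert the sample data produces. Two design points matter: the signature field is ignored on purpose, since a BYOVD driver is validly signed, and the sequence fires even when the hash is unknown, because the first sighting of a newly abused driver will not be on any list. In production the same logic maps onto a Sysmon/SIEM correlation rule keyed on the host.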
Obfuscation and Evasion Tactics
EDRKillShifter also invests in hindering analysis. The loader uses self-modifying code, rewriting parts of its own instructions at runtime so that a static disassembly does not show the code that actually executes. The final Go payload is obfuscated in the manner of Go obfuscation tooling: version information is stripped, strings are stored encrypted and decrypted only when used, and package paths are replaced so that function names no longer reveal the program's structure. None of this makes analysis impossible; it removes the shortcuts (readable strings, symbol names, a clean disassembly) that let an analyst or a signature-based scanner classify a sample quickly, and it forces dynamic analysis or manual deobfuscation instead. The practical effect is a longer interval between a sample being collected and detections being written for it, which is the window the operators care about.
Payload Deployment and Persistence
EDRKillShifter is a single-purpose tool, not the ransomware itself. Its job ends when the EDR agent is dead; the operator then deploys the RansomHub ransomware as a separate payload into the now-unprotected environment, typically alongside data exfiltration, and the encryption, ransom demand and extortion follow from that component. The tool also does not install persistence of its own. In the intrusions where it was observed it is run by the operator at the point in the attack where the defenses need to be removed; scheduled tasks, service installs or other persistence seen in the same incident belong to the operators' broader toolkit. What may outlive the tool is the vulnerable driver, which can remain on disk and registered as a service after the killer exits and must be removed during cleanup. Defenders should treat the killer as a precursor: when it appears, the ransomware payload is usually close behind, and the response is to isolate the host and hunt for the operator's other access rather than to clean the killer alone.
Conclusion and Mitigation Recommendations
EDRKillShifter combines a password-gated loader, an obfuscated Go payload and a BYOVD driver into a reusable tool for removing endpoint defenses, and it illustrates where ransomware tradecraft is heading. The mitigations follow directly from how it works. Keep Windows updated and enable the Microsoft vulnerable driver blocklist (enforced through hypervisor-protected code integrity or an equivalent Windows Defender Application Control policy), so that known-bad drivers are refused at load time regardless of their signature. Turn on tamper protection in the EDR product so that its processes and services resist termination and reconfiguration even by an administrator. Practice strict privilege separation: BYOVD requires the right to load drivers, so daily-use accounts must not hold local administrator rights, and administrative credentials must not be exposed on workstations where they can be captured. Alert on driver loads from unusual paths or with blocklisted hashes, and on bursts of security-process terminations. Finally, track newly disclosed driver vulnerabilities and work with vendors to retire affected drivers, since the blocklist lags disclosure. A layered approach along these lines leaves an EDR killer with nothing to kill, or with a loud failure where it expected a silent success.
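For the blocklist recommendation above, the practical question is whether anything already present on a host would be refused by Microsoft's vulnerable driver blocklist policy once it is enforced. The following added example (not code from this page, from Sophos or from Microsoft) parses a constructed policy fragment in the layout of that list (SiPolicy / FileRules / Deny rules keyed by FileName, with MinimumFileVersion 65535.65535.65535.65535 as the "all versions" sentinel, or by Hash) and checks a constructed driver inventory against it. The rule IDs, driver names, versions and hashes are placeholders; the real policy's Hash rules carry Authenticode hashes, so an inventory has to be hashed the same way, and the MaximumFileVersion comparison is an assumption noted in the code.

```python
"""Audit a driver inventory against a WDAC-style driver block policy.

Added example; not code from this page, from Sophos or from Microsoft. The XML
is a constructed fragment laid out like Microsoft's published vulnerable-driver
blocklist policy. Driver names, versions and hashes are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {"p": "urn:schemas-microsoft-com:sipolicy"}
DENY_ALL_VERSIONS = (65535, 65535, 65535, 65535)  # sentinel used by the real blocklist
HASH_B = "cc" * 32  # placeholder; the real list uses Authenticode hashes here

POLICY_XML = f"""
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <FileRules>
    <Deny ID="ID_DENY_EXAMPLE_A" FriendlyName="example_a.sys, all versions"
          FileName="example_a.sys" MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_EXAMPLE_B" FriendlyName="example_b.sys, by hash"
          Hash="{HASH_B}" />
    <Deny ID="ID_DENY_EXAMPLE_C" FriendlyName="example_c.sys, up to 2.9.9.9"
          FileName="example_c.sys" MaximumFileVersion="2.9.9.9" />
  </FileRules>
</SiPolicy>
"""


def parse_version(text):
    """'10.0.19041.1' -> (10, 0, 19041, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def load_deny_rules(xml_text):
    """Collect the policy's Deny rules into plain dicts."""
    root = ET.fromstring(xml_text.strip())
    rules = []
    for deny in root.findall("./p:FileRules/p:Deny", NS):
        min_v = deny.get("MinimumFileVersion")
        max_v = deny.get("MaximumFileVersion")
        rules.append({
            "id": deny.get("ID"),
            "filename": (deny.get("FileName") or "").lower(),
            "min": parse_version(min_v) if min_v else None,
            "max": parse_version(max_v) if max_v else None,
            "hash": (deny.get("Hash") or "").lower(),
        })
    return rules


def rule_matches(rule, driver):
    """Does this Deny rule cover this driver?

    Hash rules match on the digest regardless of file name. FileName rules match
    every version when the sentinel MinimumFileVersion is present. For
    MaximumFileVersion the rule is ASSUMED here to cover versions up to and
    including that value; confirm against the WDAC policy documentation.
    """
    if rule["hash"] and rule["hash"] == driver["sha256"].lower():
        return True
    if rule["filename"] and rule["filename"] == driver["name"].lower():
        version = parse_version(driver["version"])
        if rule["min"] == DENY_ALL_VERSIONS:
            return True
        if rule["max"] is not None and version <= rule["max"]:
            return True
    return False


def audit_inventory(inventory, rules):
    """Return one finding per inventory entry that some Deny rule covers."""
    findings = []
    for driver in inventory:
        for rule in rules:
            if rule_matches(rule, driver):
                findings.append({"driver": driver["name"], "path": driver["path"], "rule": rule["id"]})
                break
    return findings


# Constructed inventory, as gathered from `driverquery /v` plus per-file hashes.
INVENTORY = [
    {"name": "example_a.sys", "version": "2.1.0.0", "sha256": "aa" * 32,
     "path": "C:\\Windows\\System32\\drivers\\example_a.sys"},
    {"name": "benign.sys", "version": "10.0.19041.1", "sha256": "bb" * 32,
     "path": "C:\\Windows\\System32\\drivers\\benign.sys"},
    {"name": "renamed.sys", "version": "1.0.0.0", "sha256": HASH_B,
     "path": "C:\\Users\\Public\\renamed.sys"},
    {"name": "example_c.sys", "version": "3.0.0.0", "sha256": "dd" * 32,
     "path": "C:\\Windows\\System32\\drivers\\example_c.sys"},
]

if __name__ == "__main__":
    for finding in audit_inventory(INVENTORY, load_deny_rules(POLICY_XML)):
        print(finding)
```

The renamed.sys entry shows why hash rules exist: a driver copied under a different name still matches. Run the audit against the current policy XML and a hash-inclusive driver inventory before switching the policy to enforced mode, so that a legitimately needed driver on the list is replaced first rather than discovered through a failing device.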

MITRE Tactics and Techniques

1. Defense Evasion
Technique: T1562.001 – Impair Defenses: Disable or Modify Tools
The core purpose of EDRKillShifter: terminating EDR processes through the vulnerable driver so that the agent no longer reports or blocks activity.
Technique: T1027 – Obfuscated Files or Information
Encrypted embedded payload, stripped version information, encrypted strings and renamed package paths in the Go binary, plus self-modifying code in the loader.
Technique: T1070 – Indicator Removal
Not a confirmed feature of the tool itself. Killing the EDR agent stops new telemetry from being produced; any deletion of logs or artifacts observed in these intrusions is operator activity.
Technique: T1222 – File and Directory Permissions Modification
Likewise unconfirmed for this tool; listed because ransomware operators commonly tamper with permissions on logs and security files once defenses are down.
2. Privilege Escalation
Technique: T1068 – Exploitation for Privilege Escalation
ATT&CK places BYOVD here: the signed vulnerable driver is exploited to obtain kernel-mode capability (arbitrary process termination) from an already-administrative context. The loader must be run elevated; the technique extends privilege into the kernel rather than granting administrator rights.
3. Execution
Technique: T1059.003 – Command and Scripting Interpreter: Windows Command Shell
The operator launches the loader from a command line, passing the decryption password as an argument. This is hands-on-keyboard execution by the attacker, not User Execution (T1204); no victim interaction is involved.
4. Impact
Technique: T1486 – Data Encrypted for Impact
Technique: T1490 – Inhibit System Recovery
Both belong to the ransomware payload deployed after EDRKillShifter has done its work, not to the killer itself; they are the reason the killer is run.
5. Persistence
Technique: T1053 – Scheduled Task/Job
Not a feature of EDRKillShifter. Scheduled tasks or services observed in these intrusions are the operators' separate persistence; the vulnerable driver's service registration may outlive the tool and should be removed during cleanup.
6. Discovery
Technique: T1057 – Process Discovery
The payload enumerates running processes to match them against its hardcoded list of security-product names.
Technique: T1087 – Account Discovery
Not attributable to EDRKillShifter itself; account discovery in RansomHub intrusions comes from the operators' other tooling.
References:
  • Sophos, "EDRKillShifter: A New EDR-Killing Malware Weapon for Ransomware Operators" (2024)