The hacking collective RansomHub has unveiled a new strain of malware, one which is used to disable security software and leave PCs open to attack.
Discovered by security firm Sophos, RansomHub’s new malware has been dubbed EDRKillShifter. First detected during May 2024, EDRKillShifter carries out a Bring Your Own Vulnerable Driver (BYOVD) attack. The main objective of a BYOVD attack is to install a vulnerable driver on a target PC. With this driver in place, threat actors can remotely gain unauthorized access and get a foothold within the system.
The Story Behind EDRKillShifter’s Attack
EDRKillShifter typically targets Endpoint Detection and Response (EDR) security software, leaving PCs at risk of multiple malware attacks. Classed as a ‘loader’ malware, EDRKillShifter delivers a legitimate, yet vulnerable driver onto the target PC. In many cases, it’s been identified that multiple drivers, which are all vulnerable, have been introduced to PCs.
Once the vulnerable drivers have been deployed within the PC, EDRKillShifter executes a further payload within the device’s memory. This payload allows the threat actors to exploit the vulnerable drivers and, as a result, gain access to elevated privileges. This change in privileges gives the attackers the ability to disable EDR software on the machine. And the name of this software is hardcoded into EDRKillShifter’s processes, to prevent it from being restarted.
Attempts to run ransomware on compromised machines has been noted by Sophos and, digging deeper into the EDRKillShifter code, there are strong indicators that the malware originates from Russia. As regards the vulnerable drivers, these are freely available on the Github repository and have been known about for some time.
Preventing the Spread of EDRKillShifter
The mechanics of EDRKillShifter are effective and dangerous but are nothing new. Similar attacks, such as AuKill, have been carried out in the last year, and the technique currently appears popular with threat actors.
Luckily, your organization doesn’t have to fall victim to malware such as EDRKillShifter and its variants. Instead, you can maintain the security of your IT infrastructure by following these best practices:
- Enable Tamper Protection: It’s important that you limit user privileges for installing drivers. For the average PC user, there’s no reason why they should be installing drivers. Therefore, you can protect your security defenses by limiting driver privileges to restricted admin accounts. This ensures that unauthorized users are unable to disable your EDR software.
- Always Install Updates: Vulnerable drivers, such as those exploited by EDRKillShifter, are often updated once vulnerabilities have been detected. This is why it’s paramount that your organization always installs updates as quickly as possible. By eliminating compromised files from your PCs, you’re instantly strengthening the safety of your machines.
- Use Driver Signature Enforcement: Windows has a tool called Driver Signature Enforcement (DSE), which can help protect your PC from BYOVD malware. DSE ensures that only drivers signed by Microsoft can be installed on your devices. By enlisting the help of DSE, you’re adding another layer of protection to your defenses.
For more ways to secure and optimize your business technology, contact your local IT professionals.
