The hacking collective RansomHub has unveiled a new strain of malware, one which is used to disable security software and leave PCs open to attack.

Discovered by security firm Sophos, RansomHub’s new malware has been dubbed EDRKillShifter. First detected during May 2024, EDRKillShifter carries out a Bring Your Own Vulnerable Driver (BYOVD) attack. The main objective of a BYOVD attack is to install a vulnerable driver on a target PC. With this driver in place, threat actors can remotely gain unauthorized access and get a foothold within the system.

The Story Behind EDRKillShifter’s Attack

EDRKillShifter typically targets Endpoint Detection and Response (EDR) security software, leaving PCs at risk of multiple malware attacks. Classed as a ‘loader’ malware, EDRKillShifter delivers a legitimate, yet vulnerable driver onto the target PC. In many cases, it’s been identified that multiple drivers, which are all vulnerable, have been introduced to PCs.

Once the vulnerable drivers have been deployed within the PC, EDRKillShifter executes a further payload within the device’s memory. This payload allows the threat actors to exploit the vulnerable drivers and, as a result, gain access to elevated privileges. This change in privileges gives the attackers the ability to disable EDR software on the machine. And the name of this software is hardcoded into EDRKillShifter’s processes, to prevent it from being restarted.

Attempts to run ransomware on compromised machines has been noted by Sophos and, digging deeper into the EDRKillShifter code, there are strong indicators that the malware originates from Russia. As regards the vulnerable drivers, these are freely available on the Github repository and have been known about for some time.

Preventing the Spread of EDRKillShifter

The mechanics of EDRKillShifter are effective and dangerous but are nothing new. Similar attacks, such as AuKill, have been carried out in the last year, and the technique currently appears popular with threat actors.

Luckily, your organization doesn’t have to fall victim to malware such as EDRKillShifter and its variants. Instead, you can maintain the security of your IT infrastructure by following these best practices:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


A vulnerability has been discovered within AMD processors which has the potential to expose affected PCs to incredibly stealthy strains of malware.

AMD processors are used to power computers, and this is achieved by executing instructions within software applications. Therefore, everything you do on a PC is powered by a processor e.g. running Windows, processing data, and calculations. Some processors are more powerful than others, and the type chosen depends on the user’s need e.g. a diehard gamer will need a high-performance processor to get the best gaming experience, while someone working in a small office will need something less powerful to complete word processing tasks.

As AMD is a highly popular manufacturer of PC processors, we’re going to take a close look at this vulnerability and discuss the impact it could have on your PC users.

Understanding the AMD Chip Vulnerability

The vulnerability in AMD’s chips was discovered by the security firm IOActive, who has named the vulnerability Sinkclose. The flaw was first found in October 2023, but it appears Sinkclose has been present in AMD processors for close to two decades, a remarkable amount of time for a vulnerability to go unnoticed.

Sinkclose affects a specific operating mode within the processors named System Management Mode. This function is used to control systemwide processes including power management and system hardware control. Key to the Sinkclose vulnerability is the fact that System Management Mode also offers high privilege access. And it’s this access which, potentially, could allow a threat actor to run malicious code undetected.

Gaining access deep enough within a PC to even tackle the System Management Mode is difficult for even the most skilled hackers, but it’s not impossible. After infecting a machine with a bootkit – a form of malware which executes very early in the boot process – a threat actor could make their way deep within the system. And if a threat actor does manage to install malware through the Sinkclose vulnerability, the location of the infection means it would survive multiple reinstallations of Windows.

Are You Safe from Sinkclose?

With the Sinkclose vulnerability potentially active since 2006, and IOActive warning that all AMD chips dating back to this period could be affected, the potential damage is huge. AMD has been quick to respond and, since Sinkclose was first identified last year, has been working on an update ever since. Patches for AMD Ryzen and Epyc chips have recently been issued, but clearing up this debacle looks to be a long-term project for AMD.

While the threat is currently difficult to exploit, if threat actors discover an effective method to abuse it, countless PCs could be at increased risk of being compromised. Therefore, it’s crucial you follow these best practices to maintain the security of your PCs:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


A North Korean hacking group has targeted two South Korean cryptocurrency companies with a new strain of malware dubbed Durian.

The relationship between North and South Korea has always been troubled, and this latest cyber-attack will do little to resolve these tensions. The attack itself uses a previously unseen malware variant known as Durian, which is coded in the Golang programming language. Both attacks occurred in the second half of 2023, with Kaspersky recently announcing them in their Q1 APT trends report.

While you may not run a cryptocurrency firm, or be a target of North Korea, it’s important to understand contemporary threats, so we’re going to look at Durian.

How Does Durian Work?

The exact attack method which Durian uses is currently unknown, but it appears to target software which is exclusively used in South Korea. It’s likely, therefore, that a vulnerability has been discovered, although no specific vulnerability has been identified yet. Regardless of the entry method, what is known is that Durian sets up backdoor functionality. This allows the threat actor to download further files, harvest data and files to external servers, and execute commands on the compromised servers.

Once Durian has a foothold within a target’s system, it starts downloading further malware such as Appleseed and LazyLoad, alongside genuine apps such as Chrome Remote Desktop. This makes Durian a particularly persistent threat and makes it a difficult piece of malware to combat.

It’s believed that the threat actor behind Durian is Kimsuky, a North Korean group who has been active since 2012. Kimsuky has been busy in recent times and appear focused on stealing data on behalf on North Korea. Notably, the usage of LazyLoad indicates that Kimsuky may also be partnering with another North Korean group known as Lazarus. LazyLoad has previously been deployed by Andariel, a splinter group with connections to the Lazarus Group.

Staying One Step Ahead of Durian

A specific fix against Durian hasn’t been announced, but this doesn’t mean your defenses are under immediate threat. Instead, by following the basic principles of cybersecurity, you can keep your IT infrastructure safe:

  • Always Install Updates: it’s suspected Durian is targeting specific software to establish itself on targeted systems, and this indicates that a vulnerability is being exploited with this software. Therefore, this acts as a worthy reminder on the importance of installing updates promptly. These updates can instantly plug security holes and keep your IT systems secure.
  • Be Aware of Spear-Phishing: Kimsuky is known for employing spear-phishing techniques so it’s vital your employees are educated on this threat. Typically, spear-phishing targets specific individuals within a company and attempts to deceive them into providing confidential information or direct access to internal systems.
  • Use Multi-Factor Authentication: if you want to add extra locks to your IT systems, then multi-factor authentication is the way forwards. Password breaches are common, but the use of multi-factor authentication minimizes the risk this poses. After entering a password, a unique code will be sent via SMS or through an authentication app which only the end user will have access to. Without this code, a threat actor will be unable to get any further with your password.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


A new threat actor has spent the last few months ramping up attacks involving the DarkGate and NetSupport malware, and this is set to increase further. 

The name of this new threat actor is BattleRoyal, and between September and November 2023, they launched numerous attacks. These attacks featured the DarkGate and NetSupport malware, both powerful strains of malware. DarkGate employs multiple malicious activities such as keylogging, data theft, and cryptocurrency mining. Meanwhile, NetSupport – which is a legitimate application – is being exploited and repurposed as a remote access trojan, which gives threat actors unauthorized access to IT systems. 

DarkGate and NetSupport both have the potential to cause great damage to your IT infrastructure and the security of your data. This means you need to know how to identify and deal with them. 

BattleRoyal’s Malware Campaign 

BattleRoyal appears to have launched its first wave of attacks in September 2023. This campaign involved email techniques to unleash the DarkGate malware on unsuspecting victims. At least 20 instances of this attack have been recorded, but it’s highly likely that more users were infected. Perhaps due to the noise that DarkGate was creating, BattleRoyal quickly switched its choice of weaponry to NetSupport in November. As well as using email campaigns to spread NetSupport, BattleRoyal also employed malicious websites and fake updates to infect PC users. 

DarkGate is also notable for taking advantage of a vulnerability located in Windows SmartScreen. The main objective of SmartScreen is to protect users from accessing malicious websites. However, BattleRoyal were able to work around this by using a special URL which, due to the vulnerability in SmartScreen, gave users access to a malicious website. Clearly a sophisticated threat actor, BattleRoyal had discovered this vulnerability – logged as CVE-2023-36025 – long before Microsoft acknowledged its existence. 

How to Stay Safe from BattleRoyal 

Microsoft has since launched a security patch to combat the CVE-2023-36025 vulnerability, and installing this remains the surest way to combat the activity of DarkGate. However, given that BattleRoyal has used a multi-pronged attack, with NetSupport being used to download further malware, you can’t rely on patches alone. Vigilance, as ever, is vital. Therefore, you need to practice these best security tips to prevent any infections: 

  • Beware of phishing emails: one of the most popular ways to breach the defenses of IT infrastructures involves phishing emails. Not only can these emails be used to steal confidential information through social engineering techniques, but they can also be used to direct recipients towards malicious websites and files. Therefore, it’s important that everyone in your organization can identify phishing emails
     
  • Always install updates: although BattleRoyal was able to identify the SmartScreen vulnerability before the availability of a patch, this doesn’t mean you should minimize the importance of updates. All updates should be installed as soon as they’re available, activating automatic updates is the best way to guarantee that your defenses are fully up-to-date. 
     
  • Use security software: reputable security software is one of the simplest, yet most effective ways to protect your IT systems against malware. Capable of identifying and removing malware before it’s activated, anti-malware tools should be an essential part of your IT defenses. As well as carrying out automatic scans of your system, many of these security suites feature screening tools to warn against malicious websites and emails. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More


Malware and flies share one thing in common: they’re pesky. However, while flies help the ecosystem, the Striped Fly malware is nothing but trouble. 

Striped Fly has recently hit the headlines, but Kaspersky has revealed they’ve found evidence of its malicious activity dating back to 2017. Unfortunately, no one had been aware of its true identity until now. This means Striped Fly has enjoyed a five-year campaign where not even a single security researcher knew of its existence. And Kaspersky estimate that this invisibility has allowed it to infect over one million Windows and Linux hosts.  

In 2017, Striped Fly was mistakenly labelled as a cryptocurrency miner, falling under the Monero trojan family. Subsequent findings, however, have revealed that Striped Fly is much more sophisticated. 

What is Striped Fly?

Striped Fly’s exact mechanism is not fully understood at present, but researchers believe they know how it operates. It’s suspected that the threat actors exploited an EternalBlue SMBv1 exploit to gain a foothold in internet facing PCs. After discovering evidence of Striped Fly within the WININIT.exe application – used to help load subsystems within Windows – Kaspersky determined that it then downloads further files. 

These files typically come from online software depositories such as GitHub and BitBucket. These are used to build the final Striped Fly payload. Cleverly, Striped Fly comes with Tor network capabilities to encrypt its communications. Tor, of course, is an internet router service used to encrypt data transferred over its network. And this is part of the reason why Striped Fly remained hidden for so long. 

The main talking point about Striped Fly is its sophistication and wide range of functions. Striped Fly is capable of harvesting login credentials, taking unauthorized screenshots of infected devices, stealing Wi-Fi network configuration details, transferring files to remote sources, and recording microphone output. Clearly, it poses a significant threat to all PC users. 

Swatting Striped Fly Away 

Striped Fly’s half-decade long campaign has proved to be highly successful. Accordingly, your organization needs to be on its guard against Striped Fly and any similar threats. Kaspersky hasn’t revealed a specific fix for Striped Fly but, as ever, vigilance and good security practices are key. So, make sure the following is part of your established cybersecurity strategy: 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More