The hacking collective RansomHub has unveiled a new strain of malware, one which is used to disable security software and leave PCs open to attack.

Discovered by security firm Sophos, RansomHub’s new malware has been dubbed EDRKillShifter. First detected during May 2024, EDRKillShifter carries out a Bring Your Own Vulnerable Driver (BYOVD) attack. The main objective of a BYOVD attack is to install a vulnerable driver on a target PC. With this driver in place, threat actors can remotely gain unauthorized access and get a foothold within the system.

The Story Behind EDRKillShifter’s Attack

EDRKillShifter typically targets Endpoint Detection and Response (EDR) security software, leaving PCs at risk of multiple malware attacks. Classed as ‘loader’ malware, EDRKillShifter delivers a legitimate but vulnerable driver to the target PC. In many cases, several different vulnerable drivers have been found on the same PC.

Once the vulnerable drivers have been deployed on the PC, EDRKillShifter executes a further payload within the device’s memory. This payload exploits the vulnerable drivers and, as a result, gives the threat actors elevated privileges. With these privileges, the attackers can disable the EDR software on the machine. The name of the targeted EDR software is hardcoded into EDRKillShifter, which uses it to stop the software from being restarted.

Attempts to run ransomware on compromised machines have been noted by Sophos and, digging deeper into the EDRKillShifter code, there are strong indicators that the malware originates from Russia. As for the vulnerable drivers, they are freely available on GitHub and have been known about for some time.
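A defender’s starting point against the technique described above is to watch driver loads, because a BYOVD attack cannot begin until the vulnerable driver is in the kernel. The script below is an added example written for this article; it is not code from Sophos, RansomHub or Ophtek. It reads constructed, simplified driver-load records (field="value" pairs modelled on the information a Sysmon DriverLoad event carries) and reports a driver whose hash is on a blocklist of known-vulnerable drivers, that is unsigned, or that was loaded from a user-writable directory. The hashes and paths are placeholders; a real deployment would feed it a maintained vulnerable-driver list and live telemetry.

```python
"""Flag suspicious kernel-driver loads, the first step of a BYOVD attack.

Added example for this article, not code from Sophos or the article itself.
The input is a constructed, simplified driver-load record (field="value"
pairs modelled on the information Sysmon's DriverLoad event carries). A
record is reported when the driver's hash is on a blocklist of
known-vulnerable drivers, the driver is unsigned, or it was loaded from a
user-writable directory, which is where a loader typically drops its file.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed blocklist. These are placeholders, not real driver hashes;
# a real deployment would load a maintained list of known-vulnerable drivers.
KNOWN_VULNERABLE_SHA256 = {
    "PLACEHOLDER_HASH_OF_VULNERABLE_DRIVER_A",
    "PLACEHOLDER_HASH_OF_VULNERABLE_DRIVER_B",
}

# A legitimate driver install almost never loads from these locations,
# but a dropped driver frequently does.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")

_FIELD = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    image: str
    reasons: List[str] = field(default_factory=list)


def parse_record(line: str) -> Dict[str, str]:
    """Turn one field="value" line into a dict with lower-cased keys."""
    return {key.lower(): value for key, value in _FIELD.findall(line)}


def assess_driver_load(record: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for a suspicious driver load, or None if it looks normal."""
    image = record.get("imageloaded", "")
    reasons = []
    if record.get("sha256", "").upper() in KNOWN_VULNERABLE_SHA256:
        reasons.append("known-vulnerable driver hash")
    # The drivers abused by EDR killers are validly signed, so the signature
    # check alone is not sufficient; it only catches the crude cases.
    if record.get("signed", "").lower() != "true":
        reasons.append("unsigned driver")
    if image.lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("loaded from user-writable path")
    return Finding(image, reasons) if reasons else None


def scan(lines: List[str]) -> List[Finding]:
    """Run the checks over a batch of records, ignoring non-driver events."""
    findings = []
    for line in lines:
        record = parse_record(line)
        if record.get("event") != "DriverLoad":
            continue
        finding = assess_driver_load(record)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry; paths, hashes and vendor names are made up.
SAMPLE_LOG = [
    r'Event="DriverLoad" ImageLoaded="C:\Windows\System32\drivers\ndis.sys" SHA256="CONSTRUCTED_HASH_BENIGN" Signed="true" Signature="Microsoft Windows"',
    r'Event="DriverLoad" ImageLoaded="C:\Users\Public\drv.sys" SHA256="PLACEHOLDER_HASH_OF_VULNERABLE_DRIVER_A" Signed="true" Signature="Example Vendor Ltd"',
    r'Event="ProcessCreate" Image="C:\Windows\System32\svchost.exe"',
    r'Event="DriverLoad" ImageLoaded="C:\Windows\Temp\x.sys" SHA256="CONSTRUCTED_HASH_UNKNOWN" Signed="false" Signature=""',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.image}: {', '.join(finding.reasons)}")
```

The second sample record is the one that matters: the driver is validly signed, exactly as the article says the abused drivers are, so it is the hash match and the unusual load path that flag it, not the signature check.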

Preventing the Spread of EDRKillShifter

The mechanics of EDRKillShifter are effective and dangerous but are nothing new. Similar attacks, such as AuKill, have been carried out in the last year, and the technique currently appears popular with threat actors.

Luckily, your organization doesn’t have to fall victim to malware such as EDRKillShifter and its variants. Instead, you can maintain the security of your IT infrastructure by following these best practices:

For more ways to secure and optimize your business technology, contact your local IT professionals.

The news footage may focus on military strikes, but, behind the war in Ukraine, cyberattacks are being utilized as a major weapon by Russia.

Government-backed cyberattacks are nothing new, and they will continue to be utilized as part of global espionage campaigns for the foreseeable future. However, while these attacks are unlikely to be aimed at small businesses, the methods and techniques employed are likely to trickle down into the arsenal of smaller hackers. Therefore, in the near future, these powerful attacks could regularly be launched against your business. 

At Ophtek, we pride ourselves on keeping our clients up to date on contemporary threats. But we also strive to keep you one step ahead of the hackers. And that’s why we’re going to take you through this latest attack. 

Understanding the Mechanics of this Military Hack  

Warfare has always relied on much more than just weapons; intelligence has always been equally important. And, with the rise of technology in the digital age, compromising IT equipment has proven to be highly rewarding in the pursuit of sensitive information. This latest attack, which has links with Russia’s FSB security service, has been launched by Shuckworm, a Russian threat actor with a long history of attacks.

February 2023 saw Shuckworm intensifying their attacks against Ukraine, a campaign which has been running for several years. Most notably, Shuckworm have been developing new malware in conjunction with command-and-control servers. Central to these attacks has been a strain of malware called Pterodo. Developed by Shuckworm, Pterodo is a backdoor which is executed when a malicious USB drive is plugged into a PC. The first step that Pterodo takes is to install shortcut links on the infected PC, with these links given names such as evidence.rtf.lnk in order to tempt users into clicking them.

Clicking these links will install Pterodo on the user’s PC and allow Pterodo to spread through any connected drives and download further malware. To cover its tracks, Pterodo uses a number of innovative approaches. Numerous variants of Pterodo have been developed to bypass identification tools and, in order to conceal their identity, the related command-and-control servers regularly rotate their IP addresses. While the USB route for launching this attack appears to be Shuckworm’s preferred method, there is also evidence that it’s being spread through phishing emails. 
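The lure names the article quotes, such as evidence.rtf.lnk, follow a recognisable pattern: a document extension followed by .lnk, so that a user who does not see file extensions believes they are opening a document. The script below is an added example for this article, not Shuckworm’s malware, Symantec’s tooling or Ophtek’s code. It walks a directory (for real use, the mount point of a drive being triaged) and lists shortcut files disguised as documents, along with any shortcut sitting in the drive root where lures are normally planted. The sample drive layout it builds is constructed for the demonstration.

```python
"""Triage a removable drive for shortcut lures of the kind the article describes.

Added example, not part of the article or of any vendor's tooling. It walks a
directory, which in real use would be the mount point of the drive being
triaged, and flags .lnk files whose name is built to look like a document
(evidence.rtf.lnk) as well as .lnk files placed in the root of the drive.
"""
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

# Extensions a user expects to open as a document or picture; a shortcut
# whose name ends in one of these followed by .lnk is disguising itself.
DOCUMENT_EXTENSIONS = {".rtf", ".doc", ".docx", ".pdf", ".txt", ".xls", ".xlsx", ".jpg", ".png"}


def is_disguised_shortcut(name: str) -> bool:
    """True for names like evidence.rtf.lnk, False for plain.lnk or real documents."""
    p = Path(name.lower())
    if p.suffix != ".lnk":
        return False
    inner = Path(p.stem).suffix  # evidence.rtf.lnk -> stem "evidence.rtf" -> ".rtf"
    return inner in DOCUMENT_EXTENSIONS


def scan_drive(root: str) -> List[Tuple[str, str]]:
    """Return (relative path, reason) for every suspicious shortcut under root."""
    findings = []
    root_path = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        in_root = Path(dirpath) == root_path
        for fname in files:
            rel = str((Path(dirpath) / fname).relative_to(root_path))
            if is_disguised_shortcut(fname):
                findings.append((rel, "shortcut disguised as a document"))
            elif fname.lower().endswith(".lnk") and in_root:
                findings.append((rel, "shortcut in drive root"))
    return sorted(findings)


def build_sample_drive() -> str:
    """Create a constructed directory layout imitating a planted USB drive.

    The files are empty or contain filler bytes; only the names matter here.
    """
    root = tempfile.mkdtemp(prefix="usb_sample_")
    layout = {
        "evidence.rtf.lnk": b"",        # lure name quoted in the article
        "report.docx": b"filler",       # a genuine-looking document, not flagged
        "Setup.lnk": b"",               # bare shortcut in the root
        "photos/holiday.jpg.lnk": b"",  # disguised shortcut in a subfolder
        "photos/beach.jpg": b"filler",
    }
    for rel, data in layout.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    sample = build_sample_drive()
    for rel, reason in scan_drive(sample):
        print(f"{reason}: {rel}")
```

Because the check is on names alone, it never opens or executes anything on the drive; it is a quick first pass before a shortcut is examined further, not a substitute for the policy of keeping unknown drives out of company PCs.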

How Do You Beat Military Backed Hackers? 

Threat actors that receive government support are very powerful, but that doesn’t mean they are unbeatable. In fact, this latest attack by Shuckworm can easily be deflected by practicing the following:

  • Be wary of USB drives: USB drive attacks have been commonplace for many years, so it’s important that you don’t let your guard down. Mysterious USB drives which arrive in the mail or are found out in the parking lot should be fully scrutinized and never plugged into your PCs. As well as compromising data security, malicious USB drives also have the potential to destroy your PC.
