
A new analysis of endpoint detection and response (EDR) killers reveals that 54 of them leverage a technique known as bring-your-own-vulnerable-driver (BYOVD), abusing 34 distinct vulnerable drivers between them.
EDR killer programs are common in ransomware intrusions because they give affiliates a way to neutralize security software, and so avoid detection, before deploying file-encrypting malware.
“Ransomware gangs, especially those using ransomware-as-a-service (RaaS) programs, frequently create new builds of their encryption programs, and ensuring new builds go undetected can be time-consuming,” ESET researcher Jakub Souček said in a report shared with The Hacker News.
“More importantly, encryption programs are inherently very noisy (because they inherently have to modify a large number of files in a short period of time), making it quite difficult for such malware to go undetected.”
The EDR killer acts as a specialized external component that runs to disable security controls before the locker itself is launched, which keeps the locker simple, stable, and easy to rebuild. There have been instances where the EDR termination module and the ransomware module were fused into a single binary; Reynolds ransomware is a notable example.
The majority of EDR killers rely on legitimate but vulnerable drivers to gain elevated privileges and accomplish their goals. Of the nearly 90 EDR killer tools catalogued by the Slovak cybersecurity firm, more than half use the well-known BYOVD tactic, because the driver being loaded is legitimately signed and therefore trusted by the operating system.
“The goal of a BYOVD attack is to gain privileges in kernel mode, often referred to as ring 0,” Bitdefender explains. “At this level, code has unrestricted access to system memory and hardware. Attackers cannot load unsigned malicious drivers, so they can ‘bring in’ drivers signed by trusted vendors (such as hardware manufacturers or outdated antivirus versions) with known vulnerabilities.”
Armed with kernel access, threat actors can terminate EDR processes, disable security tools, tamper with kernel callbacks, and weaken endpoint protection. As a result, Microsoft’s driver trust model can be exploited to bypass defenses, since the vulnerable drivers are legitimate and signed.
BYOVD-based EDR killers are primarily developed by three types of threat actors:
- closed ransomware groups, such as DeadLock and Warlock, that do not rely on affiliates;
- attackers who fork and tweak existing proof-of-concept code (such as SmilingKiller and TfSysMon-Killer); and
- cybercriminals who sell such tools as a service on underground marketplaces (such as DemoKiller, aka Бафомет, ABYSSWORKER, and CardSpaceKiller).
ESET said it has also identified script-based tools that utilize built-in administrative commands such as taskkill, net stop, and sc delete to disrupt the normal functioning of security product processes and services. Some variants have also been found to combine scripting with Windows Safe Mode.
“Safe mode loads only a minimal subset of the operating system and typically does not include security solutions, increasing the likelihood that malware will disable protection,” the company said. “At the same time, such activity is very noisy due to the need for restarts, and is dangerous and unreliable in an unknown environment. Therefore, this activity is rarely seen in practice.”
The third category of EDR killers is anti-rootkit tools: legitimate utilities such as GMER, HRSword, and PC Hunter that provide an intuitive user interface for terminating protected processes and services. A fourth, emerging class is the driverless EDR killers, such as EDRSilencer and EDR-Freeze, which block outbound traffic from the EDR solution and put the agent into a “coma”-like state.
“The attackers are not putting much effort into making their encryptors undetectable,” ESET said. “Rather, all sophisticated defensive evasion techniques have migrated to the user-mode components of EDR killers. This trend is most evident in commercial EDR killers, which often incorporate mature anti-analysis and anti-detection capabilities.”

Blocking exploitable drivers from loading is a necessary defense against ransomware and EDR killers. However, because the EDR killer runs only in the final stage, immediately before the encryptor is launched, a failure at that point simply lets the threat actor switch to another tool that accomplishes the same task.
Organizations must therefore deploy layered defense and detection strategies that proactively monitor for, flag, contain, and remediate threats at every stage of the attack lifecycle.
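Detection logic for the script-based tactic described above (taskkill, net stop and sc delete aimed at security product processes and services), as an added example that is not part of ESET's report or this article: it parses constructed Windows process-creation command lines and flags only commands whose target is on a defender-maintained list of protected names. The protected-name list and the sample command lines are constructed assumptions; substitute the names your own EDR or AV uses.

```python
import shlex
from collections import namedtuple

# Constructed assumption: names (lower-case, no ".exe") of the security
# product processes/services a defender wants to protect; use your own list.
PROTECTED_NAMES = {"windefend", "msmpeng", "sense", "edragent", "edrsvc"}

# Constructed CommandLine fields from Sysmon Event ID 1 / Security 4688 style
# process-creation records.
SAMPLE_COMMAND_LINES = [
    "taskkill /F /IM MsMpEng.exe",
    "net stop WinDefend /y",
    "sc delete edragent",
    "taskkill /F /IM notepad.exe",  # benign: target is not a protected name
    "sc query edrsvc",              # benign: query, not stop/delete
]

# technique: process-kill, service-stop or service-delete; target: name as
# written in the command; command_line: the offending line, for the alert
Finding = namedtuple("Finding", "technique target command_line")

def _normalize(name):
    """Lower-case a process/service name, drop quotes and a trailing .exe."""
    name = name.strip('"').lower()
    return name[:-4] if name.endswith(".exe") else name

def analyze_command(cmdline):
    """Return a Finding if the command kills, stops or deletes a protected
    security process or service; otherwise None (benign or unparseable)."""
    try:
        argv = shlex.split(cmdline, posix=False) or [""]  # keep backslashes
    except ValueError:  # unbalanced quotes
        return None
    # Tool name comes from the first token, bare or as a quoted full path
    tool = _normalize(argv[0].replace("/", "\\").rsplit("\\", 1)[-1])
    args = [a.lower() for a in argv[1:]]
    technique = target = None
    if tool == "taskkill":
        for i, a in enumerate(args[:-1]):  # taskkill ... /IM <image>
            if a in ("/im", "-im"):
                technique, target = "process-kill", args[i + 1]
    elif tool in ("net", "net1") and len(args) >= 2 and args[0] == "stop":
        technique, target = "service-stop", args[1]
    elif tool == "sc" and len(args) >= 2 and args[0] in ("stop", "delete"):
        technique, target = "service-" + args[0], args[1]
    if target is not None and _normalize(target) in PROTECTED_NAMES:
        return Finding(technique, target, cmdline)
    return None

def scan(command_lines):
    return [f for f in map(analyze_command, command_lines) if f is not None]
```

Running scan(SAMPLE_COMMAND_LINES) yields three findings (process-kill, service-stop, service-delete) and ignores the two benign lines; in production the hits would be raised as alerts alongside driver-load telemetry rather than acted on in isolation.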
“EDR killers persist because they are cheap, consistent, and decoupled from the encryptor. They are ideal for both encryptor developers, who do not need to focus on making their encryptors undetectable, and affiliates, who have an easy-to-use and powerful utility that destroys defenses before encryption,” ESET said.
