
RansomHub observed using malware tool to switch off endpoint protection

The operators behind a ransomware gang increasingly targeting Australian organisations are using a novel tool to disable EDR solutions on target devices.

David Hollingworth
Tue, 20 Aug 2024

Ransomware gangs and the affiliates they work with are known to be opportunistic when it comes to their victimology.

They target vulnerabilities, not particular organisations or sectors.

That said, one outfit seems to be making a habit recently of targeting Australian victims. The RansomHub group – a ransomware-as-a-service operation that hires its infrastructure out to affiliate hackers for a price – has claimed nearly a dozen Australian victims in August, as well as a couple in New Zealand, and now security researchers have shed some light on at least one portion of the gang’s modus operandi.


According to researchers at Sophos who recently investigated a failed RansomHub attack, the gang is using a malware tool designed to turn endpoint protection off on targeted devices.

Dubbed EDRKillShifter by Sophos, the tool is a loader executable that takes advantage of a legitimate but vulnerable driver to deliver a raft of different payloads. These are known as “bring your own vulnerable driver”, or BYOVD, tools.

Once EDRKillShifter is deployed by a threat actor – the tool is offered for sale on a number of criminal forums and is used by several threat actors aside from RansomHub – it is executed with a password supplied on the command line. That password decrypts an embedded resource called BIN, which is then unpacked into memory before the final payload executes.

This last payload is written in the Go programming language to aid in obfuscation and can drop and use several exploitable drivers, which, in turn, allows the threat actor to gain enough privileges on the target system to effectively kill EDR tools on the target device.

Sophos believes multiple threat actors may be developing different stages of the loader, each for their own purposes. In the instance investigated by Sophos, the language properties were set to Russian, suggesting the executable was compiled on a machine with Russian localisation settings.

“Selling loaders or obfuscators is a lucrative business on the darknet. Sophos X-Ops suspects that the loader’s sole purpose is to deploy the final BYOVD payload, and that it might have been acquired on the darknet,” Andreas Klopsch, senior threat researcher at Sophos, said in a statement.

“The final EDR killer payloads are then simply being delivered by the loader itself.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
