RansomHub Rolls Out Brand-New, EDR-Killing BYOVD Binary

The RansomHub ransomware gang has debuted a fresh utility in its attacks, developed to terminate endpoint detection and response (EDR) processes before they can pick up on any malicious activity.

Appropriately dubbed "EDRKillShifter," the binary is built to load a legitimate but unpatched vulnerable driver that can then be exploited for privilege escalation using proof-of-concept exploits available on GitHub, according to the Sophos X-Ops team.

"There are three steps to the execution process of this loader," Sophos researchers explained in an analysis this week. "The attacker must execute EDRKillShifter with a command line that includes a password string. When run with the correct password, the executable decrypts an embedded resource named BIN and executes it in memory."

They added, "The BIN code unpacks and executes the final payload. This final payload, written in the Go programming language, drops and exploits one of a variety of different vulnerable, legitimate drivers to gain privileges sufficient to unhook an EDR tool’s protection."

The findings come as malware designed to disable EDR systems is on the rise. For instance, AuKill, an EDR killer tool Sophos X-Ops discovered last year being sold commercially on the Dark Web, has seen a surge of use in the past year. And the Terminator, which uses a bring-your-own-driver (BYOVD) mechanism similar to EDRKillShifter, has seen increasing popularity due to its ability to offer an "all-in-one" EDR bypass, killing 24 different vendors' EDR engines.

Protecting Against BYOVD Attacks

The BYOVD attack method is not new, and since last year, Microsoft has begun to decertify signed drivers known to have been abused in the past. But that doesn't completely solve the problem.

"Installing an older, buggy version of a driver is a well-known, long-used hacking technique," Roger Grimes, data-driven defense evangelist at KnowBe4, wrote in an emailed statement. "I used it myself with great success for the 20 years I did penetration testing. And it's very difficult to defend against."

He explained that keeping track of older software versions and then preventing them from installing is one thing, but the situation is made more complex given that many admin/user groups intentionally want to keep older software installed because of compatibility and operability issues. Thus, even an app installer with that kind of tracking functionality would find it hard to stay abreast of the shifting landscape.

"Keeping track of what software versions and drivers are old and shouldn't be installed would quickly become another antivirus signature database-tracking problem, where the vendors were always behind the 8-ball trying to keep up with what's the latest," he noted.

With that in mind, Sophos X-Ops recommends that admins implement strong hygiene for Windows security roles to fend off this type of scenario.

"This attack is only possible if the attacker escalates privileges they control, or if they can obtain administrator rights. Separation between user and admin privileges can help prevent attackers from easily loading drivers," according to the report.