RansomHub Rolls Out Brand-New, EDR-Killing BYOVD Binary

After loading a vulnerable driver, the utility uses a public exploit to gain privilege escalation and the ability to disable endpoint protection software.


The RansomHub ransomware gang has debuted a fresh utility in its attacks, developed to terminate endpoint detection and response (EDR) processes before they can pick up on any malicious activity.

Appropriately dubbed "EDRKillShifter," the binary loads a legitimately signed driver that carries a known, unpatched vulnerability, then exploits that driver for privilege escalation using proof-of-concept code publicly available on GitHub, according to the Sophos X-Ops team.

"There are three steps to the execution process of this loader," Sophos researchers explained in an analysis this week. "The attacker must execute EDRKillShifter with a command line that includes a password string. When run with the correct password, the executable decrypts an embedded resource named BIN and executes it in memory."

They added, "The BIN code unpacks and executes the final payload. This final payload, written in the Go programming language, drops and exploits one of a variety of different vulnerable, legitimate drivers to gain privileges sufficient to unhook an EDR tool’s protection."

The findings come as malware designed to disable EDR systems is on the rise. For instance, AuKill, an EDR killer tool Sophos X-Ops discovered last year being sold commercially on the Dark Web, has seen a surge of use in the past year. And the Terminator, which uses a bring-your-own-vulnerable-driver (BYOVD) mechanism similar to EDRKillShifter, has seen increasing popularity due to its ability to offer an "all-in-one" EDR bypass, killing 24 different vendors' EDR engines.

Protecting Against BYOVD Attacks

The BYOVD attack method is not new, and since last year Microsoft has begun blocking signed drivers known to have been abused by adding them to its vulnerable driver blocklist. But that doesn't completely solve the problem: the list only covers drivers already known to be abused, and it only protects systems where it is enabled.

"Installing an older, buggy version of a driver is a well-known, long-used hacking technique," Roger Grimes, data-driven defense evangelist at KnowBe4, wrote in an emailed statement. "I used it myself with great success for the 20 years I did penetration testing. And it's very difficult to defend against."

He explained that keeping track of older software versions and blocking their installation is feasible in principle, but the situation is complicated by the fact that many admin and user groups intentionally keep older software installed because of compatibility and operability issues. Even an installer with that kind of tracking built in would struggle to keep up with the shifting landscape.

"Keeping track of what software versions and drivers are old and shouldn't be installed would quickly become another antivirus signature database-tracking problem, where the vendors were always behind the 8-ball trying to keep up with what's the latest," he noted.

With that in mind, Sophos X-Ops recommends that admins enforce strict separation between administrative and standard Windows accounts, since loading a driver requires administrator rights in the first place.

"This attack is only possible if the attacker escalates privileges they control, or if they can obtain administrator rights. Separation between user and admin privileges can help prevent attackers from easily loading drivers," according to the report.
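The following script is an added example, not part of the Sophos report or this article, showing how an admin could audit a Windows host for the two defensive points raised in this section: whether Microsoft's Vulnerable Driver Blocklist is switched on, and whether any currently loaded kernel driver matches a known-bad hash or was loaded from an unusual location. The two hashes in the `$knownBad` table are constructed placeholders, not real driver hashes; in practice they would come from a curated feed such as the LOLDrivers project or an internal list. The registry value checked is the one Microsoft documents for the Core isolation toggle.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Sophos report or the article). Run from an
# elevated PowerShell 5.1 or 7 prompt on the host being audited.

# --- 1. Microsoft Vulnerable Driver Blocklist status -------------------------
# The Core isolation toggle writes this DWORD; 1 = enabled, 0 = explicitly off.
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$flag  = (Get-ItemProperty -Path $ciKey -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
switch ($flag) {
    1       { Write-Host '[OK]   Microsoft Vulnerable Driver Blocklist is enabled' }
    0       { Write-Warning 'Microsoft Vulnerable Driver Blocklist is explicitly disabled' }
    default { Write-Warning 'Blocklist value not set; the OS default applies. Verify under Windows Security > Device security > Core isolation' }
}

# --- 2. Known-bad driver hashes (SHA-256) ------------------------------------
# CONSTRUCTED placeholders, not real driver hashes. Replace with a curated feed
# such as the LOLDrivers project (https://www.loldrivers.io/) or your own list.
$knownBad = @{
    '0000000000000000000000000000000000000000000000000000000000000001' = 'placeholder-driver-a'
    '0000000000000000000000000000000000000000000000000000000000000002' = 'placeholder-driver-b'
}
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# --- 3. Hash and inspect every running kernel driver -------------------------
$report = @(Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # PathName arrives as C:\..., \??\C:\... or \SystemRoot\...; normalise it.
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { return }

        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $sig  = Get-AuthenticodeSignature -LiteralPath $path

        $reasons = @()
        if ($knownBad.ContainsKey($hash)) { $reasons += "hash matches $($knownBad[$hash])" }
        # A valid signature is expected even for abused drivers (that is the point
        # of BYOVD), so an invalid one is only an extra reason to look closer.
        if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
        # Heuristic, not a rule: BYOVD tools usually drop their driver outside the
        # system drivers directory, often into a temp or user-writable folder.
        if ($path -notlike "$driverDir\*") { $reasons += 'loaded from outside System32\drivers' }

        [pscustomobject]@{
            Name   = $_.Name
            Path   = $path
            SHA256 = $hash
            Signer = $sig.SignerCertificate.Subject
            Flags  = ($reasons -join '; ')
        }
    })

$flagged = @($report | Where-Object Flags)
$flagged | Format-Table Name, Path, Flags -AutoSize
Write-Host ("Audited {0} running drivers; {1} flagged for review." -f $report.Count, $flagged.Count)
```

The hash match is the only hard indicator here; the signature and path checks are triage hints, because the whole premise of BYOVD is that the abused driver is validly signed. A flagged driver in an unexpected path that also appears in a vulnerable-driver feed is the pattern worth escalating.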

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
