A cybercriminal group linked to RansomHub ransomware has been spotted using a new tool designed to shut down endpoint detection and response (EDR) software on compromised hosts, joining other similar programs such as AuKill (aka AvNeutralizer) and Terminator.
The EDR kill utility was named EDRKillShifter by cybersecurity firm Sophos, which discovered the tool in connection with a botched ransomware attack in May 2024.
“The EDRKillShifter tool is a ‘bootloader’ executable – a delivery mechanism for a legitimate exploitable driver (also known as a ‘bring your own vulnerable driver’ or BEUDtool),” security researcher Andreas Klopsch said. “Depending on the threat actor’s requirements, it can deliver different driver payloads.”
RansomHuban alleged rebrand of Knight ransomware appeared in February 2024 that exploits known security flaws to gain initial access and remove legitimate remote desktop software such as Atera and Splashtop for permanent access.
Last month, Microsoft revealed that the notorious cybercrime syndicate known as Scattered Spider has included ransomware such as RansomHub and Qilin in its arsenal.
Executed via the command line along with entering a password string, the executable decrypts an embedded resource called BIN and executes it in memory. The BIN resource unpacks and runs the latest obfuscated Go-based payload, which then takes advantage of various vulnerable legitimate drivers to gain elevated privileges and disarm the EDR software.
“The language property of the binary file is Russian, which indicates that the malware author compiled the executable on a computer with Russian localization settings,” Klopsch said. “All unpacked EDR killers embed the vulnerable driver in the .data section.”
To reduce the threat, it’s recommended to keep systems up-to-date, enable tamper protection in EDR software, and maintain strict hygiene for Windows security roles.
“This attack is only possible if the attacker escalates the privileges they control or if they can gain administrative rights,” Klopsch said. “Separation between user and administrator privileges can prevent attackers from easily downloading drivers.”
