Ransomware attackers introduce new EDR killer to their arsenal – Sophos News

Sophos analysts recently came across a new EDR killing utility deployed by a criminal group attempting to target an organization with ransomware called RansomHub. While the ransomware attack was ultimately unsuccessful, postmortem analysis of the attack revealed the existence of a new tool designed to terminate endpoint protection software. We call this tool EDRKillShifter.

Since 2022, we have seen an increase in the sophistication of malware designed to disable EDR systems on an infected system, as customers increasingly use EDR tooling to protect endpoints. Sophos previously published research about AuKill, an EDR killer tool discovered by Sophos X-Ops last year and sold commercially on criminal marketplaces.

In the May incident, the threat actors—we estimate with moderate confidence that this tool is used by multiple attackers—attempted to use EDRKillShifter to terminate Sophos protection on the targeted machine, but the tool failed. They then attempted to run the ransomware executable on the machine they were controlling, but that also failed when the endpoint agent’s CryptoGuard feature was activated.

How EDRKillShifter Works

The EDRKillShifter tool is an executable “loader” file – a delivery mechanism for a legitimate driver that is vulnerable to exploitation (also known as a “bring your own vulnerable driver” or BYOVD tool). Depending on the threat actor’s requirements, it can deliver a variety of different driver payloads.

There are three steps in the execution process of this loader. The attacker must execute EDRKillShifter with a command line containing a password string. When executed with the correct password, the executable decrypts an embedded resource named BIN and executes it in memory.

The BIN code unpacks and executes the final payload. This final payload, written in the Go programming language, drops and exploits one of several vulnerable, legitimate drivers to gain privileges sufficient to decouple the protection of an EDR tool.

[Figure: High-level overview of the EDRKillShifter loader execution process]

Peeling off the first layer

A cursory analysis shows that all samples share the same version information. The original filename is Loader.exe and the product name is ARK-Game. (Some members of the research team speculated that the threat actor is trying to disguise the final payload as a popular computer game called ARK: Survival Evolved.)

The language property of the binary is Russian, which indicates that the malware author compiled the executable on a computer with Russian localization settings.

[Figure: EDRKillShifter version info as displayed in CFF Explorer]

All samples require a unique 64-character password passed on the command line. If the password is incorrect (or not provided), the loader does not execute.

[Figure: Execution fails if the correct password is not supplied; the screenshot shows the command line with the password passed as an argument]

When executed, EDRKillShifter loads an encrypted resource named BIN, embedded within itself, into memory. It also copies that data into a new file called Config.ini and writes that file to the same filesystem location from which the binary was executed.

The loader code then allocates a new memory page using VirtualAlloc and writes the encrypted content to the newly allocated page. The malware then deletes the Config.ini file and proceeds to decrypt the next set of payloads: the exploitable driver and a Go binary. The loader uses the SHA256 hash of the input password as the decryption key for the second-layer payloads.

[Figure: Pseudocode of the second-layer decryption routine of the EDRKillShifter malware]

If the malware successfully decrypts the second-layer payloads, it creates a new thread and starts execution in that thread.

Loading the latest EDR killer into memory

The second stage is obfuscated using a self-modifying code technique. At runtime, the second layer modifies its own instructions. Since the actual executed instructions are only revealed at runtime, additional tooling or emulation is required for analysis.

The image below illustrates the technique further. The first section shows the beginning of the self-modifying code layer. All instructions after the first call in the disassembly are nonsense at this point. If we revisit the same instruction block after executing the first call, we see a different set of instructions. The first call modifies the next set of instructions, which then modifies the next set of instructions, and so on.

[Figure: EDRKillShifter uses self-modifying code to change each subsequent instruction block]

The sole purpose of the final, decoded layer is to dynamically load the final payload into memory and execute it.

Final payload analysis

All of the samples we analyzed ran a different EDR killer variant in memory. They were all written in Go and obfuscated (possibly through the use of an open-source tool called gobfuscate). Obfuscators are tools designed to hinder reverse engineering. There may be legitimate reasons for software engineers to obfuscate software, such as preventing competitors from stealing intellectual property. However, malware authors also use obfuscators to make it more difficult for security researchers to analyze malware.

Reverse engineers usually rely on the metadata that Go binaries carry when analyzing malware written in Go, but in this case that key information was obfuscated in the compiled code. Some of this information includes:

  • Strings are encoded. They are decoded at runtime.
  • The Go version information is gone. Many open-source reverse engineering tools rely on this Go version information to rebuild structures in the disassembly.
  • Useful package information and package paths are encrypted or removed from the final malware.

However, we were able to extract valuable information using the GoReSym tool from Mandiant.

Similarities between the final payloads

All extracted EDR killers contain a vulnerable driver in the .data section. Their behavior is simple, just like that of other EDR killers we have analyzed (1)(2)(3). The only major difference between the two variants we looked at is the vulnerable driver that is loaded and exploited.

When executed, both variants gain the privileges needed to load a driver and place the exploitable .sys file in the user's \AppData\Local\Temp folder. The malware generates a random filename for the driver each time it is executed.

[Figure: Process Monitor log showing the malware placing the exploitable driver in the TEMP folder]

After the malware creates a new service for the driver, starts the service, and loads the driver, it enters an endless loop that continuously enumerates running processes and kills processes if their names appear in a hardcoded list of targets. This behavior is consistent for both variants.
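The sequence just described (a .sys file written to the user's Temp folder, a service registered for it, the driver loaded, and a process-kill loop) is a useful detection pattern. The following is an added example, not Sophos code, that correlates these stages over a few lines of Sysmon-style telemetry. The Sysmon event IDs used (1 process create, 11 file create, 13 registry value set, 6 driver load) are real; the one-JSON-object-per-line log format, the user name, the driver name qzj4k8.sys and the 64-character argument are constructed placeholders. The `loader_candidates` check is a weak heuristic derived from the password-on-the-command-line behaviour noted earlier in the article.

```python
"""Correlate Sysmon-style telemetry to flag a vulnerable driver staged in a
user's Temp folder, registered as a service and loaded, plus the weak
command-line indicator for the loader. Added example, not Sophos code."""
import json
import re
from collections import defaultdict

# Constructed sample telemetry, one JSON object per line (not from the
# incident). Event IDs follow Sysmon: 1 = process create, 11 = file create,
# 13 = registry value set, 6 = driver load. Paths, the driver name qzj4k8.sys
# and the 64-character argument are invented placeholders.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Users\\alice\\Downloads\\Loader.exe", "CommandLine": "Loader.exe A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2E3F4A5B6C7D8E9F0A1B2"}
{"EventID": 11, "Image": "C:\\Users\\alice\\Downloads\\Loader.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\qzj4k8.sys"}
{"EventID": 13, "Image": "C:\\Windows\\system32\\services.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\qzj4k8\\ImagePath", "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\qzj4k8.sys"}
{"EventID": 6, "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\qzj4k8.sys", "Signed": "true", "Signature": "Example Vendor Ltd"}
{"EventID": 11, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetFilename": "C:\\Windows\\System32\\drivers\\vendor.sys"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\vendor.sys", "Signed": "true", "Signature": "Example Vendor Ltd"}
"""

# A .sys file directly under <user>\AppData\Local\Temp\ (case-insensitive).
TEMP_SYS = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.sys$", re.IGNORECASE)


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_byovd_staging(events):
    """Group the three stages (file drop, service registration, driver load)
    by driver path and return one finding per Temp-staged driver."""
    stages = defaultdict(dict)  # lowercase driver path -> observed stages
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11 and TEMP_SYS.search(ev.get("TargetFilename", "")):
            stages[ev["TargetFilename"].lower()]["created_by"] = ev["Image"]
        elif eid == 13 and TEMP_SYS.search(ev.get("Details", "")):
            # A service ImagePath pointing into Temp is the registration step.
            if "\\services\\" in ev.get("TargetObject", "").lower():
                stages[ev["Details"].lower()]["service"] = ev["TargetObject"]
        elif eid == 6 and TEMP_SYS.search(ev.get("ImageLoaded", "")):
            stages[ev["ImageLoaded"].lower()]["loaded"] = ev.get("Signature", "")
    findings = []
    for path, seen in stages.items():
        findings.append({
            "driver": path,
            "stages": sorted(seen),
            # Two or more stages on the same Temp driver is strong evidence;
            # a lone .sys write in Temp is only worth a medium alert.
            "severity": "high" if len(seen) >= 2 else "medium",
        })
    return findings


def loader_candidates(events):
    """Weak indicator: a process started with a 64-character argument, the
    password-on-the-command-line behaviour described in the write-up."""
    return [ev["Image"] for ev in events
            if ev.get("EventID") == 1
            and any(len(a) == 64 for a in ev.get("CommandLine", "").split()[1:])]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in detect_byovd_staging(evs):
        print(f"[{f['severity']}] {f['driver']} stages={f['stages']}")
    for image in loader_candidates(evs):
        print(f"[medium] 64-char argument passed to {image}")
```

The signed vendor driver loaded from System32\drivers produces no finding, because the driver's signature alone says nothing here: both EDRKillShifter variants load legitimately signed drivers. What separates them from normal driver installs is the staging location plus the service-and-load sequence, so the correlation keys on the path, not on the signature.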

It is also worth noting that both variants exploit legitimate (albeit vulnerable) drivers, using proof-of-concept exploits available on GitHub. We suspect that the threat actors copied parts of these proofs of concept, modified them, and ported the code to the Go language. This is a common trend that we have also observed with other EDR killers, such as Terminator.

Same loader, different final payloads

The sample with SHA256 451f5aa55eb207e73c5ca53d249b95911d3fad6fe32eee78c58947761336cc60 abuses a vulnerable driver named RentDrv2 that has also been abused in earlier attacks. A proof of concept for exploiting this driver is available on GitHub.

The variant can also receive an additional command line argument “–list”, allowing adversaries to pass an additional list of process names as targets.

[Figure: The first variant can also accept additional command line arguments as input, including a custom list of processes to target; the screenshot shows the program targeting several Sophos tools, as well as Notepad and CalculatorApp on Windows]

In contrast, the variant with SHA256 d0f9eae1776a98c77a6c6d66a3fd32cee7ee6148a7276bc899c1a1376865d9b0 exploits a known vulnerable driver called ThreatFireMonitor, a component of an outdated system monitoring suite. A proof of concept for this specific driver is also available on GitHub.

Mapping EDRKillShifter into the larger threat landscape

The final payload embedded in the loader changes from incident to incident (and, presumably, from creator to creator). If we try to map EDRKillShifter to the larger threat landscape, it is also plausible that the loader and the final payloads are developed by separate threat actors.

Selling loaders or obfuscators is a lucrative business on the darknet. Sophos X-Ops suspects that the sole purpose of the loader is to deploy the latest BYOVD payload, and that the loader may have been obtained on the darknet. The latest EDR killer payloads are then simply delivered by the loader itself, which consists of layers 1 and 2 described in our analysis above.

[Figure: Example of an advertisement for an obfuscator tool for sale on a criminal darknet forum]

It is important to note that we cannot confirm this hypothesis at this time.

Mitigating measures and advice

Sophos currently detects EDRKillShifter as Troj/KillAV-KG. In addition, behavioral protection rules that protect against defense evasion and privilege escalation block these system calls. Businesses and individuals can also take additional steps to protect their machines from driver abuse:

  • Sophos X-Ops strongly recommends that you verify that your endpoint security product implements and enables tamper protection. This feature provides a strong layer against these types of attacks. If you are using Sophos products but do not currently have Sophos tamper protection enabled, enable it today.
  • Apply strict hygiene to Windows security roles. This attack is only possible if the attacker can elevate the privileges of the account they control or otherwise gain administrative rights. Separation between user and administrative rights can help prevent attackers from easily loading drivers.
  • Keep your system up to date. Since last year, Microsoft has started pushing updates that decertify signed drivers that have been known to be abused in the past.