BleepingComputer reports that the BlackSuit, Qilin, RansomHub, INC, Dragonforce, Medusa, Lynx, and Crytox ransomware operations have launched attacks involving a newly emergent endpoint detection and response (EDR) killer believed to be descended from RansomHub's EDRKillShifter tool.
According to an analysis from Sophos security researchers, the yet-to-be-named EDR killer is a heavily obfuscated binary that decodes itself at runtime and injects into applications; it then seeks out a digitally signed driver, which it loads into the kernel for a bring-your-own-vulnerable-driver (BYOVD) attack. That driver, which impersonates the CrowdStrike Falcon Sensor Driver, then moves to deactivate Microsoft, Sophos, Trend Micro, SentinelOne, Kaspersky, Symantec, F-Secure, McAfee, Cylance, Webroot, and HitmanPro antivirus and EDR products. Despite differences in build characteristics and AV targets, the use of HeartCrypt for packing across all variants of the new EDR killer indicates a shared, collaborative development process. "To be clear, it's not that a single binary of the EDR killer leaked out and was shared between threat actors. Instead, each attack used a different build of the proprietary tool," said Sophos.
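The detection opportunity in a BYOVD attack of the kind described above is the driver-load event itself: a kernel driver whose file description claims a security vendor (here, CrowdStrike's Falcon sensor) but whose code-signing certificate belongs to someone else, or that loads from a path no vendor installer would use. The following is an added example, not code from the article or from Sophos; it triages constructed Sysmon-style DriverLoad (Event ID 6) records, and the field names, the vendor keyword list, and the sample events are all assumptions.

```python
"""Flag kernel driver loads whose claimed vendor, signer, or load path look
inconsistent. Added example; the event records below are constructed and the
field layout approximates Sysmon Event ID 6 (DriverLoad)."""
from dataclasses import dataclass

# Vendors named in the report. A driver whose description mentions one of these
# is expected to be signed by that same vendor (keyword match is a simplification).
VENDOR_KEYWORDS = [
    "crowdstrike", "sophos", "microsoft", "sentinelone", "kaspersky",
    "trend micro", "symantec", "f-secure", "mcafee", "cylance", "webroot", "hitmanpro",
]

# Legitimate vendor drivers are normally installed here (assumption for this check).
SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"


@dataclass
class DriverLoad:
    image: str              # ImageLoaded: full path of the driver file
    description: str        # FileDescription from the PE version resource (assumed available)
    signature_status: str   # SignatureStatus: "Valid", "Unavailable", ...
    signature: str          # Signature: subject name of the signing certificate


def claimed_vendor(description: str):
    """Return the first vendor keyword the driver's description claims, if any."""
    d = description.lower()
    for vendor in VENDOR_KEYWORDS:
        if vendor in d:
            return vendor
    return None


def assess(ev: DriverLoad) -> list:
    """Return the list of reasons this driver load deserves analyst attention."""
    reasons = []
    if ev.signature_status.lower() != "valid":
        reasons.append(f"signature status is {ev.signature_status!r}")
    vendor = claimed_vendor(ev.description)
    if vendor and vendor not in ev.signature.lower():
        # Description names a security vendor but the certificate subject does not.
        reasons.append(f"claims {vendor!r} but is signed by {ev.signature!r}")
    if not ev.image.lower().startswith(SYSTEM_DRIVER_DIR):
        reasons.append("loaded from outside the system drivers directory")
    return reasons


def triage(events) -> list:
    """Return (image, reasons) for every event with at least one finding."""
    findings = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            findings.append((ev.image, reasons))
    return findings


# Constructed sample events: one benign load and two that mimic the pattern above.
SAMPLE_EVENTS = [
    DriverLoad(r"C:\Windows\System32\drivers\examplefs.sys",
               "Example Vendor Filter Driver", "Valid", "Example Vendor Ltd"),
    DriverLoad(r"C:\Users\Public\tmp\sensor.sys",
               "CrowdStrike Falcon Sensor Driver", "Valid", "Unrelated Signer Co"),
    DriverLoad(r"C:\Windows\Temp\x.sys",
               "Sophos Endpoint Driver", "Unavailable", ""),
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

Run against real telemetry, the same three checks apply unchanged; the keyword-to-signer match is deliberately loose, so a positive finding is a lead for a hash or certificate-thumbprint lookup rather than a verdict on its own.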