- EDRKillShifter gets a dangerous upgrade
- The new malware can disable AV and EDR products from reputable vendors
- Sophos, Bitdefender and Kaspersky are among the tools targeted
Cyber criminals appear to have improved their antivirus-killing capabilities, as recent research suggests that a new tool is being shared in the underground community.
In a new report, Sophos security researchers said that multiple ransomware groups are successfully disabling endpoint detection and response (EDR) systems before deploying encryption.
Originally, the group known as RansomHub developed a tool called EDRKillShifter, which Sophos says is now outdated thanks to this new and improved variant. The new tool can disable security software from several major vendors, including Sophos, Bitdefender and Kaspersky.
Changing strategies
The malware is often packed using a service called HeartCrypt, which obfuscates the code to evade detection.
Sophos found that attackers use all kinds of obfuscation and anti-analysis techniques to protect their tools from defenders, and in some cases they even use signed drivers (with certificates that were either stolen or compromised).
In one case, the malicious code was embedded in a legitimate tool, the Clipboard Compare utility from Beyond Compare, the researchers explained.
Sophos also said that several ransomware groups are using this new EDR-killing tool, suggesting a high level of collaboration among threat actors.
EDRKillShifter was first spotted in mid-2024, after an unsuccessful attempt to disable an antivirus product and deploy ransomware.
Sophos then revealed that the malware dropped a legitimate but vulnerable driver.
Now there appears to be a new method: taking an already legitimate executable and modifying it locally by inserting malicious code and payload resources (as was the case with Beyond Compare's tool). This is typically done after the attacker has gained access to a victim's machine, or when building a malicious package that pretends to be legitimate.
To defend against this threat, Sophos suggests that users check whether their endpoint protection products implement tamper protection, and make sure it is enabled.
In addition, companies should practice "strong hygiene" for Windows security roles, as the attack is only possible if the attacker can escalate the privileges they already hold or otherwise obtain administrator rights.
Finally, companies should keep their systems up to date, as Microsoft recently started de-certifying old signed drivers.
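A legitimate, signed executable that has been modified in place, as described above, still carries its original signature, but the signature no longer matches the file's bytes. The following PowerShell script, an added example rather than anything from the Sophos report, walks a directory and reports signed binaries whose Authenticode hash no longer verifies; the scan root is a placeholder you would adjust.

```powershell
# Added example (not from the Sophos report): flag executables whose
# Authenticode signature no longer matches their contents, which is what a
# legitimate binary patched in place with injected code and resources looks like.
# Assumes Windows PowerShell 5.1 or later; $ScanRoot is a placeholder to adjust.
param(
    [string]$ScanRoot = 'C:\Program Files'
)

$findings = Get-ChildItem -Path $ScanRoot -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path     = $_.FullName
            Status   = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # A signer is present but the file body changed after signing.
            Modified = ($sig.Status -eq 'HashMismatch')
        }
    }

# HashMismatch is the interesting case: the file was once a genuine signed
# release, but its bytes no longer match what the vendor signed.
Write-Host "Signed binaries whose contents no longer match their signature:"
$findings | Where-Object { $_.Modified } | Format-Table Path, Signer -AutoSize

# Unsigned binaries inside vendor directories deserve a second look as well,
# but they are noisier, so they are reported separately.
Write-Host "Unsigned binaries under $ScanRoot:"
$findings | Where-Object { $_.Status -eq 'NotSigned' } | Select-Object -ExpandProperty Path
```

A HashMismatch hit is not proof of compromise on its own (some installers patch their own files), so compare the flagged file against a clean copy from the vendor before acting on it.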