Aug 15, 2024 | Ravie Lakshmanan | Ransomware / Cybercrime
A cybercrime group associated with RansomHub ransomware has introduced a new tool aimed at disabling endpoint detection and response (EDR) software on compromised systems, adding to the lineup of similar programs like AuKill and Terminator.
Sophos has named the tool EDRKillShifter; its researchers found it while investigating an unsuccessful ransomware attack in May 2024.
“The EDRKillShifter tool acts as a ‘loader’ executable, delivering a vulnerable driver that can be misused, allowing for deployment of different driver payloads as per the threat actor’s needs,” explained security researcher Andreas Klopsch in a statement.
RansomHub, believed to be a rebrand of the Knight ransomware, emerged earlier this year, exploiting known vulnerabilities to gain initial access and deploy legitimate remote desktop software for persistence.
Microsoft recently disclosed that the cybercrime group dubbed Scattered Spider has integrated ransomware strains like RansomHub into their toolkit.
EDRKillShifter is launched from the command line with a password argument; given the correct password, it unpacks and runs an obfuscated payload that drops a vulnerable driver and abuses it to terminate EDR processes, the classic bring-your-own-vulnerable-driver (BYOVD) pattern.
Sophos notes that the tool was compiled on a system with Russian localization settings, and that in every unpacked EDR-killer variant it examined, the vulnerable driver is embedded in the payload's .data section.

To counter the threat, Sophos advises keeping systems and EDR agents patched, enabling tamper protection in EDR tools so the agent cannot be stopped or reconfigured from user mode, and following Windows security hardening practices. One caveat for practitioners: the kill itself is carried out from kernel mode through the abused driver, so tamper protection on its own is not a complete answer; keeping Microsoft's vulnerable driver blocklist current and preventing the driver from loading at all is what removes the primitive.
Klopsch added, “Preventing this attack is feasible by enforcing the separation between user and admin privileges to deter threat actors from easily deploying drivers.”
The finding arrives alongside the emergence of SbaProxy, a stealthy malware that modifies legitimate antivirus binaries, a further sign that attackers are investing in subverting defensive software rather than simply evading it.