overview

Analysts from Sophos have recently observed a cybercrime group deploying a new software tool designed to shut down Endpoint Detection and Response (EDR) within a victim environment. 

This software tool, dubbed EDRKillShifter, is used to deliver a legitimate software driver that’s been maliciously manipulated to shut down EDR, which enables the attacker to deliver their final payload, such as ransomware, spyware, etc. 

The group responsible has not been definitively identified but appears to be related to the RansomHub group. RansomHub has become more active since February of this year, when EU law enforcement disrupted the LockBit ransomware gang.  

how avertium is protecting our customers

IOCs ADDED TO OUR THREAT FEEDS

At this time, there are no known IoCs associated with EDRKillShifter; however, we are tracking a number of IoCs related to the RansomHub group itself.  

NOTE!: Avertium is actively searching across all monitored environments for the IoCs listed below. If any are discovered, we will reach out to you directly. If your environment or portions of your environment are not currently being monitored, please reach out to your Service Delivery Manager. 

SHA-256 File Hashes 


SHA-1 File Hashes 

  • ee682488fe843d8bb826854d23b2cea73fad4969 
  • e9aa4e6c514ee951665a7cd6f0b4a4c49146241d 
  • ada3a90f022fbdaee50245ecdaab6e5756d18d0d 

MD5 File Hashes 

  • ba8763fc59d73b28b070cb6eb393aa83 
  • 8c8916d8ea8c44e383d55e919a9f989f 
  • 477293f80461713d51a98a24023d45e8  

TTPs TO MONITOR

1. Initial Access (TA0001): 
  • An EDR-killing tool such as this still relies on the attacker establishing access to the victim network first. In the absence of any vulnerabilities that allow for uninhibited remote code execution, attackers must fall back on phishing emails or other methods of social engineering. To limit potential attack vectors, ensure your systems are properly updated and your users are trained to identify phishing emails.  
2. Privilege Escalation (TA0004): 
  • Once the EDR is disabled, the attacker may attempt to escalate privileges to gain higher levels of access on the system, such as gaining administrator rights. Proper separation between user and admin privileges can help prevent attackers from easily loading drivers or otherwise escalating privileges.  
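A defender-side check for the driver-loading step the TTPs above describe, added here as an example and not code from Avertium or Sophos: it parses Windows System-log Event ID 7045 messages (the record the Service Control Manager writes whenever a service or kernel driver is registered) and flags kernel-mode drivers registered from outside the normal driver directories, which is where a dropped driver tends to sit. The sample events, the service names and the trusted-directory list are constructed assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed Event ID 7045 (Service Control Manager) messages in the format
# Windows writes to the System log when a service or driver is registered.
# These are made-up samples for the example, not telemetry from any incident.
SAMPLE_EVENTS = [
    "A service was installed in the system.\n\nService Name: TrustedFilter\n"
    "Service File Name: \\SystemRoot\\System32\\drivers\\TrustedFilter.sys\n"
    "Service Type: kernel mode driver\nService Start Type: boot start\nService Account: ",
    "A service was installed in the system.\n\nService Name: UpdaterSvc\n"
    "Service File Name: \"C:\\Program Files\\Vendor\\updater.exe\"\n"
    "Service Type: user mode service\nService Start Type: auto start\nService Account: LocalSystem",
    "A service was installed in the system.\n\nService Name: TempDrv\n"
    "Service File Name: C:\\Users\\alice\\AppData\\Local\\Temp\\TempDrv.sys\n"
    "Service Type: kernel mode driver\nService Start Type: demand start\nService Account: ",
]

FIELD_RE = re.compile(r"^(Service Name|Service File Name|Service Type): ?(.*)$", re.M)
# Directories where legitimately installed drivers normally live (assumption;
# tune to your estate). A kernel driver registered anywhere else deserves a look.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers", "c:\\windows\\system32\\driverstore")

def parse_7045(message):
    """Pull the named fields out of a 7045 message body."""
    return {k: v.strip() for k, v in FIELD_RE.findall(message)}

def normalize_image_path(raw):
    """Expand the path prefixes the SCM accepts so paths compare consistently."""
    path = raw.strip().strip('"')
    path = re.sub(r"^\\\?\?\\", "", path)                               # \??\C:\... -> C:\...
    path = re.sub(r"^\\SystemRoot\\", r"C:\\Windows\\", path, flags=re.I)
    path = re.sub(r"^System32\\", r"C:\\Windows\\System32\\", path, flags=re.I)
    return path

def is_suspicious_driver_install(message):
    """True for a kernel-mode driver registered outside the trusted driver dirs."""
    fields = parse_7045(message)
    if fields.get("Service Type", "").lower() != "kernel mode driver":
        return False
    image = normalize_image_path(fields.get("Service File Name", ""))
    parent = str(PureWindowsPath(image).parent).lower()
    return not parent.startswith(TRUSTED_DRIVER_DIRS)

def triage(messages):
    """Return the service names of driver installs worth an analyst's attention."""
    return [parse_7045(m)["Service Name"] for m in messages if is_suspicious_driver_install(m)]
```

On a live host the same functions can be fed the message bodies returned by Get-WinEvent for the System log; the path heuristic complements the privilege-separation guidance above rather than replacing it, since a driver dropped into a trusted directory would not be flagged.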

ADDITIONAL SERVICE OFFERINGS

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
    • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).

SUPPORTING DOCUMENTATION

Ransomware attackers introduce new EDR killer to their arsenal 

RansomHub Group Deploys New EDR-Killing Tool in Latest Cyber Attacks 

RansomHub Ransomware - What You Need To Know 
