Flash Notice: New Endpoint Killing Tool Observed

Written by Marketing | Aug 16, 2024 4:13:24 PM

overview

Analysts from Sophos have recently observed a cybercrime group deploying a new software tool designed to shutdown Endpoint Protection and Response (EDR) within a victim environment.

This software tool, dubbed EDRKillShifter, is used to deliver a legitimate software driver that’s been maliciously manipulated to shutdown EDR which enables the attacker to deliver their final payload, such as ransomware, spyware, etc.

The group responsible has not been definitively identified but appears to be related to the RansomHub group. RansomHub has become more active since February of this year, when EU law enforcement disrupted the LockBit ransomware gang.

how avertium is protecting our customers

IOCs ADDED TO OUR THREAT FEEDS

At this time, there are no known IoCs associated with EDRKillShifter, however we are tracking a number of IoCs related to the RansomHub group itself.

NOTE!: Avertium is actively searching across all monitored environments for the IoC’s listed below. If any are discovered, we will reach out to you directly. If your environment or portions of your environment are not currently being monitored, please reach out to your Service Delivery Manager.

SHA-256 File Hashes

f1a6e08a5fd013f96facc4bb0d8dfb6940683f5bdfc161bd3a1de8189dea26d3
ee682488fe843d8bb826854d23b2cea73fad4969
ea9f0bd64a3ef44fe80ce1a25c387b562a6b87c4d202f24953c3d9204386cf00
e654ef69635ab6a2c569b3f8059b06aee4bce937afb275ad4ec77c0e4a712f23
8f59b4f0f53031c555ef7b2738d3a94ed73568504e6c07aa1f3fa3f1fd786de7
7539bd88d9bb42d280673b573fc0f5783f32db559c564b95ae33d720d9034f5a
7114288232e469ff368418005049cf9653fe5c1cdcfcd63d668c558b0a3470f2
595cd80f8c84bc443eff619add01b86b8839097621cdd148f30e7e2214f2c8cb
36e5be9ed3ec960b40b5a9b07ba8e15d4d24ca6cd51607df21ac08cda55a5a8e
34e479181419efd0c00266bef0210f267beaa92116e18f33854ca420f65e2087
2f3d82f7f8bd9ff2f145f9927be1ab16f8d7d61400083930e36b6b9ac5bbe2ad
104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2
02e9f0fbb7f3acea4fcf155dc7813e15c1c8d1c77c3ae31252720a9fa7454292

SHA-1 File Hashes

ee682488fe843d8bb826854d23b2cea73fad4969
e9aa4e6c514ee951665a7cd6f0b4a4c49146241d
ada3a90f022fbdaee50245ecdaab6e5756d18d0d

MD5 Files Hashes

ba8763fc59d73b28b070cb6eb393aa83
8c8916d8ea8c44e383d55e919a9f989f
477293f80461713d51a98a24023d45e8

TTPs TO MONITOR

1. Initial Access (TA0001):

An EDR killing tool such as this still relies on the attacker establishing access to the victim network first. In absence of any vulnerabilities that allow for uninhibited remote code execution, attackers must fall back on phishing emails or other methods of social engineering. To limit potential attack vectors, ensure your systems are properly updated and your users are trained to identify phishing emails.

2. Privilege Escalation (TA0004):

Once the EDR is disabled, the attacker may attempt to escalate privileges to gain higher levels of access on the system, such as gaining administrator rights. Proper separation between user and admin privileges can help prevent attackers from easily loading drivers or otherwise escalating privileges.

ADDITIONAL SERVICE OFFERINGS

Fusion MXDR  is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.
Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:
- Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment).
- Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK).
- Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).

SUPPORTING DOCUMENTATION

Ransomware attackers introduce new EDR killer to their arsenal

RansomHub Group Deploys New EDR-Killing Tool in Latest Cyber Attacks

RansomHub Ransomware - What You Need To Know

View full post