A new analysis of endpoint detection and response (EDR) killers has revealed that 54 of them leverage a technique known as bring your own vulnerable driver (BYOVD) by abusing a total of 34 vulnerable drivers.
EDR killer tools have been a common presence in ransomware intrusions, as they give affiliates a way to neutralize security software before deploying file-encrypting malware, in an attempt to evade detection.
“Ransomware gangs, especially those with ransomware-as-a-service (RaaS) programs, frequently produce new builds of their encryptors, and ensuring that each new build is reliably undetected can be time-consuming,” ESET researcher Jakub Souček said in a report shared with The Hacker News.
“More importantly, encryptors are inherently very noisy (as they inherently need to modify a large number of files in a short period); making such malware undetected is rather challenging.”
EDR killers act as a specialized, external component that is run to disable security controls before the lockers themselves execute, which keeps the latter simple, stable, and easy to rebuild. That is not to say there haven’t been cases where EDR termination and ransomware modules have been fused into a single binary; Reynolds ransomware is a case in point.
A majority of the EDR killers rely on legitimate but vulnerable drivers to gain elevated privileges and achieve their goals. Of the nearly 90 EDR killer tools detected by the Slovakian cybersecurity company, more than half use the well-known BYOVD tactic simply because it is reliable.
“The goal of a BYOVD attack is to gain kernel-mode privileges, often called Ring 0,” Bitdefender explains. “At this level, code has unrestricted access to system memory and hardware. Since an attacker cannot load an unsigned malicious driver, they ‘bring’ a driver signed by a reputable vendor (such as a hardware manufacturer or an old antivirus version) that has a known vulnerability.”
Armed with kernel access, threat actors can terminate EDR processes, disable security tools, tamper with kernel callbacks, and undermine endpoint protections. The result is an abuse of Microsoft’s driver trust model to evade defenses, taking advantage of the fact that the vulnerable driver is legitimate and signed.
The BYOVD-based EDR killers are primarily developed by three types of threat actors:
- Closed ransomware groups like DeadLock and Warlock that don’t rely on affiliates
- Attackers forking and tweaking existing proof-of-concept code (e.g., SmilingKiller and TfSysMon-Killer)
- Cybercriminals marketing such tools on underground marketplaces as a service (e.g., DemoKiller aka Бафомет, ABYSSWORKER, and CardSpaceKiller)
ESET said it also identified script-based tools that use built-in administrative commands like taskkill, net stop, or sc delete to interfere with the normal functioning of security product processes and services. Select variants have also been found to combine scripting with Windows Safe Mode.
“Since Safe Mode loads only a minimal subset of the operating system, and security solutions typically aren’t included, malware has a higher chance of disabling protection,” the company noted. “At the same time, such activity is very noisy, as it requires a reboot, which is risky and unreliable in unknown environments. Therefore, it is seen only rarely in the wild.”
The third category of EDR killers is anti-rootkits, which include legitimate utilities such as GMER, HRSword, and PC Hunter, that offer an intuitive user interface for terminating protected processes or services. A fourth, emerging category is a set of driverless EDR killers like EDRSilencer and EDR-Freeze that block outbound traffic from EDR solutions and cause the programs to enter a “coma”-like state.
“Attackers aren’t putting much effort into making their encryptors undetected,” ESET said. “Rather, all the sophisticated defense-evasion techniques have shifted to the user-mode components of EDR killers. This trend is most visible in commercial EDR killers, which often incorporate mature anti-analysis and anti-detection capabilities.”

To combat ransomware and EDR killers, blocking commonly misused drivers from loading is a necessary defense mechanism. However, given that EDR killers are executed only at the final stage, just before the encryptor is launched, a failure at this stage means the threat actor can simply switch to a different tool to accomplish the same task.
The implication is that organizations need layered defenses and detection strategies in place to proactively monitor, flag, contain, and remediate the threat at every stage of the attack lifecycle.
“EDR killers endure because they’re cheap, consistent, and decoupled from the encryptor – a perfect fit for both encryptor developers, who don’t need to focus on making their encryptors undetectable, and affiliates, who possess an easy-to-use, powerful utility to disrupt defenses prior to encryption,” ESET said.
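As an added example (not code from the ESET report or from The Hacker News), the following Python script shows the kind of detection logic a defender can run over Sysmon-style telemetry for the two signal types the article describes: a driver-load event (Sysmon Event ID 6) whose hash is on a locally maintained blocklist of known-vulnerable signed drivers, and process-creation events (Event ID 1) in which the built-in commands taskkill, net stop or sc delete are aimed at security product processes or services. It goes one step beyond the text by also flagging a signed driver loaded from outside the system driver directory even when its hash is not yet blocklisted, which addresses the point that an attacker can swap in a different driver once one is blocked. The pipe-delimited key=value event layout, the hashes, driver paths, service names and user names are all constructed placeholders standing in for whatever a SIEM actually emits.

```python
"""Detection example for EDR-killer signals in Sysmon-style events.

Added example; not from the ESET report or The Hacker News article.
EventID 6 = DriverLoad and EventID 1 = ProcessCreate follow Sysmon's
conventions; everything else (layout, hashes, names) is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed blocklist: SHA-256 hashes the organisation has marked as
# known-vulnerable signed drivers (placeholder values, not real hashes).
VULNERABLE_DRIVER_HASHES = {"sha256=" + "a" * 64, "sha256=" + "b" * 64}

# Constructed names of the security product's processes/services.
PROTECTED_NAMES = {"sensorsvc", "edragent.exe", "avshield"}

# Directory where legitimately installed kernel drivers normally live.
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# The built-in commands the article says script-based killers abuse.
TAMPER_PATTERNS = [
    re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(?P<target>\S+)", re.I),
    re.compile(r"\bnet(?:\.exe)?\s+stop\s+\"?(?P<target>[^\"\s]+)", re.I),
    re.compile(r"\bsc(?:\.exe)?\s+(?:delete|stop)\s+(?P<target>\S+)", re.I),
]

# Constructed sample telemetry (pipe-delimited key=value fields).
SAMPLE_EVENTS = [
    "EventID=6|ImageLoaded=C:\\Users\\Public\\drv\\oldvendor.sys|Hashes=SHA256=" + "a" * 64 + "|Signed=true",
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys|Hashes=SHA256=" + "c" * 64 + "|Signed=true",
    "EventID=6|ImageLoaded=C:\\ProgramData\\tmp\\x.sys|Hashes=SHA256=" + "d" * 64 + "|Signed=true",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c net stop sensorsvc|User=CORP\\svc_backup",
    "EventID=1|Image=C:\\Windows\\System32\\taskkill.exe|CommandLine=taskkill /F /IM edragent.exe|User=CORP\\alice",
    "EventID=1|Image=C:\\Windows\\System32\\sc.exe|CommandLine=sc delete sensorsvc|User=CORP\\alice",
    "EventID=1|Image=C:\\Windows\\System32\\taskkill.exe|CommandLine=taskkill /F /IM notepad.exe|User=CORP\\bob",
    "EventID=1|Image=C:\\Windows\\System32\\sc.exe|CommandLine=sc query sensorsvc|User=CORP\\bob",
]


@dataclass(frozen=True)
class Finding:
    kind: str       # detection category
    evidence: str   # the driver path or command line that triggered it
    note: str       # short analyst-facing explanation


def parse_event(line: str) -> dict[str, str]:
    """Split 'k=v|k=v' into a dict; only the first '=' separates key and value."""
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def driver_sha256(fields: dict[str, str]) -> str | None:
    """Pull the lower-cased 'sha256=...' entry out of a Sysmon Hashes field."""
    for entry in fields.get("Hashes", "").split(","):
        if entry.lower().startswith("sha256="):
            return entry.lower()
    return None


def check_event(fields: dict[str, str]) -> list[Finding]:
    """Return zero or more findings for one parsed event."""
    findings: list[Finding] = []
    if fields.get("EventID") == "6":
        path = fields.get("ImageLoaded", "")
        if driver_sha256(fields) in VULNERABLE_DRIVER_HASHES:
            findings.append(Finding("byovd_driver_load", path, "blocklisted vulnerable driver loaded"))
        elif not path.lower().startswith(SYSTEM_DRIVER_DIR):
            # Not on the blocklist, but a driver loading from a user-writable
            # location is worth a look: blocklists lag behind new drivers.
            findings.append(Finding("driver_load_unusual_path", path, "driver loaded outside system driver directory"))
    elif fields.get("EventID") == "1":
        cmd = fields.get("CommandLine", "")
        for pattern in TAMPER_PATTERNS:
            match = pattern.search(cmd)
            if match and match.group("target").strip('"').lower() in PROTECTED_NAMES:
                findings.append(Finding("security_service_tamper", cmd, f"built-in command targets protected {match.group('target')}"))
                break
    return findings


def scan(lines: list[str]) -> list[Finding]:
    """Run every event line through the checks, preserving input order."""
    return [f for line in lines for f in check_event(parse_event(line))]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.kind}] {finding.note}: {finding.evidence}")
```

Run against the constructed events the script reports five findings: the blocklisted driver, the signed driver from ProgramData, and the three commands aimed at the protected service and agent; the taskkill against notepad.exe and the read-only sc query produce nothing. In practice the blocklist would be fed from the organisation's own driver inventory alongside Microsoft's vulnerable driver blocklist, and the tamper rule would be tuned to the real service and process names of the deployed EDR.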