EDRKillShifter utilizes publicly known driver vulnerabilities, a common tactic among malware designed to disrupt EDR functionality. RansomHub, a tool that has rapidly gained popularity among ransomware actors, is being deployed in conjunction with EDRKillShifter, signaling the potential for this malware to become a significant threat. However, Sophos notes that while EDRKillShifter is dangerous, it can be mitigated with appropriate security measures.
The malware requires the attacker to have elevated privileges on the target machine. Once these privileges are obtained, the attacker can execute EDRKillShifter via the command line, initiating a complex process that includes entering a password to activate the malware. EDRKillShifter then obfuscates its activities using self-modifying code and various EDR killers, written in Go and further obfuscated.
If EDRKillShifter successfully embeds itself into the system’s memory, it deploys one of two payloads designed to create a new service for the compromised driver. This service then forces the driver into an endless loop, effectively disabling any security measures that rely on it.
Sophos recommends that the best defense against EDRKillShifter is to maintain good Windows security practices. This includes separating user and administrator roles, enabling tamper protection on EDR software, and keeping all systems and drivers up to date. Despite these precautions, the close association with RansomHub suggests that this threat should be closely monitored.
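The two technique details above (a new service registered for a vulnerable driver, followed by the EDR's own service going down) are exactly the signals a defender can watch for in the Windows System log, and they complement the driver-hygiene advice Sophos gives. The script below is an added example, not code from Sophos, The Register, or any EDRKillShifter sample: it parses constructed service-install (Event ID 7045) and service-state (Event ID 7036) records, flags kernel-mode driver installs, raises the score when the driver image sits outside the standard driver directories or its hash appears on a vulnerable-driver blocklist, and escalates further when the EDR service stops shortly afterwards. The log layout, the `SHA256` enrichment field, the `ExampleEDRAgent` service name and the blocklist contents are all assumptions made for illustration.

```python
"""Flag kernel-driver service installs that look like BYOVD staging, using sample log lines.

Added example; not code from Sophos, The Register, or any RansomHub/EDRKillShifter sample.
The log layout ("<ISO timestamp> <EventID> key=value;key=value;..."), the SHA256 enrichment
field, the service names and the blocklist contents are all constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional
import re

# Constructed placeholder: NOT a real driver hash. A real deployment would load a vetted
# vulnerable-driver hash list from a trusted source instead of hard-coding one value.
PLACEHOLDER_BLOCKED_SHA256 = "0" * 63 + "1"
BLOCKED_DRIVER_SHA256 = {PLACEHOLDER_BLOCKED_SHA256}

# Constructed name of the EDR agent's service, so a stop event can be correlated.
EDR_SERVICE_NAMES = {"ExampleEDRAgent"}

# Kernel drivers normally load from here; any other image path is a risk signal.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers", "c:\\windows\\system32\\driverstore")

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<eid>\d+) (?P<rest>.*)$")

@dataclass
class Event:
    ts: str
    event_id: int
    fields: dict

@dataclass
class Finding:
    ts: str
    service: str
    image: str
    score: int = 0
    reasons: list = field(default_factory=list)

def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for kv in m.group("rest").split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            fields[k.strip()] = v.strip()
    return Event(m.group("ts"), int(m.group("eid")), fields)

def image_in_trusted_dir(image_path: str) -> bool:
    """True if the driver image lives in a standard driver directory."""
    p = image_path.strip('"').lower()
    # Service image paths appear as \??\C:\... or \SystemRoot\...; normalise those prefixes.
    p = p.replace("\\??\\", "").replace("\\systemroot", "c:\\windows")
    return any(p.startswith(d) for d in TRUSTED_DRIVER_DIRS)

def score_install(ev: Event) -> Optional[Finding]:
    """Score a System log Event ID 7045 (service installed) record for BYOVD staging signals."""
    if ev.event_id != 7045 or ev.fields.get("ServiceType", "").lower() != "kernel mode driver":
        return None
    image = ev.fields.get("ImagePath", "")
    f = Finding(ev.ts, ev.fields.get("ServiceName", "?"), image)
    f.score += 1
    f.reasons.append("new kernel-mode driver service registered")
    if not image_in_trusted_dir(image):
        f.score += 2
        f.reasons.append("driver image outside the standard driver directories")
    # SHA256 is assumed to be added by the log collector; Event 7045 itself carries no hash.
    if ev.fields.get("SHA256", "").lower() in BLOCKED_DRIVER_SHA256:
        f.score += 5
        f.reasons.append("driver hash is on the vulnerable-driver blocklist")
    return f

def analyse(lines, window_s: int = 120):
    """Return findings, highest score first; a driver install followed within window_s
    seconds by the EDR service entering the stopped state (Event ID 7036) is escalated."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    findings = [f for f in (score_install(e) for e in events) if f]
    stops = [e for e in events
             if e.event_id == 7036 and e.fields.get("State", "").lower() == "stopped"
             and e.fields.get("ServiceName") in EDR_SERVICE_NAMES]
    for f in findings:
        t0 = datetime.fromisoformat(f.ts)
        for s in stops:
            dt = (datetime.fromisoformat(s.ts) - t0).total_seconds()
            if 0 <= dt <= window_s:
                f.score += 3
                f.reasons.append(f"EDR service {s.fields['ServiceName']} stopped {int(dt)}s later")
    return sorted(findings, key=lambda f: f.score, reverse=True)

# Constructed sample lines, not a real event export.
SAMPLE_LOG_LINES = [
    r"2024-08-14T10:00:01 7045 ServiceName=ExampleEDRAgent;ImagePath=C:\Program Files\ExampleEDR\agent.exe;ServiceType=user mode service;StartType=auto start",
    r"2024-08-14T10:05:12 7045 ServiceName=vendor_nic_stub;ImagePath=\SystemRoot\System32\drivers\vendor_nic_stub.sys;ServiceType=kernel mode driver;StartType=demand start",
    r"2024-08-14T10:07:40 7045 ServiceName=svc_tmp;ImagePath=\??\C:\Users\Public\drv.sys;ServiceType=kernel mode driver;StartType=demand start;SHA256=" + PLACEHOLDER_BLOCKED_SHA256,
    r"2024-08-14T10:08:02 7036 ServiceName=ExampleEDRAgent;State=stopped",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG_LINES):
        print(f"{f.ts} score={f.score} service={f.service} image={f.image}")
        for r in f.reasons:
            print("   -", r)
```

On the constructed sample, the legitimate vendor driver in `System32\drivers` scores 1 and would normally be tuned out, while the driver dropped under `C:\Users\Public`, matching the blocklist and followed 22 seconds later by the EDR service stopping, scores 11. The correlation window is deliberately short because a BYOVD killer tends to stop the EDR almost immediately after the driver service is created; widen `window_s` to trade precision for recall.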
Source: The Register
The European Cyber Intelligence Foundation is a nonprofit think tank specializing in intelligence and cybersecurity, offering consultancy services to government entities. To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.