Your antivirus is under attack from new “killer” tool – here’s what we know
- EDRKillShifter is getting a dangerous upgrade
- The new malware can disable AV and EDR from reputable vendors
- Sophos, Bitdefender, and Kaspersky among the tools being targeted
Cybercriminals appear to have improved their antivirus-killing capabilities, as recent research suggest a new tool being shared within the underground community.
In a new report, security researchers from Sophos said multiple ransomware groups are successfully disabling endpoint detection and response (EDR) systems before deploying the encryptor.
Originally, the group known as RansomHub developed a tool called EDRKillShifter, which Sophos says is now made obsolete thanks to this new and improved variant. The new tool can disable security software from multiple high-end vendors such as Sophos, Bitdefender, and Kaspersky.
You may like
-
-
-
Shifting strategies
The malware is often packed using a service called HeartCrypt, which obfuscates the code to evade detection.
Sophos found the attackers are using all sorts of obfuscation and anti-analysis techniques to protect their tools from security defenders, and in some cases, they’re even using signed drivers (either stolen or compromised).
In one case, the malicious code was embedded inside a legitimate utility, Beyond Compare’s Clipboard Compare tool, the researchers explained.
Sophos also said that multiple ransomware groups are using this new EDR-killing tool, suggesting a high level of collaboration between players.
EDRKillShifter was first spotted in mid-2024, after a failed attempt to disable an antivirus and deploy ransomware.
Sophos then uncovered that the malware dropped a legitimate, but vulnerable driver.
Now, it seems there is a new method – taking an already legitimate executable and modifying it locally by inserting malicious code and payload resources (as was the case with Beyond Compare’s tool). This is often done after the attacker has access to a
Be the first to write a comment.
