- EDRKillShifter gets a dangerous upgrade
- The new malware can disable AV and EDR products from well-known vendors
- Sophos, Bitdefender and Kaspersky among the targeted tools
Cybercriminals appear to have improved their antivirus-killing capabilities, with recent research suggesting that a new tool is being shared within the underground community.
In a new report, Sophos security researchers said that several ransomware groups are disabling endpoint detection and response (EDR) systems before deploying the encryptor.
The group known as RansomHub originally developed a tool called EDRKillShifter which, according to Sophos, has now been superseded by this new, improved variant. The new tool can disable security software from several major vendors, including Sophos, Bitdefender and Kaspersky.
Changing strategies
The malware is often packed using a service called HeartCrypt, which obfuscates the code to evade detection.
Sophos found that the attackers use a range of obfuscation and anti-analysis techniques to protect their tools from defenders, and in some cases they even use signed drivers (stolen or compromised).
In one case, the malicious code was embedded in a legitimate utility, the file-comparison tool Beyond Compare, the researchers explained.
Sophos also said that several ransomware groups are using this new EDR killer, suggesting a high level of collaboration between threat actors.
EDRKillShifter was first spotted in mid-2024, after a failed attempt to disable an antivirus product and deploy ransomware.
Sophos then discovered that the malware had dropped a legitimate but vulnerable driver (the "bring your own vulnerable driver", or BYOVD, technique).
Now there appears to be a new method: taking an already legitimate executable and modifying it locally by inserting code and payload resources (as was done with Beyond Compare). This is typically done after the attacker already has access to a victim's machine, or when building a malicious package that poses as legitimate software.
To defend against this threat, Sophos advises users to check whether their endpoint protection products implement tamper protection, and that it is actually enabled.
In addition, companies should practise "strong hygiene" around Windows security roles, because the attack is only possible if the attacker can escalate the privileges of an account they already control, or otherwise obtain administrative rights.
Finally, companies should keep their systems up to date, because Microsoft has recently begun retiring (revoking or blocklisting) older signed drivers.
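The three recommendations above (tamper protection on, tight control of local administrators, vulnerable-driver blocklisting) can be audited from an elevated PowerShell prompt. The script below is an added example written for this page, not code from the Sophos report or the article, and it assumes Microsoft Defender is the endpoint product (other vendors expose their tamper-protection state in their own console) and that the Windows registry value `VulnerableDriverBlocklistEnable` under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config` reflects the blocklist toggle. The driver filter at the end is a constructed triage heuristic, not a Sophos detection rule.

```powershell
# Added example: audit a Windows endpoint against the three defensive points above.
# Assumes Microsoft Defender and an elevated session. Not code from Sophos or the article.

# 1. Tamper protection. An EDR killer must switch the AV off; tamper protection turns that
#    into a privileged, audited operation instead of a simple service stop.
$status = Get-MpComputerStatus
[pscustomobject]@{
    Check  = 'Defender tamper protection'
    Result = if ($status.IsTamperProtected) { 'OK' } else { 'FAIL - enable via Windows Security or Intune' }
}

# 2. Admin hygiene. Loading a driver requires local admin (or an escalation path to it).
#    Every member of Administrators that you cannot explain is a finding.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 3. Vulnerable driver blocklist. Microsoft maintains a list of known-abusable signed drivers;
#    this registry value (an assumption documented in the lead-in) reflects whether it is on.
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
$blocklistOn = ($ci.VulnerableDriverBlocklistEnable -eq 1)
[pscustomobject]@{
    Check  = 'Microsoft vulnerable driver blocklist'
    Result = if ($blocklistOn) { 'OK' } else { 'FAIL - enable under Windows Security > Device security > Core isolation' }
}

# Triage of running kernel drivers (constructed heuristic). A BYOVD driver is usually
# *validly* signed, so signature status alone is not enough: also flag drivers loaded from
# outside %SystemRoot%\System32\drivers, which is where a dropped driver tends to live.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise the NT-style paths WMI returns ("\??\C:\..." or "\SystemRoot\...").
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name            = $_.Name
            Path            = $path
            SigStatus       = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer          = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
            OutsideDriverDir = -not ($path -like "$driverDir\*")
        }
    } |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.OutsideDriverDir } |
    Format-Table -AutoSize
```

The last table is a starting point for review rather than a verdict: legitimate third-party drivers (VPN clients, hardware vendors) also load from outside the system driver directory, so each hit should be matched against the vendor's known hashes, and a validly signed driver that appears on Microsoft's blocklist is still a finding even though it passes the signature check.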