Sophos researchers found that the malware can deliver various driver payloads based on the attackers' needs
The new malware, "EDRKillShifter," was released by the ransomware group RansomHub with the intention of disabling Endpoint Detection and Response (EDR) security software through Bring Your Own Vulnerable Driver (BYOVD) attacks. The malware, discovered by Sophos researchers during a May 2024 investigation, utilizes a legitimate but vulnerable driver on targeted systems to escalate privileges, disable security defenses, and gain control.
EDRKillShifter follows a three-step process: it decrypts and executes an embedded resource in memory, unpacks the final payload, and exploits a vulnerable driver to disable active EDR processes. Sophos researchers found that the malware can deliver various driver payloads based on the attackers' needs and that its compilation suggests a Russian localization. During the May incident, the malware attempted to terminate Sophos protection, but failed when the endpoint agent’s CryptoGuard feature was triggered. The attackers' attempts to execute ransomware on the compromised machine were also thwarted. Sophos discovered two EDRKillShifter samples that both took advantage of vulnerable drivers with proof-of-concept exploits on GitHub. The malware’s ability to terminate security processes using legitimate drivers highlights a growing trend among ransomware operators and state-backed groups.
Sophos advises enabling tamper protection in security products, maintaining a clear separation between user and admin privileges, and keeping systems updated. The discovery of EDRKillShifter follows last year’s revelation of AuKill, another EDR-killing malware used in Medusa Locker and LockBit ransomware attacks. This latest development underscores the need for heightened vigilance against sophisticated malware designed to bypass traditional security measures.
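The BYOVD sequence the article describes (a signed but vulnerable driver loaded from wherever the attacker dropped it, followed by security processes being terminated) can be surfaced from driver-load and process-exit telemetry. The following is an added example, not code from the article or from Sophos: it correlates Sysmon Event ID 6 (driver loaded) with Event ID 5 (process terminated) records; the Sysmon field names are real, while the log records, hashes, paths and process names are constructed placeholders.

```python
"""Flag the BYOVD EDR-kill pattern: a driver loaded from a user-writable path or with a
known-vulnerable hash, followed shortly by a security process exiting.
Constructed sample data; replace the placeholder lists with your own."""
from datetime import datetime, timedelta
import re

# Placeholder blocklist / EDR process names (constructed, not real values).
VULNERABLE_DRIVER_SHA256 = {"DEADBEEF" * 8}
EDR_PROCESSES = {"edr_agent.exe", "edr_service.exe"}
# BYOVD drivers are usually signed, so signature status is not a discriminator;
# the load location is.  Matches common user-writable folders.
USER_WRITABLE = re.compile(r"\\(temp|downloads|programdata|users\\public)\\", re.I)
WINDOW = timedelta(minutes=5)

# Constructed Sysmon-style records (EventID 6 = DriverLoad, 5 = ProcessTerminate).
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2024-05-20 10:00:00.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\afd.sys", "Hashes": "SHA256=" + "11" * 32},
    {"EventID": 6, "UtcTime": "2024-05-20 10:01:00.000",
     "ImageLoaded": r"C:\Users\Public\Temp\legit_but_old.sys",
     "Hashes": "SHA256=" + "deadbeef" * 8 + ",MD5=" + "00" * 16},
    {"EventID": 5, "UtcTime": "2024-05-20 10:01:30.000",
     "Image": r"C:\Program Files\Vendor\edr_agent.exe"},
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def sha256_of(hashes_field):
    """Sysmon writes 'SHA256=...,MD5=...'; return the SHA256 value (upper-cased) or None."""
    for part in hashes_field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().upper()
    return None

def driver_load_reasons(event):
    """Why an Event ID 6 record looks like a BYOVD load; empty list means benign."""
    reasons = []
    if USER_WRITABLE.search(event["ImageLoaded"]):
        reasons.append("driver loaded from user-writable path")
    if sha256_of(event.get("Hashes", "")) in VULNERABLE_DRIVER_SHA256:
        reasons.append("hash on known-vulnerable-driver list")
    return reasons

def find_edr_kill_chains(events, window=WINDOW):
    """Pair each suspicious driver load with a security process exiting within `window`."""
    loads = [(parse_time(e["UtcTime"]), e) for e in events
             if e["EventID"] == 6 and driver_load_reasons(e)]
    hits = []
    for e in events:
        if e["EventID"] != 5 or e["Image"].rsplit("\\", 1)[-1].lower() not in EDR_PROCESSES:
            continue
        for t_load, load in loads:
            if timedelta(0) <= parse_time(e["UtcTime"]) - t_load <= window:
                hits.append((load["ImageLoaded"], e["Image"], driver_load_reasons(load)))
    return hits
```

Run against real telemetry, `find_edr_kill_chains` should fire on a single chain; a lone driver load from a user-writable path is worth an alert on its own even without a subsequent EDR process exit.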