Your antivirus is under attack from new "killer" tool - here's what we know

News
By published

EDRKillShifter was targeting some of the most popular AV around

Secure technology. Polygonal wireframe shield with check mark sign on dark blue. Secure service, protect data, cyber shield, antivirus solution, internet safety, firewall system, privacy
(Image credit: Shutterstock)
  • EDRKillShifter is getting a dangerous upgrade
  • The new malware can disable AV and EDR from reputable vendors
  • Sophos, Bitdefender, and Kaspersky among the tools being targeted

Cybercriminals appear to have improved their antivirus-killing capabilities, as recent research suggest a new tool being shared within the underground community.

In a new report, security researchers from Sophos said multiple ransomware groups are successfully disabling endpoint detection and response (EDR) systems before deploying the encryptor.

Originally, the group known as RansomHub developed a tool called EDRKillShifter, which Sophos says is now made obsolete thanks to this new and improved variant. The new tool can disable security software from multiple high-end vendors such as Sophos, Bitdefender, and Kaspersky.

Shifting strategies

The malware is often packed using a service called HeartCrypt, which obfuscates the code to evade detection.

Sophos found the attackers are using all sorts of obfuscation and anti-analysis techniques to protect their tools from security defenders, and in some cases, they’re even using signed drivers (either stolen or compromised).

In one case, the malicious code was embedded inside a legitimate utility, Beyond Compare’s Clipboard Compare tool, the researchers explained.

Sophos also said that multiple ransomware groups are using this new EDR-killing tool, suggesting a high level of collaboration between players.

EDRKillShifter was first spotted in mid-2024, after a failed attempt to disable an antivirus and deploy ransomware.

Sophos then uncovered that the malware dropped a legitimate, but vulnerable driver.

Now, it seems there is a new method - taking an already legitimate executable and modifying it locally by inserting malicious code and payload resources (as was the case with Beyond Compare’s tool). This is often done after the attacker has access to a victim’s machine, or when creating a malicious package that pretends to be legitimate.

To defend against this threat, Sophos suggests users check whether their endpoint protection security products implement, and enable, tamper protection.

Furthermore, businesses should practice “strong hygiene” for Windows security roles, since the attack is only possible if the attacker escalates privileges they control, or if they can obtain admin rights.

Finally, businesses should keep their systems updated, as Microsoft recently started de-certifying old signed drivers.

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.