Ethical Hacking News

New EDR Killer Tool Used by Eight Different Ransomware Groups Leaves Security Teams on High Alert


Researchers from Sophos have identified a new Endpoint Detection and Response (EDR) killer tool used by eight different ransomware groups. This EDR killer tool uses a heavily obfuscated binary that is self-decoded at runtime and injected into legitimate applications, leaving security teams on high alert about the evolving nature of cyber threats.

  • Researchers from Sophos have identified a new Endpoint Detection and Response (EDR) killer tool used by eight different ransomware groups.
  • The EDR killer tool uses a heavily obfuscated binary that searches for a driver signed with a stolen or expired certificate and loads it to achieve kernel privileges.
  • Targeted vendors include Sophos, Microsoft Defender, Kaspersky, Symantec, Trend Micro, SentinelOne, Cylance, McAfee, F-Secure, HitmanPro, and Webroot.
  • Sharing of tools, and of EDR killers in particular, is a common practice among ransomware groups.
  • The discovery highlights the evolving nature of EDR killers and the need for security teams to stay vigilant and up-to-date with the latest security measures.



In a significant development that has left cybersecurity experts and security teams across the globe on high alert, researchers from Sophos have identified a new Endpoint Detection and Response (EDR) killer tool used by eight different ransomware groups. This EDR killer tool is considered to be the evolution of 'EDRKillShifter,' developed by RansomHub, and has been observed in attacks by RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC.

The new EDR killer tool uses a heavily obfuscated binary that is self-decoded at runtime and injected into legitimate applications. The tool searches for a digitally signed (stolen or expired certificate) driver with a random five-character name, which is hardcoded into the executable. If found, the malicious driver is loaded into the kernel, as required to perform a 'bring your own vulnerable driver' (BYOVD) attack, giving the tool the kernel privileges it needs to turn off security products.

The targeted vendors include Sophos, Microsoft Defender, Kaspersky, Symantec, Trend Micro, SentinelOne, Cylance, McAfee, F-Secure, HitmanPro, and Webroot. Although variants of the new EDR killer tool differ in driver names, targeted AVs, and build characteristics, they all use HeartCrypt for packing.
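The description above gives defenders three observable traits of a BYOVD-style EDR killer: a five-character driver name, a certificate that is no longer trusted, and a driver loaded from somewhere other than the system driver directory. The following is an added example, not code from Sophos or from the article, that scores constructed Sysmon Event ID 6 (DriverLoad) records on those traits; the field names follow Sysmon's DriverLoad event, while the paths, signer names and records themselves are made up for illustration.

```python
import re
from typing import Iterable

# Constructed Sysmon Event ID 6 (DriverLoad) records flattened to key=value pairs,
# as a SIEM export might look. Paths and signer names are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    "ImageLoaded=C:\\Users\\Public\\kdzvq.sys|Signed=true|Signature=Example Software Ltd|SignatureStatus=Expired",
    "ImageLoaded=C:\\Windows\\Temp\\xqprt.sys|Signed=true|Signature=Example Tools Inc|SignatureStatus=Revoked",
    "ImageLoaded=C:\\Windows\\System32\\drivers\\storahci.sys|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
]

# Traits taken from the report. Note that legitimate drivers such as tcpip.sys also
# have five-letter names, so no single trait is an alert on its own.
FIVE_CHAR_NAME = re.compile(r"^[a-z0-9]{5}\.sys$", re.IGNORECASE)
UNTRUSTED_STATUS = {"Expired", "Revoked", "Untrusted", "Unavailable"}
SUSPICIOUS_DIRS = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")

def parse_event(line: str) -> dict:
    """Split one flattened record into a field dictionary."""
    return dict(field.split("=", 1) for field in line.split("|"))

def score_driver_load(event: dict) -> list[str]:
    """Return the reasons a DriverLoad event resembles a BYOVD-style EDR killer."""
    path = event.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if FIVE_CHAR_NAME.match(name):
        reasons.append("five-character driver name")
    if event.get("SignatureStatus") in UNTRUSTED_STATUS or event.get("Signed", "").lower() != "true":
        reasons.append(f"signature status {event.get('SignatureStatus', 'unknown')}")
    if path.lower().startswith(SUSPICIOUS_DIRS):
        reasons.append("loaded from user-writable directory")
    return reasons

def find_suspicious_loads(lines: Iterable[str], min_reasons: int = 2) -> list[tuple[str, list[str]]]:
    """Flag events that show at least min_reasons traits; returns (path, reasons) pairs."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = score_driver_load(event)
        if len(reasons) >= min_reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits

if __name__ == "__main__":
    for path, reasons in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"ALERT {path}: {', '.join(reasons)}")
```

Because the driver name is hardcoded per variant and differs between builds, a production rule should also match the driver hash against a vulnerable-driver blocklist rather than rely on the name pattern alone.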

This tactic of tool sharing, especially in what concerns EDR killers, is common in the ransomware space. Apart from EDRKillShifter, Sophos also discovered another tool called AuKill, which Medusa Locker and LockBit used in attacks. SentinelOne also reported last year about FIN7 hackers selling their custom "AvNeutralizer" tool to multiple ransomware gangs.

The complete indicators of compromise associated with this new EDR killer tool are available on a GitHub repository. The discovery highlights the evolving nature of EDR killers, which have become increasingly sophisticated and are now being used by various threat actors to evade detection.

Sophos specifically notes that it's unlikely the tool was leaked and then reused by other threat actors, but is rather developed via a shared and collaborative framework. This collaboration among ransomware groups suggests a level of sophistication and coordination that makes them more formidable.

The discovery of this new EDR killer tool serves as a reminder to security teams of the ever-evolving nature of cyber threats. It underscores the importance of staying vigilant and up-to-date with the latest security measures, including regular software updates and rigorous monitoring of endpoint activity.

As cybersecurity experts continue to grapple with the implications of this discovery, it is essential to emphasize the critical need for collaboration and information-sharing among security professionals, researchers, and vendors. By pooling their collective expertise and resources, they can better identify emerging threats and develop effective countermeasures.

In conclusion, the emergence of this new EDR killer tool serves as a stark reminder of the ongoing cat-and-mouse game between cybersecurity professionals and ransomware threat actors. As threat actors continue to evolve and improve their tactics, it is imperative that security teams remain at the forefront of innovation, leveraging cutting-edge technology and rigorous analysis to stay ahead of the threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-EDR-Killer-Tool-Used-by-Eight-Different-Ransomware-Groups-Leaves-Security-Teams-on-High-Alert-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/new-edr-killer-tool-used-by-eight-different-ransomware-groups/


  • Published: Thu Aug 7 14:30:30 2025 by llama3.2 3B Q4_K_M
