- EDRKillShifter is getting a dangerous update
- The new malware can disable AV and EDR products from reputable vendors
- Sophos, Bitdefender and Kaspersky are among the tools being targeted
Cybercriminals appear to have improved their ability to kill antivirus software, as recent research suggests a new tool is being shared within the underground community.
In a new report, Sophos security researchers said that multiple ransomware groups are successfully disabling endpoint detection and response (EDR) systems before deploying the encryptor.
Originally, the group known as RansomHub developed a tool called EDRKillShifter, which according to Sophos is now obsolete thanks to this new and improved variant. The new tool can disable security software from multiple high-end vendors such as Sophos, Bitdefender and Kaspersky.
Changing strategies
The malware is often packed using a service called HeartCrypt, which obfuscates the code to evade detection.
Sophos found that attackers are using all kinds of obfuscation and anti-analysis techniques to protect their tools from defenders and, in some cases, are even using signed drivers (stolen or compromised).
In one case, the malicious code was embedded in a legitimate utility, the Beyond Compare clipboard comparison tool, the researchers explained.
Sophos also said that multiple ransomware groups are using this new EDR-killing tool, suggesting a high level of collaboration between threat actors.
EDRKillShifter was first seen in mid-2024, after a failed attempt to disable an antivirus product and deploy ransomware.
At the time, Sophos found that the malware dropped a legitimate but vulnerable driver.
Now there appears to be a new method: taking an already legitimate executable and modifying it locally by inserting malicious code and payload resources (as was the case with the Beyond Compare tool). This is often done after the attacker has gained access to a victim's machine, or when creating a malicious package that is meant to look legitimate.
To defend against this threat, Sophos suggests that users verify whether their endpoint protection products implement and enable tamper protection.
In addition, companies should practice "strong hygiene" for Windows security roles, since the attack is only possible if the attacker escalates the privileges they control, or if they can obtain administrator rights.
Finally, companies should keep their systems updated, since Microsoft recently began flagging old signed drivers.
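The following PowerShell script is an added example, not code from the article or from Sophos, that turns the three recommendations above (tamper protection, privilege hygiene, and keeping vulnerable signed drivers out) into a read-only local check, and adds a scan for the "modified legitimate executable" technique: patching payload resources into a signed binary breaks its Authenticode hash, which Get-AuthenticodeSignature reports as HashMismatch. It assumes Microsoft Defender is the installed AV (Get-MpComputerStatus) and that the $ScanPaths directories are where third-party tools live; both are assumptions, not facts from the article.

```powershell
# Added example (not from the article or from Sophos): read-only checks for the
# mitigations the article lists, plus a scan for signed-but-tampered executables.
# Assumes Microsoft Defender is the AV; adjust $ScanPaths for your environment.
# Run from an elevated prompt; it changes nothing on the system.

param(
    [string[]] $ScanPaths = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:TEMP")
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Tamper protection: an EDR killer's goal is to stop or unload the AV, so this
#    flag should be $true. Non-Defender products expose the setting elsewhere.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    if (-not $status.IsTamperProtected) {
        $findings.Add("Defender tamper protection is OFF")
    }
} catch {
    $findings.Add("Could not query Defender status (other AV? check its tamper-protection setting): $($_.Exception.Message)")
}

# 2. Microsoft's vulnerable driver blocklist, the mitigation for the
#    "drop a legitimate but vulnerable driver" behaviour described above.
#    The registry value is documented by Microsoft; if absent, Windows uses its default.
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($blocklist -ne 1) {
    $findings.Add("Vulnerable driver blocklist not explicitly enabled (VulnerableDriverBlocklistEnable=$blocklist)")
}

# 3. Privilege hygiene: the attack needs admin or escalated rights, so an
#    oversized local Administrators group widens the exposure. Threshold of 2
#    (built-in Administrator plus one managed account) is an assumption.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins -and @($admins).Count -gt 2) {
    $findings.Add("Administrators group has $(@($admins).Count) members: $(@($admins).Name -join ', ')")
}

# 4. Signed-but-modified binaries: inserting code or resources into a signed PE
#    invalidates the Authenticode hash, reported as Status = HashMismatch.
#    Unsigned files are ignored here; they are noise in most installs.
foreach ($path in $ScanPaths) {
    if (-not (Test-Path $path)) { continue }
    Get-ChildItem -Path $path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -eq 'HashMismatch') {
                $findings.Add("Signed binary no longer matches its signature: $($_.FullName) (signer: $($sig.SignerCertificate.Subject))")
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Output "No findings."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

A HashMismatch hit is not proof of compromise (vendors occasionally ship post-signing patches), but for a tool like Beyond Compare it is exactly the artifact the technique above leaves behind, so each hit is worth comparing against a known-good copy of the binary from the vendor.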