Ransomware gang deploys new malware to kill security software

pMicrosoft rereleases Exchange updates after fixing mail deliveryppSpyLoan Android malware on Google play installed 8 million timesppNew Windows Server 2012 zeroday gets free unofficial patchesppTor needs 200 new WebTunnel bridges to fight censorshipppMozilla really wants you to easily set Firefox as default Windows browserppIts only 50 to train for these CompTIA exams in this course dealppGoogle Chromes AI feature lets you quickly check website trustworthinessppNovel phising campaign uses corrupted Word documents to evade securityppHow to access the Dark Web using the Tor BrowserppHow to enable Kernelmode Hardwareenforced Stack Protection in Windows 11ppHow to use the Windows Registry EditorppHow to backup and restore the Windows RegistryppHow to start Windows in Safe ModeppHow to remove a Trojan Virus Worm or other MalwareppHow to show hidden files in Windows 7ppHow to see hidden files in WindowsppRemove the Theonlinesearchcom Search RedirectppRemove the Smartwebfindercom Search RedirectppHow to remove the PBlock adware browser extensionppRemove the Toksearchesxyz Search RedirectppRemove Security Tool and SecurityTool Uninstall GuideppHow to Remove WinFixer Virtumonde Msevents TrojanvundoppHow to remove Antivirus 2009 Uninstall InstructionsppHow to remove Google Redirects or the TDSS TDL3 or Alureon rootkit using TDSSKillerppLocky Ransomware Information Help Guide and FAQppCryptoLocker Ransomware Information Guide and FAQppCryptorBit and HowDecrypt Information Guide and FAQppCryptoDefense and HowDecrypt Ransomware Information Guide and FAQppQualys BrowserCheckppSTOPDecrypterppAuroraDecrypterppFilesLockerDecrypterppAdwCleanerppComboFixppRKillppJunkware Removal ToolppeLearningppIT Certification CoursesppGear GadgetsppSecurityppBest VPNsppHow to change IP addressppAccess the dark web safelyppBest VPN for YouTubeppppRansomHub ransomware operators are now deploying new malware to disable Endpoint Detection and Response EDR security software in Bring Your Own Vulnerable Driver BYOVD attacksppNamed EDRKillShifter by Sophos security researchers who discovered it during a May 2024 ransomware investigation the malware deploys a legitimate vulnerable driver on targeted devices to escalate privileges disable security solutions and take control of the systemppThis technique is very popular among various threat actors ranging from financially motivated ransomware gangs to statebacked hacking groupsppDuring the incident in May the threat actors we estimate with moderate confidence that this tool is being used by multiple attackers attempted to use EDRKillShifter to terminate Sophos protection on the targeted computer but the tool failed said Sophos threat researcher Andreas KlopschppThey then attempted to run the ransomware executable on the machine they controlled but that also failed when the endpoint agents CryptoGuard feature was triggeredppWhile investigating Sophos discovered two different samples both with proofofconcept exploits available on GitHub one exploiting a vulnerable driver known as RentDrv2 and another exploiting a driver called ThreatFireMonitor a component of a deprecated systemmonitoring packageppSophos also found that EDRKillShifter can deliver various driver payloads based on the attackers needs and that the malwares language property suggests it was compiled on a computer with Russian localizationppThe loaders execution involves three steps first the attacker launches the EDRKillShifter binary with a password string to decrypt and execute an embedded resource named BIN in memory This code then unpacks and executes the final payload which drops and exploits a vulnerable legitimate driver to escalate privileges and disable active EDR processes and servicesppAfter the malware creates a new service for the driver starts the service and loads the driver it enters an endless loop that continuously enumerates the running processes terminating processes if their name appears in a hardcoded list of targets Klopsch addedppIt is also worth noting that both variants exploit legitimate though vulnerable drivers using proofofconcept exploits available on Github We suspect that the threat actors copied portions of these proofsofconcept modified them and ported the code to the Go languageppSophos recommends enabling tamper protection in endpoint security products maintaining a separation between user and admin privileges to prevent attackers from loading vulnerable drivers and keeping systems updated given that Microsoft keeps decertifying signed drivers known to have been misused in previous attacksppLast year Sophos spotted another EDRkilling malware dubbed AuKill which abused a vulnerable Process Explorer driver in Medusa Locker and LockBit ransomware attacks AuKill is similar to an opensource tool known as Backstab which also exploits a vulnerable Process Explorer driver and has been used by the LockBit gang in at least one attack observed by Sophos XOpsppBologna FC confirms data breach after RansomHub ransomware attackppNew Ymir ransomware partners with RustyStealer in attacksppHalliburton reports 35 million loss after ransomware attackppRussia arrests cybercriminal Wazawaka for ties with ransomware gangsppHelldown ransomware exploits Zyxel VPN flaw to breach networksppI have tamper proof enabled in my Malwarebytes program setting ppNot a member yet Register NowppNew Windows Server 2012 zeroday gets free unofficial patchesppNew Rockstar 2FA phishing service targets Microsoft 365 accountsppSpyLoan Android malware on Google play installed 8 million timesppWhy Cybersecurity Leaders Trust the MITRE ATTCK EvaluationsppHow to leverage 200 million FCC program boosting K12 cybersecurityppSolving the painful password problem with better policiesppThe Actual Cost of Forgotten PasswordsppCynet delivers 426 ROI in Forrester Total Economic Impact StudyppTerms of Use Privacy Policy Ethics Statement Affiliate DisclosureppCopyright 2003 2024 Bleeping Computer LLC All Rights ReservedppNot a member yet Register NowppRead our posting guidelinese to learn what content is prohibitedp