Hunting for RansomHub and Antivirus Killers | Intel 471

Hunting for RansomHub and Antivirus Killers

Sep 09, 2024

Threat actors always seek new techniques and tools that make it easier to infiltrate an environment, persist, and perform malicious activity. One of the obstacles to this is antivirus or Endpoint Detection and Response (EDR). Rather than attempting to evade EDR detection, threat actors are increasingly implementing tools known as “EDR killers.” These tools attempt to either disable EDR completely or blind specific EDR processes, enabling actors to take over an environment unimpeded by active EDR.

One threat actor that has employed this technique is RansomHub, a ransomware-as-a-service (RaaS) affiliate program. Researchers at Sophos discovered that RansomHub had recently integrated what it calls EDRKillShifter. The tool highlights the growing sophistication of EDR killers. In the past two years, financially motivated threat actor FIN7 and the ransomware group Black Basta adopted the EDR killer AvNeutralizer tool (aka AuKill). RaaS group Alphv/BlackCat deployed a version of another EDR killer POORTRY. Yet another EDR killer, dubbed Terminator, appeared on a Russian hacking forum in June 2023.

In the past, ransomware actors have launched an EDR killer just before deploying the ransomware. Threat hunters can therefore proactively defend against potential ransomware attacks by looking for evidence of EDR killer behaviors and other precursors to ransomware events in their environment. Minutes matter in these circumstances, which is why the ability to run more threat hunts with minimal groundwork can mean the difference between a breach and a ransomware event. We’ll explain how to do this in six steps below.

1. RansomHub profile


RansomHub is a relatively new but now prolific threat, emerging in February 2024. It counted 107 victims, primarily from North America and Europe, on its name-and-shame blog as of July. Its growth in popularity with established ransomware actors coincided with the law enforcement operation against the LockBit RaaS earlier this year. Notably, it forbids affiliates from targeting entities in China, Cuba, North Korea, Romania and Commonwealth of Independent States (CIS) countries.

While RansomHub’s tactics are similar to other RaaS programs, what sets it apart is its advanced evasion techniques and use of custom ransomware designed to target Linux, VMware ESXi hypervisor and Windows operating systems. RansomHub has been observed gaining initial access through phishing emails, unpatched vulnerabilities, and with compromised RDP, VPN and Citrix credentials.


2. Launch a hunt in seconds across multiple security platforms


To begin hunting for this threat, we can look at the threat’s tactics, techniques and procedures (TTPs). The TTPs comprise current behaviors the malware is using and are less likely to be changed by the malware’s operators. TTPs can be sourced from vendors and independent researchers. We prefer hands-on malware analysis and build Hunt Packages that tap directly into analysis by Intel 471’s Malware Intelligence and Vulnerability Intelligence teams because we can fully trust this source and know how current it is. It also enables us to update Hunt Packages on the 471HUNTER platform faster as TTPs evolve.

These TTP-based Hunt Packages enable threat hunt teams to click on pre-written queries customized for the EDR and SIEM platforms they’re using — whether it’s CrowdStrike Falcon, CarbonBlack Response, Microsoft Defender, Microsoft Sentinel, Palo Alto Cortex XDR, QRadar Query, SentinelOne, or Splunk. This broad support helps hunt teams in organizations that use multiple security tools.

These platform-specific, pre-written and pre-validated queries save weeks of effort for threat hunt teams, who don’t need to research TTPs and then write and validate unique queries for each platform. We also don’t create a massive library of “detection rules” tied to a specific threat and don’t need to create new rules for detections that overlap with other threats. That’s because one detection rule could be tied to a single artifact or indicator that is often only applicable in a moment in time. This approach could require a hunter to execute excessive rule-based hunts for one targeted threat, which is distracting and inefficient.

We also want to scale threat hunting capabilities for all threat hunters. Therefore we need to be accurate, reliable, and to minimize false positives. Before we create a Hunt Package or tag a Package to a specific threat actor, we aim to capture evidence from hands on analysis or at least two sources in the form of logs, commands, or artifacts that would be guaranteed in an attack.

These Hunt Packages allow hunters to search for evidence of relevant behaviors even in the absence of a specific detection. Hunt Packages are continuously updated based on actors adopting or employing new techniques and behaviors. Over time, we tag packages with threat actors such as RansomHub once we are confident they have used a specific behavior.


3. Hunting for EDRKillShifter


To begin hunting for this threat, we can look at TTPs detailed in Sophos’ EDRKillshifter analysis. But we also want to identify any crossover with attack chains related to other threat actors and methods used by RansomHub.

The EDRKillShifter binary loads a legitimate but vulnerable driver that can be exploited to elevate privileges and disable active EDR processes and services. This technique is often called “Bring Your Own Vulnerable Driver” or BYOVD and was also used by AuKill and Terminator. The BYOVD technique enables attackers to ship their malware with a vulnerable driver used by a legitimate application, drop it, and exploit it to gain high privileges or to remain discreet in the environment.

Our threat hunters determined that the EDRKillShifter BYOVD is consistently written to one of the folders that we describe in an existing Hunt Package called Driver File Created in Temp Directory - Potential Malware Installation. This package was originally tagged with the Alphv/BlackCat actors.

Hence, we updated this Hunt Package to include coverage of EDRKillShifter and RansomHub employing the BYOVD technique. This Hunt Package is designed to identify when a file write is observed for a .sys file in the AppData\Temp Windows directory. This behavior can indicate that malware or an attacker is attempting to hide their malware as a "legitimate" driver file, or dropping a legitimate driver that is vulnerable so the attacker can gain necessary execution privileges.

It means we can say with high confidence that if your environment was affected by EDRKillShifter — and you have the proper logging and telemetry — you would be able to identify it. We want to be accurate enough to identify a behavior but not so precise in our hunt scope that we pick up false positives or miss malicious behaviors used by multiple actors or tools. In the end, threat hunters still need to manually validate evidence they find. However, this is made easier with each Hunt Package’s Analyst Notes, which provide context for the analyst to assist with attribution and show examples of what malicious activity may look like. In addition to Analyst Notes, we provide emulation and validation packages in the Hunt Package so hunters can ensure they have the proper telemetry and visibility to identify the targeted behavior or technique, which can improve security posture by identifying gaps in visibility.


4. Hunt for RansomHub and other malicious behaviors


We also determined that EDRKillShifter imitates the process that was performed by the Terminator malware. Terminator is why we originally created the Driver File Created in Temp Directory - Potential Malware Installation Hunt Package.

The processes for the Terminator malware are described in the Hunt Package, Uniquely Named Driver Writes With FileNames Between 4-10 Characters - Potential Terminator Driver Write. We’ve added a RansomHub tag to this Hunt Package too. It contains query logic to identify when an environmentally unique driver name between 4 and 10 characters in length has been written to the Windows default drivers directory. Terminator malware will drop a vulnerable driver (such as the reported signed Zemana anti-malware kernel driver) and will name it a random string between 4 and 10 characters within the Windows default drivers folder. This technique allows the attacker to run kernel-level activities via the driver.
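As an added illustration of the two behaviors above (the .sys write into a Temp directory from section 3, and the uniquely named 4-10 character driver write from this section), the following Python script runs both checks over a constructed set of file-creation events shaped like Sysmon Event ID 11 fields. It is not the query logic of Intel 471’s Hunt Packages, which is written per platform; the hosts, users, paths, driver names and the “seen on only one host” approximation of “environmentally unique” are assumptions of this example.

```python
"""Hunt logic for two driver-drop behaviors over constructed file-creation events."""
import re
from collections import defaultdict

# Constructed events in the shape of Sysmon Event ID 11 (FileCreate) fields.
# Hosts, users, paths and driver names are made up for this example.
EVENTS = [
    {"host": "WS01", "user": "CORP\\bob",
     "image": r"C:\Users\bob\AppData\Local\Temp\loader.exe",
     "target": r"C:\Users\bob\AppData\Local\Temp\abcd.sys"},
    {"host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"host": "WS02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"host": "WS03", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"host": "WS02", "user": "CORP\\alice",
     "image": r"C:\Users\alice\Downloads\update.exe",
     "target": r"C:\Windows\System32\drivers\vmhxq.sys"},
    {"host": "WS03", "user": "CORP\\carol",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Windows\Temp\report.docx"},
    {"host": "WS03", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Windows\System32\drivers\vendorstoragefilter.sys"},
]

# Behavior 1: a .sys file written beneath any directory named Temp
# (covers C:\Windows\Temp and the per-user AppData ...\Temp path).
TEMP_SYS = re.compile(r"\\temp\\[^\\]+\.sys$", re.IGNORECASE)

# Behavior 2: a .sys file written to the default drivers directory; group 1 is the stem.
DRIVERS_DIR = re.compile(r"^c:\\windows\\system32\\drivers\\([^\\]+)\.sys$", re.IGNORECASE)


def temp_driver_writes(events):
    """Return events where a driver file was written to a Temp directory."""
    return [e for e in events if TEMP_SYS.search(e["target"])]


def unique_short_driver_writes(events, min_len=4, max_len=10):
    """Return driver writes whose stem is 4-10 characters and is seen on only one host.

    'Seen on only one host' is this example's approximation of an environmentally
    unique name; a real hunt would also baseline against known-good driver inventories.
    """
    hosts_by_stem = defaultdict(set)
    for e in events:
        m = DRIVERS_DIR.match(e["target"])
        if m:
            hosts_by_stem[m.group(1).lower()].add(e["host"])

    hits = []
    for e in events:
        m = DRIVERS_DIR.match(e["target"])
        if not m:
            continue
        stem = m.group(1).lower()
        if min_len <= len(stem) <= max_len and len(hosts_by_stem[stem]) == 1:
            hits.append(e)
    return hits


def hunt(events):
    """Run both behaviors and return (behavior, host, writing image, target) tuples."""
    findings = []
    for e in temp_driver_writes(events):
        findings.append(("driver_in_temp", e["host"], e["image"], e["target"]))
    for e in unique_short_driver_writes(events):
        findings.append(("unique_short_driver", e["host"], e["image"], e["target"]))
    return findings


if __name__ == "__main__":
    for behavior, host, image, target in hunt(EVENTS):
        print(f"{behavior:20} {host:5} {image} -> {target}")
```

Run as-is, the script reports the abcd.sys write in bob’s Temp folder and the vmhxq.sys write on WS02; tcpip.sys is ignored because it appears on three hosts, and the long vendor driver name falls outside the 4-10 character window. Every hit still carries the writing image and user so the analyst can start the process-chain review the post describes in section 6.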

These two Hunt Packages are part of eight Hunt Packages currently in the RansomHub Ransomware Emerging Threat Collection, which are available to anyone with a 471HUNTER subscription.


5. Tactical intelligence and attribution


When hunting for threats which may not have a detection, context is critical. We provide the context of various threats utilizing the BYOVD behavior and how they employed it within the Analyst Notes section of the Hunt Package.

Because most Hunt Packages are intended to identify a behavior or technique, and not a single malware or actor, each hunt completed by a threat hunter could identify multiple threats. While we leave the role of attribution to the threat hunter, the context in the Analyst Notes helps threat hunters review the results of the hunt and apply preliminary attribution based on how each threat has employed the behavior or technique.

But before spending time on threat attribution, the threat hunt must focus on confirming malicious activity and completing root cause analysis. At the initial analysis phase of reviewing the results of the hunt, the threat hunter is more focused on parsing benign and malicious activity, which is where our Hunt Packages aim to help. After that, the threat hunter can consider attribution.

That’s why 471HUNTER packages focus on behaviors over detections. Even if actors change their methods slightly — such as modifying a folder, file name, or binaries — to subvert detection, the hunt will still capture it.


6. Threat mitigation


The hunt is not over once malicious behavior is identified. Threat hunting is iterative. The next step in this phase of the threat hunt is mitigation, which may open new lines of inquiry and prompt new hunts. All our Hunt Packages contain mitigation recommendations for the malicious behavior. For the EDRKillShifter-tagged Driver File Created in Temp Directory - Potential Malware Installation package, we recommend that analysts who identify this behavior review the process data related to the driver file creation or modification event.

Key recommended steps for this include:

  • Review the commands issued by the process which made the suspicious file, its parent process, what user or permission level the process ran as, and if there are any unusual discrepancies in the process chain.

  • An example of a discrepancy that warrants further investigation could be an unusual or randomly named file or parent process (bad.exe), or if the process chain appears to not be user generated in nature.

  • If a suspicious binary, script, or other artifact is identified in the investigation that is indicative of a nefarious action, we recommend quarantining the host from the network and initiating typical incident response measures against such an infection.

  • Also, search other potentially impacted hosts to determine if there are other instances of suspicious file writes to the 'C:\Windows\temp\' or 'C:\Windows\System32\drivers\' directory. Hash values, strings, and other indicators derived from the analysis of the suspicious file can be searched across the environment for the identification of other potentially impacted hosts.

  • Analysts can also review endpoint logs for further evidence of compromise, such as behavior indicative of file encryption, domain enumeration, privilege escalation, or lateral movement.
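The process-chain review and cross-host sweep from the steps above, as an added example that is not from the post or from the 471HUNTER package. The process chain and file events are constructed; the random-name heuristic (character entropy over the file stem), the explorer.exe test for user-generated chains, the list of user-writable path segments and the placeholder SHA-256 values are assumptions of this example.

```python
"""Triage of a flagged driver write: process-chain review and a cross-host hash sweep."""
import math
import re
from collections import Counter

# Constructed process chain for one flagged event, root first, writing process last.
# Field shapes mimic common EDR process telemetry; nothing here is real data.
CHAIN = [
    {"image": r"C:\Windows\explorer.exe", "user": "CORP\\bob",
     "cmdline": "explorer.exe"},
    {"image": r"C:\Users\bob\Downloads\update.exe", "user": "CORP\\bob",
     "cmdline": "update.exe /silent"},
    {"image": r"C:\Users\bob\AppData\Local\Temp\x7q2wz9kf.exe", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "x7q2wz9kf.exe -d"},
]

# Constructed file-creation events with placeholder SHA-256 values (not real hashes).
FILE_EVENTS = [
    {"host": "WS01", "target": r"C:\Users\bob\AppData\Local\Temp\abcd.sys", "sha256": "aa" * 32},
    {"host": "WS02", "target": r"C:\Windows\System32\drivers\vmhxq.sys", "sha256": "bb" * 32},
    {"host": "WS04", "target": r"C:\Windows\Temp\xyzw.sys", "sha256": "aa" * 32},
]

# Path segments a standard user can write to (assumption of this example).
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|programdata|public)\\", re.IGNORECASE)
SYSTEM_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                   "nt authority\\network service"}


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(filename, threshold=3.0):
    """Heuristic (an assumption of this example): a file stem whose character entropy
    exceeds the threshold is treated as random-looking. A stem like explorer (2.5 bits)
    passes; a stem such as x7q2wz9kf (about 3.17 bits) is flagged."""
    stem = filename.lower().rsplit(".", 1)[0]
    return shannon_entropy(stem) > threshold


def review_chain(chain):
    """Apply the review steps to a process chain and return human-readable discrepancies."""
    findings = []
    names = [p["image"].rsplit("\\", 1)[-1].lower() for p in chain]

    # Interactive, user-generated chains descend from the shell (assumption of this example).
    if "explorer.exe" not in names:
        findings.append("chain does not descend from explorer.exe; may not be user generated")

    for proc, name in zip(chain, names):
        if looks_random(name):
            findings.append(f"random-looking image name: {name}")
        if USER_WRITABLE.search(proc["image"]):
            findings.append(f"image executes from a user-writable path: {proc['image']}")

    # A child running at a higher level than its parent needs an explanation.
    for parent, child in zip(chain, chain[1:]):
        if (parent["user"].lower() not in SYSTEM_ACCOUNTS
                and child["user"].lower() in SYSTEM_ACCOUNTS):
            findings.append(f"privilege jump {parent['user']} -> {child['user']} "
                            f"at {child['image']}")
    return findings


def sweep_hosts(file_events, sha256):
    """Return every host on which a file with this hash was written."""
    return sorted({e["host"] for e in file_events if e["sha256"].lower() == sha256.lower()})


if __name__ == "__main__":
    for finding in review_chain(CHAIN):
        print("discrepancy:", finding)
    print("hosts with the same driver hash:", sweep_hosts(FILE_EVENTS, "aa" * 32))
```

On the constructed chain the review returns four discrepancies: a random-looking image name, two images executing from user-writable paths, and a jump from bob’s account to SYSTEM at the process that wrote the driver. The sweep then turns the hash of that driver into a list of other hosts to examine, which is the input for the quarantine and incident-response decisions the analyst still has to make.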


Please reach out to us if your team wants to learn more about operationalizing your CTI data with threat hunting scoped for behaviors you want to find. For more information on the 471HUNTER platform and threat hunting, please contact Intel 471.
