New 'EDR-killer' Tool Targets Antivirus Solutions — What Security Teams Must Know | Smarti News – AI-Powered Breaking News on Tech, Crypto, Auto & More
New 'EDR-killer' Tool Targets Antivirus Solutions — What Security Teams Must Know


2025-08-12
Julia Bennett


Overview: a new threat against endpoint protection

Cybersecurity researchers have identified a new underground tool that effectively neutralizes endpoint detection and response (EDR) and antivirus software before ransomware is deployed. According to a recent analysis by Sophos, several ransomware groups are already using this enhanced EDR-killer to disable protection from major vendors, including Sophos, Bitdefender and Kaspersky. This represents a worrying evolution in malware designed specifically for antivirus bypass and privilege escalation.

How the EDR-killer works

Packaging and obfuscation

The malware is frequently packed with obfuscation services such as HeartCrypt to evade signature-based detection and automated analysis. Attackers employ multiple anti-analysis techniques and even abuse signed drivers — some stolen or compromised — to gain trusted execution on Windows hosts.

Living-off-the-land and executable tampering

Researchers observed a shift from dropping vulnerable drivers to directly modifying legitimate executables. In one case, the attackers injected malicious payloads into Beyond Compare’s Clipboard Compare utility, creating a binary that appears legitimate but contains malicious resources. This method enables attackers to craft seemingly authentic installers or tools that bypass casual inspection.

Product features, comparisons and advantages of the new tool

  • Multi-vendor impact: Unlike earlier variants such as EDRKillShifter, the new tool targets multiple high-end EDR and antivirus platforms, increasing its utility for different ransomware groups.
  • Improved stealth: Packing, code obfuscation and use of signed components give it an operational advantage over older techniques.
  • Reusability: The tool is shared within underground communities, accelerating adoption and refinement across threat actors.

Compared to the original EDRKillShifter (first seen mid-2024), the latest variant avoids relying solely on vulnerable drivers and instead modifies trusted executables, making detection and attribution harder for defenders.

Use cases and market relevance

This tool is primarily employed in pre-ransomware stages: initial access, privilege escalation and security disablement. Organizations in critical infrastructure, healthcare, finance and MSPs are particularly at risk due to the high payoff for attackers. For cybersecurity vendors and incident response providers, the rise of EDR-killers underscores demand for advanced threat intelligence, runtime protection, and behavior-based detection.

Mitigation: practical defenses for teams

  • Enable tamper protection: Confirm that endpoint protection products have tamper protection or self-defense enabled to prevent local modification.
  • Enforce least privilege and secure Windows roles: Strong account hygiene and limiting administrative rights reduce the chance attackers can escalate privileges.
  • Keep systems and drivers updated: Microsoft has begun de-certifying old signed drivers; patching and deprecating legacy drivers limits abuse of signed components.
  • Monitor for anomalous executable modification and code-signing anomalies: Behavioral EDR, driver integrity monitoring and file integrity checks help detect tampering.
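The tampering technique described above, injecting a payload into a legitimate signed executable, leaves a footprint that the last two mitigations can catch: the file's bytes no longer match its Authenticode signature, and its hash differs from a known-good baseline. The following PowerShell script is an added example, not code from the article or from Sophos' analysis; the scan directory and baseline file location are placeholder assumptions, and it uses only the built-in `Get-AuthenticodeSignature` and `Get-FileHash` cmdlets.

```powershell
# Added example (not from the article or Sophos): record a baseline of executables
# under a directory, then on later runs flag files whose Authenticode signature no
# longer matches their contents (HashMismatch), files missing from the baseline,
# and files whose SHA-256 or signer changed. Paths below are placeholders.
param(
    [string]$ScanPath = 'C:\Program Files\ExampleVendor',            # hypothetical install directory
    [string]$BaselinePath = "$env:ProgramData\exe-baseline.json",    # hypothetical baseline location
    [switch]$Rebaseline
)

function Get-ExecutableState {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

$current = Get-ExecutableState -Path $ScanPath

# First run (or explicit -Rebaseline): persist the current state as the known-good baseline.
if ($Rebaseline -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written: $BaselinePath ($($current.Count) files)"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$baselineByPath = @{}
foreach ($b in $baseline) { $baselineByPath[$b.Path] = $b }

$findings = foreach ($c in $current) {
    # A signed file whose signature no longer covers its bytes is the classic
    # footprint of a payload injected into a legitimate executable.
    if ($c.SigStatus -eq 'HashMismatch') {
        [pscustomobject]@{ Path = $c.Path; Finding = 'Signed file modified after signing (HashMismatch)' }
    }
    $b = $baselineByPath[$c.Path]
    if (-not $b) {
        [pscustomobject]@{ Path = $c.Path; Finding = 'New executable not present in baseline' }
    }
    elseif ($b.Sha256 -ne $c.Sha256) {
        [pscustomobject]@{ Path = $c.Path; Finding = "Content changed since baseline (signature was $($b.SigStatus), now $($c.SigStatus))" }
    }
    elseif ($b.Signer -ne $c.Signer) {
        [pscustomobject]@{ Path = $c.Path; Finding = "Signer changed: '$($b.Signer)' -> '$($c.Signer)'" }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { Write-Host 'No executable tampering detected.' }
```

Run it once to write the baseline, then on a schedule (or from an EDR custom-script task) to diff against it. The `HashMismatch` check works even without a baseline, which makes it useful on hosts you are seeing for the first time; the baseline comparison additionally catches a tampered binary that was re-signed with a different certificate or had its signature stripped, since the hash and signer fields change while the status alone might not look alarming.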

Final takeaway

The emergence of a more capable EDR-killer highlights a growing collaboration among ransomware groups and the weaponization of legitimate tools. Organizations should harden endpoint configurations, enforce privilege controls, and invest in behavior-focused detection to stay ahead of antivirus-bypassing threats.

Source: techradar
