Mastouille

0 message0 participant0 message aujourd’hui

ESET Research<a href="https://infosec.exchange/tags/ESETresearch" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ESETresearch</a> discovered previously unknown links between the <a href="https://infosec.exchange/tags/RansomHub" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RansomHub</a>, <a href="https://infosec.exchange/tags/Medusa" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Medusa</a>, <a href="https://infosec.exchange/tags/BianLian" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BianLian</a>, and <a href="https://infosec.exchange/tags/Play" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Play</a> ransomware gangs, and leveraged <a href="https://infosec.exchange/tags/EDRKillShifter" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDRKillShifter</a> to learn more about RansomHub’s affiliates. @SCrow357 <a href="https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/</a> RansomHub emerged in February 2024 and in just three months reached the top of the ransomware ladder, recruiting affiliates from disrupted <a href="https://infosec.exchange/tags/LockBit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LockBit</a> and <a href="https://infosec.exchange/tags/BlackCat" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BlackCat</a>. Since then, it dominated the ransomware world, showing similar growth as LockBit once did. Previously linked to North Korea-aligned group <a href="https://infosec.exchange/tags/Andariel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Andariel</a>, Play strictly denies operating as <a href="https://infosec.exchange/tags/RaaS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RaaS</a>. We found its members utilized RansomHub’s EDR killer EDRKillShifter, multiple times during their intrusions, meaning some members likely became RansomHub affiliates. BianLian focuses on extortion-only attacks and does not publicly recruit new affiliates. Its access to EDRKillShifter suggests a similar approach as Play – having trusted members, who are not limited to working only with them. Medusa, same as RansomHub, is a typical RaaS gang, actively recruiting new affiliates. Since it is common knowledge that affiliates of such RaaS groups often work for multiple operators, this connection is to be expected. Our blogpost also emphasizes the growing threat of EDR killers. We observed an increase in the number of such tools, while the set of abused drivers remains quite small. Gangs such as RansomHub and <a href="https://infosec.exchange/tags/Embargo" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Embargo</a> offer their killers as part of the affiliate program. IoCs available on our GitHub: <a href="https://github.com/eset/malware-ioc/tree/master/ransomhub" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/eset/malware-ioc/tree/master/ransomhub</a>

Hygiène2SurfNouvelle technique de piratage qui utilise les outils d’accessibilité Windows pour échapper aux antivirus <a href="https://whiteandhack.wordpress.com/2024/12/13/nouvelle-technique-de-piratage-qui-utilise-les-outils-daccessibilite-windows-pour-echapper-aux-antivirus/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://whiteandhack.wordpress.com/2024/12/13/nouvelle-technique-de-piratage-qui-utilise-les-outils-daccessibilite-windows-pour-echapper-aux-antivirus/</a> <a href="https://mastodon.social/tags/Antivirus" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Antivirus</a>, <a href="https://mastodon.social/tags/EDRKillShifter" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDRKillShifter</a>, <a href="https://mastodon.social/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Malware</a>, <a href="https://mastodon.social/tags/Piratage" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Piratage</a>, <a href="https://mastodon.social/tags/Ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ransomware</a>, <a href="https://mastodon.social/tags/Technique" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Technique</a>, <a href="https://mastodon.social/tags/Windows" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Windows</a>

Sophos X-OpsWhile the <a href="https://infosec.exchange/tags/EDRKillShifter" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDRKillShifter</a> tool failed to work on machines in the field protected by our software, we did manage to get it to successfully run in a lab environment by disabling the tamper protection for Sophos endpoint protection tools. Only with tamper protection disabled was this tool able to kill a process we protected. 6/

Sophos X-OpsThe two drivers we've seen abused are known in the industry as <a href="https://infosec.exchange/tags/BYOVD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BYOVD</a> payloads. One is a file called RentDrv2 (hosted on <a href="https://github.com/keowu/BadRentdrv2" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/keowu/BadRentdrv2</a>) and the other is named ThreatFireMonitor (also on Github, with a proof of concept at <a href="https://github.com/BlackSnufkin/BYOVD/tree/main/TfSysMon-Killer" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/BlackSnufkin/BYOVD/tree/main/TfSysMon-Killer</a>). No matter which driver gets used, <a href="https://infosec.exchange/tags/EDRKillShifter" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDRKillShifter</a> writes them out to the %temp% directory using a random 10-digit filename. 5/

Sophos X-OpsAs it executes, <a href="https://infosec.exchange/tags/EDRKillShifter" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDRKillShifter</a> loads an embedded, encrypted resource into memory. That code extracts the next layer of tool, the abusable <a href="https://infosec.exchange/tags/BYOVD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BYOVD</a> driver and a <a href="https://infosec.exchange/tags/Go" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Go</a> binary. It uses a SHA-256 hash of the initial password (used to execute the tool) as a decryption key for these second-layer payloads. 4/

Sophos X-OpsThe <a href="https://infosec.exchange/tags/EDRKillShifter" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDRKillShifter</a> utility is a <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> loader designed to deploy one of several different exploitable, legitimate <a href="https://infosec.exchange/tags/BYOVD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BYOVD</a> drivers and abuse them to kill a wide range of endpoint protection. We've observed it used in a few recent incidents, so we wanted to spotlight how it works. 2/

Sophos X-OpsWhen the threat actors behind the RansomHub <a href="https://infosec.exchange/tags/ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ransomware</a> want to attack a target, they go to some lengths to prevent EDR or endpoint protection software from ruining their day. The latest blog from <a href="https://infosec.exchange/tags/Sophos" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Sophos</a> <a href="https://infosec.exchange/tags/XOps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#XOps</a> investigates how they do that, using a tool we call <a href="https://infosec.exchange/tags/EDRKillShifter" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDRKillShifter</a> <a href="https://news.sophos.com/en-us/edr-kill-shifter/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://news.sophos.com/en-us/edr-kill-shifter/</a>

Recherches récentes

Options de recherche

Administré par :

Statistiques du serveur :

#edrkillshifter