Shared secret EDR killer in the kill chain
In today’s multi-stage attacks, neutralizing endpoint security solutions is a critical step that allows threat actors to operate undetected. Since 2022, we’ve seen an increase in the sophistication of malware designed to disable EDR systems on an infected system.
Some of these tools are developed by ransomware groups. Others are purchased from underground marketplaces – evidence of this was found in the leaked chat logs of the Black Basta group. In many cases, packer-as-a-service offerings such as HeartCrypt are used to obfuscate the tools.
EDRKillShifter was created by the RansomHub group and later made obsolete by a new tool, which will be detailed in this post. In addition, we’ll look at the evidence for tool sharing and technical knowledge transfer among ransomware groups using different builds of the described tool.