RansomHub, a notorious cybercrime group, has recently begun using a new piece of malicious software to target devices and bypass their security measures. The tool, known as EDRKillShifter, was identified by Sophos researchers following an attempted attack in May 2024.
EDRKillShifter is a loader that implements the Bring Your Own Vulnerable Driver (BYOVD) technique: it installs a legitimately signed but vulnerable driver and abuses it to escalate privileges, disable security safeguards, and gain full control of the targeted system.
Sophos researchers uncovered two variants of EDRKillShifter, both built on publicly available proof-of-concept (PoC) code from GitHub. One exploits the vulnerable RentDrv2 driver; the other targets the ThreatFireMonitor driver, a component of an outdated system-monitoring tool. The loader can deliver different drivers depending on the attackers' needs.
Deployment of EDRKillShifter proceeds in three stages. First, the attacker runs the binary with a decryption password; the binary then unpacks and executes an embedded BIN resource in memory; that payload finally loads the vulnerable driver, which is used to escalate privileges, terminate running security processes, and evade detection by EDR systems.
Once the vulnerable driver is loaded, EDRKillShifter creates a new service for it, starts the service, and then continuously monitors running processes. Any process whose name matches an encrypted, built-in list of targets is terminated, and the check runs in a continuous loop.
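A defender-side check for the install-load-kill sequence described above, written as an added example for this article rather than as Sophos's own detection logic. It runs over constructed, simplified Sysmon-style event records; the driver file names, the security-process names, and the windowed kill threshold are assumptions.

```python
"""Flag the BYOVD pattern described above: a service created for a known-vulnerable
driver, the driver being loaded, then a burst of security-process terminations.
Event records are constructed, simplified Sysmon-style dicts, not real telemetry."""

# Driver file names assumed for the two drivers the article names.
VULNERABLE_DRIVERS = {"rentdrv2.sys", "threatfiremonitor.sys"}
# Security-tool process names assumed for the sample; map these to your own EDR.
SECURITY_PROCESSES = {"msmpeng.exe", "sophoshealth.exe", "edr_agent.exe"}
KILL_THRESHOLD = 3    # this many security-process terminations ...
WINDOW_SECONDS = 60   # ... within this window produce a finding


def analyze(events):
    """Return (timestamp, description) findings, in time order."""
    findings = []
    kills = []  # timestamps of recent security-process terminations
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, image = ev["type"], ev["image"].lower()
        if kind in ("ServiceInstall", "DriverLoad"):
            driver = image.rsplit("\\", 1)[-1]  # file name only
            if driver in VULNERABLE_DRIVERS:
                findings.append((ev["ts"], f"{kind}: known-vulnerable driver {driver}"))
        elif kind == "ProcessTerminate" and image in SECURITY_PROCESSES:
            # keep only kills inside the sliding window, then add this one
            kills = [t for t in kills if ev["ts"] - t <= WINDOW_SECONDS] + [ev["ts"]]
            if len(kills) == KILL_THRESHOLD:  # fires once per burst
                findings.append((ev["ts"], f"{KILL_THRESHOLD} security processes "
                                           f"killed within {WINDOW_SECONDS}s"))
    return findings


SAMPLE_EVENTS = [  # constructed sample, not captured data
    {"ts": 100, "type": "ServiceInstall", "image": r"C:\Windows\Temp\RentDrv2.sys"},
    {"ts": 101, "type": "DriverLoad", "image": r"C:\Windows\Temp\RentDrv2.sys"},
    {"ts": 102, "type": "ProcessTerminate", "image": "MsMpEng.exe"},
    {"ts": 103, "type": "ProcessTerminate", "image": "SophosHealth.exe"},
    {"ts": 104, "type": "ProcessTerminate", "image": "edr_agent.exe"},
    {"ts": 500, "type": "ProcessTerminate", "image": "notepad.exe"},
    {"ts": 600, "type": "DriverLoad", "image": r"C:\Windows\System32\drivers\disk.sys"},
]

if __name__ == "__main__":
    for ts, msg in analyze(SAMPLE_EVENTS):
        print(ts, msg)
```

The sample produces three findings: the service install and the driver load of the vulnerable driver, and the burst of three security-process kills; the benign kill and the legitimate driver load are ignored.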
Sophos recommends enabling self-protection (anti-tampering) features in security products, enforcing separation between user and administrator roles so that vulnerable drivers cannot be loaded, and keeping systems up to date. Microsoft regularly revokes the certificates of signed drivers that have been abused in past attacks, which underlines the importance of applying security updates promptly.