EDR
Qilin Ransomware Uses Malicious DLL to Kill Almost Every Vendor’s EDR Solutions
Qilin ransomware group is deploying a sophisticated, multi-stage infection chain via a malicious msimg32.dll that can disable over 300 endpoint detection and response (EDR) drivers from virtually every major security vendor. As organizations increasingly rely on EDR solutions, which offer far greater behavioral visibility than legacy antivirus, threat actors have adapted by weaponizing EDR killers as a […]
New ‘BlackSanta’ EDR killer spotted targeting HR departments
For more than a year, a Russian-speaking threat actor targeted human resource (HR) departments with malware that delivers a new EDR killer named BlackSanta. Described as “sophisticated,” the campaign mixes social engineering with advanced evasion techniques to steal sensitive information from compromised systems. It is unclear how the attack begins, but researchers at Aryaka, a network […]
New ‘Zombie ZIP’ technique lets malware slip past security tools
A new technique dubbed “Zombie ZIP” helps conceal payloads in compressed files specially created to avoid detection from security solutions such as antivirus and endpoint detection and response (EDR) products. Trying to extract the files with standard utilities like WinRAR or 7-Zip results in errors or corrupted data. The technique works by manipulating ZIP headers to trick parsing engines into […]
EDR killer tool uses signed kernel driver from forensic software
Hackers are abusing a legitimate but long-revoked EnCase kernel driver in an EDR killer that can detect 59 security tools in attempts to deactivate them. An EDR killer is a malicious tool created specifically to bypass or disable endpoint detection and response (EDR) tools, along with other security solutions. They typically use vulnerable drivers to unhook […]
eScan confirms update server breached to push malicious update
MicroWorld Technologies, the maker of the eScan antivirus product, has confirmed that one of its update servers was breached and used to distribute an unauthorized update later analyzed as malicious to a small subset of customers earlier this month. The file was delivered to customers who downloaded updates from the regional update cluster during a […]
Ransomware IAB abuses EDR for stealthy malware execution
An initial access broker tracked as Storm-0249 is abusing endpoint detection and response solutions and trusted Microsoft Windows utilities to load malware, establish communication, and persistence in preparation for ransomware attacks. The threat actor has moved beyond mass phishing and adopted stealthier, more advanced methods that prove effective and difficult for defenders to counter, even if well documented. In […]
Ransomware gangs turn to Shanya EXE packer to hide EDR killers
Multiple ransomware gangs are using a packer-as-a-service platform named Shanya to help them deploy payloads that disable endpoint detection and response solutions on victim systems. Packer services provide cybercriminals with specialized tools to package their payloads in a way that obfuscates malicious code to evade detection by most known security tools and antivirus engines. The Shanya packer […]
New EDR-Freeze tool uses Windows WER to suspend security software
A new method and proof-of-concept tool called EDR-Freeze demonstrates that evading security solutions is possible from user mode with Microsoft’s Windows Error Reporting (WER) system. The technique eliminates the need of a vulnerable driver and puts security agents like endpoint detection and response (EDR) tools into a state of hibernation. By using the WER framework together […]
Elastic rejects claims of a zero-day RCE flaw in Defend EDR
Enterprise search and security company Elastic is rejecting reports of a zero-day vulnerability impacting its Defend endpoint detection and response (EDR) product. The company’s statement follows a blog post from a company called AshES Cybersecurity claiming to have discovered a remote code execution (RCE) flaw in Elastic Defend that would allow an attacker to bypass EDR protections. Elastic’s […]
New EDR killer tool used by eight different ransomware groups
A new Endpoint Detection and Response (EDR) killer that is considered to be the evolution of ‘EDRKillShifter,’ developed by RansomHub, has been observed in attacks by eight different ransomware gangs. Such tools help ransomware operators turn off security products on breached systems so they can deploy payloads, escalate privileges, attempt lateral movement, and ultimately encrypt devices on […]