54 EDR Killers Use BYOVD to Exploit 34 Vulnerable Signed Drivers and Disable Security

A new analysis of endpoint detection and response (EDR) killers has found that 54 of them use a technique known as bring your own vulnerable driver (BYOVD), exploiting a total of 34 vulnerable signed drivers between them.
EDR killers have become a common fixture of ransomware attacks because they give attackers a way to disable security software before deploying the file-encrypting payload, so that the encryptor itself is less likely to be detected.
“Ransomware gangs, especially those with ransomware-as-a-service (RaaS) systems, often produce new builds for their authors, and ensuring that new builds are reliably undetectable can be time-consuming,” said ESET researcher Jakub Souček in a report shared with The Hacker News.
“More importantly, encryptors are inherently very noisy (as they naturally need to change a large number of files in a short time); making such malware invisible is a challenge.”
EDR killers act as a separate, external component used to disable security controls before the locker itself is launched, which keeps the locker simple, stable, and easy to rebuild. That is not to say there have been no cases where the EDR-termination and ransomware modules were bundled into a single binary; Reynolds ransomware is one example.
Most EDR killers rely on legitimate but vulnerable drivers to gain kernel privileges and achieve their goals. Of the nearly 90 EDR-killing tools catalogued by the Slovak cybersecurity company, more than half use the BYOVD tactic, which is popular simply because it is reliable.
“The purpose of the BYOVD attack is to gain privileges in kernel mode, often called Ring 0,” Bitdefender explained. “At this level, the code has unrestricted access to system memory and hardware. Since an attacker cannot load an unregistered malicious driver, he ‘delivers’ a driver signed by a reputable vendor (such as a hardware manufacturer or an old version of antivirus) with a known vulnerability.”
Armed with kernel access, threat actors can terminate EDR processes, disable security tools, tamper with kernel execution, and undermine endpoint protection. The net effect is an abuse of Microsoft's driver trust model: the vulnerable driver is legitimate and carries a valid signature, so the operating system loads it without complaint.
BYOVD-based EDR killers are developed primarily by three kinds of threat actor:
- Closed ransomware groups, such as DeadLock and Warlock, that do not rely on affiliates
- Attackers who take existing proof-of-concept code and modify it (e.g., SmilingKiller and TfSysMon-Killer)
- Cybercriminals who sell such tools as a service on underground markets (e.g., DemoKiller aka Бафомет, ABYSWORKER, and CardSpaceKiller)
ESET said it also identified script-based tools that use built-in administrative commands such as taskkill, net stop, or sc delete to disrupt the processes and services of security products. A variant of this approach combines such scripts with Windows Safe Mode.
“Since Safe Mode only loads a small set of operating system components, and security solutions are usually not loaded, malware has a high chance of disabling protection,” the company notes. “At the same time, such an approach is very noisy, as it requires a restart, which is dangerous and unreliable in unfamiliar environments. Therefore, it is only rarely seen in the wild.”
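The script-based killers described above leave a clear trail in process-creation telemetry, because the commands they run (taskkill, net stop, sc config, and the bcdedit safeboot switch used for the Safe Mode variant) are ordinary administrative tools with recognisable arguments. The following detection logic is an added example and not code from ESET or the article; it runs over constructed Sysmon Event ID 1 style command lines, and the watchlist of process and service names contains only the Microsoft Defender names (MsMpEng.exe, MsSense.exe, WinDefend, Sense) as an assumption to be extended for the EDR actually deployed.

```python
import shlex

# Constructed watchlist of security-product process and service names. Only the
# Microsoft Defender names are given here; extend it with the names of whatever
# EDR is deployed in your environment.
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe"}
SECURITY_SERVICES = {"windefend", "sense"}

# Constructed process-creation command lines (Sysmon Event ID 1 style). The
# first four mimic script-based EDR killers; the last two are benign noise.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\taskkill.exe /F /IM MsMpEng.exe",
    r'"C:\Windows\System32\net.exe" stop WinDefend',
    r"C:\Windows\System32\sc.exe config Sense start= disabled",
    r"C:\Windows\System32\bcdedit.exe /set {current} safeboot minimal",
    r"C:\Windows\System32\taskkill.exe /F /IM notepad.exe",
    r"C:\Windows\System32\sc.exe query WinDefend",
]


def _tokens(cmdline):
    """Split a Windows command line without treating backslashes as escapes."""
    try:
        toks = shlex.split(cmdline, posix=False)
    except ValueError:
        toks = cmdline.split()
    return [t.strip('"').lower() for t in toks]


def _exe_name(token):
    """Basename of the image path with the .exe suffix removed."""
    name = token.replace("\\", "/").rsplit("/", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def classify(cmdline):
    """Return the EDR-killer techniques a single command line matches."""
    toks = _tokens(cmdline)
    if not toks:
        return []
    exe, args = _exe_name(toks[0]), toks[1:]
    tags = set()

    if exe == "taskkill":
        # taskkill /F /IM <security process>
        for i, t in enumerate(args):
            if t == "/im" and i + 1 < len(args) and args[i + 1] in SECURITY_PROCESSES:
                tags.add("kill-security-process")

    elif exe in ("net", "net1"):
        # net stop <security service>
        if len(args) >= 2 and args[0] == "stop" and args[1] in SECURITY_SERVICES:
            tags.add("stop-security-service")

    elif exe == "sc":
        # sc stop|delete|config <security service> ...
        if len(args) >= 2 and args[0] in ("stop", "delete", "config") and args[1] in SECURITY_SERVICES:
            tags.add("tamper-security-service")

    elif exe == "bcdedit":
        # bcdedit /set {current} safeboot minimal|network: the Safe Mode pivot
        if "/set" in args and "safeboot" in args:
            tags.add("safe-mode-pivot")

    return sorted(tags)


def scan(events):
    """Return (index, tags) for every event that matches at least one technique."""
    hits = []
    for i, cmdline in enumerate(events):
        tags = classify(cmdline)
        if tags:
            hits.append((i, tags))
    return hits


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(tags)} :: {SAMPLE_EVENTS[idx]}")
```

The benign taskkill and sc query lines are deliberately included: matching on the tool name alone would page on every administrator, so the rules key on the target being a security-product process or service, or on the safeboot switch, which almost never appears in legitimate automation.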
A third category of EDR killers abuses legitimate anti-rootkit utilities such as GMER, HRSword, and PC Hunter, which offer a user interface for terminating protected processes or services. A fourth, emerging category consists of driverless EDR killers such as EDRSilencer and EDR-Freeze, which respectively block the EDR's outbound network traffic or put its processes into a suspended, "sleep"-like state.
“Attackers don’t put much effort into making their authors invisible,” ESET said. “Instead, all the sophisticated evasion methods have shifted to the user-mode components of EDR killers. This trend is most evident in commercial EDR killers, which often include advanced analytics and anti-detection capabilities.”

Blocking commonly abused drivers from loading is a necessary defense against ransomware and EDR killers. However, because EDR killers run only at the last stage, immediately before the encryptor is launched, a failure at that point simply prompts the threat actor to switch to another tool that accomplishes the same task.
The implication is that organizations need layered defenses and detection strategies that monitor, flag, contain, and remediate a threat at every stage of the attack lifecycle.
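Because a BYOVD driver carries a valid vendor signature, "is it signed?" is the wrong question for driver-load telemetry; the useful checks are whether the file hash is on a vulnerable-driver blocklist and whether the driver arrived from somewhere other than the normal driver directories. The following is an added example, not code from ESET or the article: it evaluates constructed driver-load events in the shape of Sysmon Event ID 6 (ImageLoaded, Hashes, Signed, Signature, SignatureStatus). The blocklist holds a single SHA-256 of a made-up byte string rather than any real driver; in practice it would be populated from Microsoft's vulnerable driver blocklist or the LOLDrivers feed, and the vendor name "Example Hardware Vendor Ltd" is a placeholder.

```python
import hashlib
import re

# Constructed blocklist. In production populate this from Microsoft's
# vulnerable driver blocklist or the LOLDrivers feed; the hash below is the
# SHA-256 of a made-up byte string, not of any real driver.
VULNERABLE_DRIVER_SHA256 = {
    hashlib.sha256(b"constructed-vulnerable-driver-bytes").hexdigest(),
}

# Directories drivers are normally loaded from (lower-cased, forward slashes).
_EXPECTED_DRIVER_DIRS = re.compile(r"^[a-z]:/windows/system32/(drivers|driverstore)/")

# Constructed driver-load events in the shape of Sysmon Event ID 6 (DriverLoad).
SAMPLE_DRIVER_EVENTS = [
    {   # normal Windows driver: Microsoft-signed, loaded from the drivers directory
        "ImageLoaded": r"C:\Windows\System32\drivers\acpi.sys",
        "Hashes": "SHA256=" + hashlib.sha256(b"constructed-acpi-bytes").hexdigest(),
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # BYOVD pattern: valid third-party signature, known-vulnerable hash,
        # dropped into a user-writable path (vendor name is a placeholder)
        "ImageLoaded": r"C:\Users\Public\drv.sys",
        "Hashes": "SHA256=" + hashlib.sha256(b"constructed-vulnerable-driver-bytes").hexdigest()
                  + ",IMPHASH=00000000000000000000000000000000",
        "Signed": "true", "Signature": "Example Hardware Vendor Ltd", "SignatureStatus": "Valid",
    },
    {   # unsigned driver loaded from a temp directory
        "ImageLoaded": r"C:\Windows\Temp\x.sys",
        "Hashes": "SHA256=" + hashlib.sha256(b"constructed-unsigned-bytes").hexdigest(),
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
]


def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,IMPHASH=...' field into a dict keyed by algorithm."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def assess_driver_load(event, blocklist):
    """Return the list of reasons a driver-load event is suspicious (empty if none)."""
    reasons = []
    # 1. Known-vulnerable hash: fires even when the signature is perfectly valid,
    #    which is exactly the BYOVD case.
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 and sha256 in blocklist:
        reasons.append("hash-in-vulnerable-driver-blocklist")
    # 2. Signature missing or not valid.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("signature-not-valid")
    # 3. Loaded from outside the directories the OS normally installs drivers into.
    path = event.get("ImageLoaded", "").lower().replace("\\", "/")
    if not _EXPECTED_DRIVER_DIRS.match(path):
        reasons.append("loaded-outside-driver-directories")
    return reasons


def scan_driver_loads(events, blocklist):
    """Return (image path, reasons) for every event with at least one finding."""
    hits = []
    for ev in events:
        reasons = assess_driver_load(ev, blocklist)
        if reasons:
            hits.append((ev["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in scan_driver_loads(SAMPLE_DRIVER_EVENTS, VULNERABLE_DRIVER_SHA256):
        print(f"{image}: {', '.join(reasons)}")
```

The second sample event is the one that matters: its signature is valid and it would pass any "signed drivers only" policy, yet the hash match and the drop location both flag it. Hash matching is also the only one of the three checks that survives an attacker renaming the file, which is why the blocklist, not the filename, should be the primary indicator.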
“EDR killers endure because they are cheap, flexible, and isolated from the encryptor – a perfect fit for both encryptor developers, who don’t need to focus on making their encryptors invisible, and affiliates, who have an easy-to-use, powerful system to compromise defenses before encryption,” ESET said.