In right this moment’s multi-stage assaults, neutralizing endpoint safety options is a crucial step within the course of, permitting menace actors to function undetected. Since 2022, we’ve seen a rise within the sophistication of malware designed to disable EDR programs on an contaminated system.
A few of these instruments are developed by ransomware teams. Others are bought from underground marketplaces – proof of this was discovered within the leaked chat logs of the Black Basta group. In lots of circumstances, packer-as-a-service choices equivalent to HeartCrypt are used to obfuscate the instruments.
EDRKillShifter was created by the RansomHub group and later made out of date by a brand new device, which will probably be detailed on this publish. As well as, we’ll take a look at the proof for device sharing and technical data switch amongst ransomware teams utilizing completely different builds of the described device.
AVKiller
We’ll focus first on one particular payload, an AV killer device, discovered among the many 1000’s of payloads within the HeartCrypt packed samples. In a number of circumstances, the detection of this device occurred throughout an ongoing ransomware assault. Different defenders have seen proof of this device, notably Cylerian, as proven in Determine 1. There’s doable proof of an early model detailed in a Palo Alto Networks publish from January 2024.
Determine 1: Cylerian notes exercise attributable to the device in query
In a single specific instance we noticed the EDR killer file uA8s.exe (SHA-1: 2bc75023f6a4c50b21eb54d1394a7b8417608728) was created by inserting malicious content material into the Clipboard Examine device in Past Examine, a legit utility from Scooter Software program. (We alerted Scooter Software program to the abuse previous to publication of this publish, and so they confirmed to us that their installer, executables, and DLL are all code-signed.) The loader code was injected close to the entry level, and the malicious payload and extra loader parts had been inserted as assets. Upon execution, the payload decodes itself – it’s, in actual fact, a closely protected executable. The substantial safety on the executable is amongst 5 vital traits we famous about it:
- The code is closely protected.
- It seems for a driver with a five-letter random identify.
- The motive force is signed with a compromised certificates.
- It targets a number of safety distributors.
- The checklist of targets varies amongst samples.
The reminiscence dump reveals the executable to be an AV killer, which on this particular case targets Sophos merchandise.
Determine 2: An excerpt from the reminiscence dump, displaying Sophos merchandise being focused
There are numerous completely different variations of this device. The precise checklist of focused safety merchandise varies extensively between them — typically just one or two are particularly focused, different occasions a bigger checklist:
Determine 3: An additional excerpt from the reminiscence dump, displaying different merchandise the device targets
It additionally makes an attempt to kill processes equivalent to MsMpEng.exe, SophosHealth.exe, SAVService.exe, and sophosui.exe:
Determine 4: An inventory of processes focused by the device
We famous a protracted checklist of safety merchandise focused by one or one other model of the killer:
- Bitdefender
- Cylance
- Fset
- F-Safe
- Fortinet
- HitManPro
- Kaspersky
- McAfee
- Microsoft
- SentinelOne
- Sophos
- Symantec
- Development Micro
- Webroot
The file searches for a driver file mraml.sys (the one we noticed had a hash of SHA-1: 21a9ca6028992828c9c360d752cb033603a2fd93). When it finds it, it masses the motive force and terminates the processes and companies from the goal checklist. The identify of the SYS file is hardcoded into the executable. It’s apparently random and completely different in every pattern.
Determine 5: Capabilities within the device
If the sys file is just not current, the executable file doesn’t proceed and throws the error “Did not get gadget”, however creates a service named mraml.exe. The service identify appears to be depending on the motive force file.
The sys file that we recovered has faux file model data. It pretends to be a CrowdStrike Falcon Sensor Driver, however the file is signed by Changsha Hengxiang Data Expertise Co., Ltd. The signer is abused, as proven in Figures 6 and seven.
Determine 6: The small print of the digital signature reveals that it’s identified to be abused (and revoked)
Determine 7: The certificates is revoked and has not been legitimate since 2016
The drivers signed by this certificates had been referred to as out on X earlier this yr and tagged as ransomware-related, as proven in Determine 8.
Determine 8: The @threatintel tweet figuring out the drivers as unhealthy
The newest variant of the killer makes use of a distinct signature on the motive force file, this time from Fuzhou Dingxin Commerce Co., Ltd. This certificates can be expired, as proven in Determine 9.
Determine 9: Signing data on the Fuzhou Dingxin Commerce certificates, invalid since 2012
Information utilizing the identical signature, nearly all of them from China or Hong Kong, had been all malicious and submitted to VirusTotal between December 2024 and March 2025.
Ransomware connection
The HeartCrypt-packed EDR killer instruments had been noticed for use in ransomware assaults. The truth is, a number of ransomware households had been sighted along with the killer.
Typical use case
In a typical assault situation, we noticed the tried execution of the HeartCrypt-packed dropper. It might drop a closely protected EDR killer executable, which in flip load a driver signed by a compromised signature.
The execution try is often blocked with one of many Mal/HCrypt- , Troj/HCrypt- , or Mal/Isher-Gen generic static detections. In different circumstances, our dynamic safety mitigations, equivalent to SysCall, DynamicShellcode, or HollowProcess, block the execution.
Malware identify: Mal/HCrypt-A
Title: c:customers{}desktopvp4n.exe
"sha256" : "c793304fabb09bb631610f17097b2420ee0209bab87bb2e6811d24b252a1b05d",
Moreover, we noticed that the EDR killer executable tried to load the coupled driver:
Malware identify: Mal/Isher-Gen
Title: c:customers{}desktopzsogd.sys
Shortly after the EDR killer try, we noticed the next ransomware alert:
Mitigation CryptoGuard V5 Coverage CryptoGuard Timestamp 2025-01-20T11:59:18 Path: C:FoPefI.ex Hash: e1ed281c521ad72484c7e5e74e50572b48ea945543c6bcbd480f698c2812cdfe Ransom be aware: README_0416f0.txt Appended file extension: .0416f0
The method hint:
1 C:FoPefI.exe [64500]
C:FoPefI.exe -only-local -pass b65{redacted}a64
2 C:WindowsSystem32services.exe [1004] *
3 C:WindowsSystem32wininit.exe [900] *
wininit.exe
The ransomware on this case was RansomHub.
Now we have noticed the identical sequence of occasions (EDR Killer -> ransomware) with the next ransomware households:
- Blacksuit
- RansomHug
- Medusa
- Qilin
- Dragonforce
- Crytox
- Lynx
- INC
…which is a formidable checklist of competing menace actor teams.
MedusaLocker
This was a very attention-grabbing case price particular point out, as a result of we expect the menace actor used a zero-day RCE in SimpleHelp to realize preliminary entry.
Right here we see a DynamicShellcode alert:
Mitigation DynamicShellcode Coverage HeapHeapHooray Timestamp 2025-01-22T09:53:42 Title: Setup/Uninstall Path: c:temp6Vwq.exe SHA-256 43cd3f8675e25816619f77b047ea5205b6491137c5b77cce058533a07bdc9f98 SHA-1 d58dade6ea03af145d29d896f56b2063e2b078a4 MD5 b59d7c331e96be96bcfa2633b5f32f2c
The method hint revealed that the malicious killer was executed from the JWrapper-Distant Entry element of SimpleHelp:
1 C:temp6Vwq.exe [13296] 2 C:WindowsSystem32cmd.exe [16536] * cmd.exe /c begin c:temp6Vwq.exe 3 C:ProgramDataJWrapper-Distant AccessJWrapper-Windows64JRE-00000000000-completebinRemote Entry.exe [7864] * "C:ProgramDataJWrapper-Distant AccessJWrapper-Windows64JRE-00000000000-completebinRemote Entry.exe" "-cp" "C:ProgramDataJWrapper-Distant AccessJWrapper-Distant Entry-00056451424-completecustomer.jar;C:ProgramDataJWrapper-Distant AccessJWrapper-Re
The method hint signifies that the preliminary an infection may very well be associated to the zero-day RCE exploits mentioned by Horizon3.al in January 2025.
The SHA256 hash within the DynamicShellcode alert proven above, 43cd3f8675e25816619f77b047ea5205b6491137c5b77cce058533a07bdc9f98, was later discovered on VT. It’s full of HeartCrypt. The extracted payload has the hash: a44aa98dd837010265e4af1782b57989de07949f0c704a6325f75af956cc85de.
We noticed the identical AV Killer once more. It particularly targets merchandise from six corporations: Eset, Symantec, Sophos, HitManPro, Webroot, and Kaspersky. This was adopted by way of a file beforehand recognized as Medusa ransomware:
2025-01-22 10:04:12 Mal/Medusa-C/Home windows/Temp/MilanoSoftware.exe "hash": "3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da",
INC
A June 2025 case was of particular curiosity, as a result of the EDR killer was seen utilizing an extra layer of packing. This extra layer seems like an up to date model of the packer we described in our Impersonators paper finally yr’s Virus Bulletin convention. On this case, the menace actor used two completely different packers as a service providing for layered safety.
CryptoGuard flagged the ransomware:
Mitigation CryptoGuard V5 Coverage CryptoGuard Timestamp 2025-06-04T04:13:52 Ransom be aware: README.txt
It was recognized as INC ransomware:
Malware identify: Troj/Inc-Gen Beacon time: 2025-06-04T04:32:33.000Z Title: c:programdata1.exe "sha256" : "e5e418da909f73050b0b38676f93ca8f0551981894e2120fb50e8f03f4e2df4f",
Earlier than that time, we noticed execution makes an attempt by the EDR killer:
Mitigation HollowProcess Coverage HollowProcessGuard Timestamp 2025-06-03T21:11:12 Title: AVG Dump Course of 25.5.10141.0 Path: C:ProgramDataCSd2.exe Hash: ce1ba2a584c7940e499194972e1bd6f829ffbae2ecf2148cdb03ceeca906d151 bd6f829ffbae2ecf2148cdb03ceeca906d151
Right here, the killer masses the motive force:
"path" : "c:programdatanoedt.sys", "sha256" : "6fc26e8ac9c44a8e461a18b20929f345f8cfc86e9a454eae3509084cf6ece3be",
The file (ce1ba2a584c7940e499194972e1bd6f829ffbae2ecf2148cdb03ceeca906d151) had the payload saved as a useful resource, with XOR encryption.
The extracted payload was a file with SHA256 worth 61557a55ad40b8c40f363c4760033ef3f4178bf92ce0db657003e718dffd25bd that had embedded executables, one in all them being 597d4011deb4f08540e10d1419b5cbdfb38506ed53a5c0ccfb12f96c74f4a7a1, which turned out to be a HeartCrypt-packed EDR killer utilized in earlier INC ransomware incidents.
It masses the motive force noedt.sys (SHA256: 6fc26e8ac9c44a8e461a18b20929f345f8cfc86e9a454eae3509084cf6ece3be), which was additionally seen in an earlier INC incident.
Maybe essentially the most regarding facet of this investigation is the proof suggesting device sharing and technical data switch between competing ransomware teams (Ransomhub, Qilin, DragonForce, and INC, to call just some). Despite the fact that these teams are opponents and have completely different enterprise and affiliate fashions, there seems to be data/device leakage between them.
To be clear, it’s not {that a} single binary of the EDR killer leaked out and was shared between menace actors. As a substitute, every assault used a distinct construct of the proprietary device. As well as, all variants had been then full of the subscription-based HeartCrypt packer-as-a-service. This will due to this fact be at the least considerably coordinated. It might be that details about the provision and feasibility of utilizing HeartCrypt for this function was communicated in channels constructed for this sort of sharing — although maybe all these ransomware teams coincidentally selected to buy the exact same off-the-shelf EDR-killer.
Details about comparable sharing/leakage was not too long ago printed by Eset researchers, and our personal findings as detailed right here assist the identical conclusion. This means that the ransomware ecosystem is extra sophisticated than a group of competing and preventing ransomware teams – yet one more headache for defenders.
IOCs associated to this text can be found in our GitHub repository.
