EDR killer in the kill chain – Sophos News

This page was created programmatically; to read the article in its original location you can go to the link below:
https://news.sophos.com/en-us/2025/08/06/shared-secret-edr-killer-in-the-kill-chain/
and if you wish to remove this article from our site please contact us


In today's multi-stage attacks, neutralizing endpoint protection solutions is a critical step in the process, allowing threat actors to operate undetected. Since 2022, we have seen an increase in the sophistication of malware designed to disable EDR systems on an infected system.

Some of these tools are developed by ransomware groups. Others are purchased from underground marketplaces; evidence of this was found in the leaked chat logs of the Black Basta group. In many cases, packer-as-a-service offerings such as HeartCrypt are used to obfuscate the tools.

EDRKillShifter was created by the RansomHub group and later made obsolete by a new tool, which will be detailed in this post. In addition, we will look at the evidence for tool sharing and technical knowledge transfer among ransomware groups using different builds of the described tool.

AVKiller

We will focus first on one specific payload, an AV killer tool, found among the hundreds of payloads in the HeartCrypt-packed samples. In several cases, the detection of this tool occurred during an ongoing ransomware attack. Other defenders have seen evidence of this tool, notably Cylerian, as shown in Figure 1. There is possible evidence of an early version detailed in a Palo Alto Networks post from January 2024.

A screen capture of a description of tool activity; it reads "Host -- Defense Evasion -- Look for unusual service installations, especially of kernel drivers, in Windows logs. In this particular case, Cylerian identified a service name containing five random characters and the driver signed by "Changsha Hengxiang Information Technology Co., Ltd."."

Figure 1: Cylerian notes activity attributable to the tool in question

In one particular instance we observed the EDR killer file uA8s.exe (SHA-1: 2bc75023f6a4c50b21eb54d1394a7b8417608728) was created by inserting malicious content into the Clipboard Compare tool in Beyond Compare, a legitimate utility from Scooter Software. (We alerted Scooter Software to the abuse prior to publication of this post, and they confirmed to us that their installer, executables, and DLL are all code-signed.) The loader code was injected near the entry point, and the malicious payload and additional loader components were inserted as resources. Upon execution, the payload decodes itself; it is, in fact, a heavily protected executable. The substantial protection on the executable is among five key characteristics we noted about it:

  • The code is heavily protected.
  • It looks for a driver with a five-letter random name.
  • The driver is signed with a compromised certificate.
  • It targets multiple security vendors.
  • The list of targets varies among samples.

The memory dump reveals the executable to be an AV killer, which in this specific case targets Sophos products.


Figure 2: An excerpt from the memory dump, showing Sophos products being targeted

There are many different versions of this tool. The exact list of targeted security products varies widely between them; sometimes only one or two are specifically targeted, other times a larger list:


Figure 3: A further excerpt from the memory dump, showing other products the tool targets

It also attempts to kill processes such as MsMpEng.exe, SophosHealth.exe, SAVService.exe, and sophosui.exe:


Figure 4: A list of processes targeted by the tool

We noted a long list of security products targeted by one or another version of the killer:

  • Bitdefender
  • Cylance
  • Eset
  • F-Secure
  • Fortinet
  • HitManPro
  • Kaspersky
  • McAfee
  • Microsoft
  • SentinelOne
  • Sophos
  • Symantec
  • Trend Micro
  • Webroot

The file searches for a driver file mraml.sys (the one we observed had a hash of SHA-1: 21a9ca6028992828c9c360d752cb033603a2fd93). When it finds it, it loads the driver and terminates the processes and services from the target list. The name of the SYS file is hardcoded into the executable. It is apparently random and different in each sample.


Figure 5: Functions in the tool

If the sys file is not present, the executable does not proceed and throws the error "Failed to get device", but it does create a service named mraml.exe. The service name appears to be derived from the driver file name.
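As an added example, not code from the Sophos article or from Cylerian, here is triage logic a defender could run over service-installation records to surface the pattern described above and in Figure 1: a kernel driver registered from a user-writable path under a five-letter service name that matches the driver file stem. The record layout, the sample events and the user name are constructed; the driver names mraml.sys, zsogd.sys and noedt.sys and the desktop and ProgramData locations are the ones that appear in this article's alerts.

```python
"""Triage Windows service-installation records for EDR-killer style driver loads."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records (not real telemetry), flattened from the fields of a
# System log 7045 "service installed" event: ServiceName|ImagePath|ServiceType|StartType
SAMPLE_EVENTS = [
    "mraml|C:\\Users\\victim\\Desktop\\mraml.sys|kernel mode driver|demand start",
    "zsogd|c:\\users\\victim\\desktop\\zsogd.sys|kernel mode driver|demand start",
    "noedt|c:\\programdata\\noedt.sys|kernel mode driver|demand start",
    "Tcpip|C:\\Windows\\System32\\drivers\\tcpip.sys|kernel mode driver|boot start",
    "Spooler|C:\\Windows\\System32\\spoolsv.exe|user mode service|auto start",
]
DRIVERS_DIR = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|temp|windows\\temp)\\", re.I)
FIVE_LETTERS = re.compile(r"^[a-z]{5}$", re.I)  # length heuristic, not a randomness test

@dataclass
class Finding:
    service: str
    image_path: str
    reasons: List[str]  # severity grows with the number of reasons

def score_event(record: str) -> Optional[Finding]:
    """Return a Finding for a kernel driver registered from an unusual location, else None."""
    name, path, svc_type, _start = record.split("|")
    if "kernel" not in svc_type.lower():
        return None  # user-mode services are out of scope for this check
    if DRIVERS_DIR.match(path):
        return None  # drivers under System32\drivers are not flagged by this rule
    reasons = ["kernel driver registered outside System32\\drivers"]
    if USER_WRITABLE.match(path):
        reasons.append("driver image in a user-writable directory")
    if FIVE_LETTERS.match(name):
        reasons.append("five-letter service name")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if name.lower() == stem.lower():
        reasons.append("service name taken from the driver file name")
    return Finding(name, path, reasons)

def triage(records: List[str]) -> List[Finding]:
    """Score every record, keep the hits, most reasons first."""
    hits = [f for f in map(score_event, records) if f is not None]
    return sorted(hits, key=lambda f: len(f.reasons), reverse=True)

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[{len(hit.reasons)}] {hit.service}: {hit.image_path} -> {'; '.join(hit.reasons)}")
```

Against the constructed events, the three article-named drivers are returned with all four reasons while tcpip.sys and the user-mode Spooler service are not flagged.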

The sys file that we recovered has fake file version information. It pretends to be a CrowdStrike Falcon Sensor Driver, but the file is signed by Changsha Hengxiang Information Technology Co., Ltd. The signer is abused, as shown in Figures 6 and 7.

A screen capture showing that the signature under discussion has been revoked

Figure 6: The details of the digital signature show that it is known to be abused (and revoked)

A screen capture showing that the certificate has been revoked since 2016

Figure 7: The certificate is revoked and has not been valid since 2016

The drivers signed by this certificate were called out on X earlier this year and tagged as ransomware-related, as shown in Figure 8.

A screen capture showing a tweet from @threatintel. The last two tweets in the thread provide file hashes. The first tweet reads "Multiple new variants of a malicious driver that first surfaced in 2022 are circulating in the wild. The driver is used by attackers to attempt to disable security solutions."

Figure 8: The @threatintel tweet identifying the drivers as bad

The latest variant of the killer uses a different signature on the driver file, this time from Fuzhou Dingxin Trade Co., Ltd. This certificate is also expired, as shown in Figure 9.

Screen captures showing the signing information for the invalid Fuzhou Dingxin Trade certificate.

Figure 9: Signing information on the Fuzhou Dingxin Trade certificate, invalid since 2012

Files using the same signature, the majority of them from China or Hong Kong, were all malicious and were submitted to VirusTotal between December 2024 and March 2025.

Ransomware connection

The HeartCrypt-packed EDR killer tools were observed being used in ransomware attacks. In fact, several ransomware families were sighted together with the killer.

Typical use case

In a typical attack scenario, we observed the attempted execution of the HeartCrypt-packed dropper. It would drop a heavily protected EDR killer executable, which in turn loads a driver signed with a compromised signature.

The execution attempt is usually blocked with one of the Mal/HCrypt-, Troj/HCrypt-, or Mal/Isher-Gen generic static detections. In other cases, our dynamic protection mitigations, such as SysCall, DynamicShellcode, or HoleProcess, block the execution.

Malware name:    Mal/HCrypt-A
Name:     c:\users\{}\desktop\vp4n.exe
         "sha256" : "c793304fabb09bb631610f17097b2420ee0209bab87bb2e6811d24b252a1b05d",

Additionally, we observed that the EDR killer executable attempted to load the coupled driver:

Malware name:    Mal/Isher-Gen
Name:     c:\users\{}\desktop\zsogd.sys

Shortly after the EDR killer attempt, we observed the following ransomware alert:

Mitigation   CryptoGuard V5
Policy       CryptoGuard
Timestamp    2025-01-20T11:59:18
Path:           C:\FoPefI.exe
Hash:           e1ed281c521ad72484c7e5e74e50572b48ea945543c6bcbd480f698c2812cdfe
Ransom note:
README_0416f0.txt
Appended file extension:
.0416f0

The process trace:

1  C:\FoPefI.exe [64500]
   C:\FoPefI.exe -only-local -pass b65{redacted}a64
2  C:\Windows\System32\services.exe [1004] *
3  C:\Windows\System32\wininit.exe [900] *
   wininit.exe

The ransomware in this case was RansomHub.

We have observed the same sequence of events (EDR killer -> ransomware) with the following ransomware families:

  • Blacksuit
  • RansomHub
  • Medusa
  • Qilin
  • Dragonforce
  • Crytox
  • Lynx
  • INC

…which is an impressive list of competing threat actor groups.

MedusaLocker

This was a particularly interesting case worth special mention, because we think the threat actor used a zero-day RCE in SimpleHelp to gain initial access.

Here we see a DynamicShellcode alert:

Mitigation   DynamicShellcode
Policy       HeapHeapHooray
Timestamp    2025-01-22T09:53:42
Name:           Setup/Uninstall
Path:           c:\temp\6Vwq.exe
SHA-256      43cd3f8675e25816619f77b047ea5205b6491137c5b77cce058533a07bdc9f98
SHA-1        d58dade6ea03af145d29d896f56b2063e2b078a4
MD5          b59d7c331e96be96bcfa2633b5f32f2c

The process trace revealed that the malicious killer was executed from the JWrapper-Remote Access component of SimpleHelp:

1  C:\temp\6Vwq.exe [13296]
2  C:\Windows\System32\cmd.exe [16536] *
   cmd.exe /c start c:\temp\6Vwq.exe
3  C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00000000000-complete\bin\Remote Access.exe [7864] *
   "C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00000000000-complete\bin\Remote Access.exe" "-cp" "C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00056451424-complete\customer.jar;C:\ProgramData\JWrapper-Remote Access\JWrapper-Re

The process trace indicates that the initial infection could be related to the zero-day RCE exploits discussed by Horizon3.ai in January 2025.

The SHA256 hash in the DynamicShellcode alert shown above, 43cd3f8675e25816619f77b047ea5205b6491137c5b77cce058533a07bdc9f98, was later found on VT. It is packed with HeartCrypt. The extracted payload has the hash a44aa98dd837010265e4af1782b57989de07949f0c704a6325f75af956cc85de.

We observed the same AV killer again. It specifically targets products from six companies: Eset, Symantec, Sophos, HitManPro, Webroot, and Kaspersky. This was followed by the use of a file previously identified as Medusa ransomware:

2025-01-22 10:04:12    Mal/Medusa-C /Windows/Temp/MilanoSoftware.exe
  "hash": "3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da",

INC

A June 2025 case was of special interest, because the EDR killer was seen using an additional layer of packing. This additional layer looks like an updated version of the packer we described in our Impersonators paper at last year's Virus Bulletin conference. In this case, the threat actor used two different packer-as-a-service offerings for layered protection.

CryptoGuard flagged the ransomware:

Mitigation   CryptoGuard V5
Policy       CryptoGuard
Timestamp    2025-06-04T04:13:52
Ransom note:
README.txt

It was identified as INC ransomware:

Malware name:    Troj/Inc-Gen
Beacon time:    2025-06-04T04:32:33.000Z
Name:     c:\programdata\1.exe
         "sha256" : "e5e418da909f73050b0b38676f93ca8f0551981894e2120fb50e8f03f4e2df4f",

Before that point, we observed execution attempts by the EDR killer:

Mitigation   HoleProcess
Policy       HoleProcessGuard
Timestamp    2025-06-03T21:11:12
Name:           AVG Dump Process 25.5.10141.0
Path:           C:\ProgramData\CSd2.exe
Hash:           ce1ba2a584c7940e499194972e1bd6f829ffbae2ecf2148cdb03ceeca906d151

Here, the killer loads the driver:

"path" : "c:\programdata\noedt.sys",
         "sha256" : "6fc26e8ac9c44a8e461a18b20929f345f8cfc86e9a454eae3509084cf6ece3be",

The file (ce1ba2a584c7940e499194972e1bd6f829ffbae2ecf2148cdb03ceeca906d151) had the payload stored as a resource, with XOR encryption.

The extracted payload was a file with SHA256 value 61557a55ad40b8c40f363c4760033ef3f4178bf92ce0db657003e718dffd25bd that had embedded executables, one of them being 597d4011deb4f08540e10d1419b5cbdfb38506ed53a5c0ccfb12f96c74f4a7a1, which turned out to be a HeartCrypt-packed EDR killer used in earlier INC ransomware incidents.

It loads the driver noedt.sys (SHA256: 6fc26e8ac9c44a8e461a18b20929f345f8cfc86e9a454eae3509084cf6ece3be), which was also seen in an earlier INC incident.

Perhaps the most concerning aspect of this investigation is the evidence suggesting tool sharing and technical knowledge transfer between competing ransomware groups (RansomHub, Qilin, DragonForce, and INC, to name just a few). Even though these groups are rivals and have different business and affiliate models, there appears to be knowledge/tool leakage between them.

To be clear, it is not that a single binary of the EDR killer leaked out and was shared between threat actors. Instead, each attack used a different build of the proprietary tool. In addition, all variants were then packed with the subscription-based HeartCrypt packer-as-a-service. This may therefore be at least somewhat coordinated. It may be that information about the availability and feasibility of using HeartCrypt for this purpose was communicated in channels built for this kind of sharing, though perhaps all these ransomware groups coincidentally chose to buy the exact same off-the-shelf EDR killer.

Information about similar sharing/leakage was recently published by Eset researchers, and our own findings as detailed here support the same conclusion. This suggests that the ransomware ecosystem is more complicated than a set of competing and fighting ransomware groups; one more headache for defenders.

IOCs related to this article are available in our GitHub repository.

 

