Security Alert
Subject: Detection of New Malware EDRKillShifter
Severity Level: High
Threat Details:
Sophos has recently published a new list of SHA-256 hashes related to the EDR Killer malware family.
This malware, known as EDRKillShifter, is designed to quickly disable security products including antivirus and EDR systems.
Key Capabilities of this Malware:
– Disabling organizational defense tools (AV/EDR) as quickly as possible.
– Making it easier for the attacker to execute secondary payloads.
– Enabling privilege escalation and further exploitation of the victim’s system.
– Facilitating lateral movement within organizational networks.
Initial analysis shows that a significant portion of these hashes has been identified by Cisco Talos, but many are not yet detected on VirusTotal, indicating the novelty and complexity of this threat.
Mitigation Measures:
– Adding IoCs (especially hashes) to the blacklist in the organization’s antivirus or EDR.
– Defining correlation searches in the SIEM (Splunk, ELK, QRadar, etc.) to quickly identify malicious hashes in logs.
– Continuously updating IoCs, since attackers frequently change hashes.
– Using next-generation firewalls (NGFW) and applying strict restrictions on inbound and outbound traffic.
Critical Notes for Blue Team:
– Any observation of the attached IoCs should be considered a critical security incident.
– Logs related to process execution and module loading on Windows systems should be carefully reviewed.
– Incident Response (IR) teams should be prepared to detect the attacker’s lateral movement if this malware is observed.
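As an added example (not part of the advisory or its attachment), a small Python matcher for the SIEM correlation-search and log-review steps above: it parses the IoC TXT layout and checks the SHA256 field of Sysmon-style process-create (1), driver-load (6) and image-load (7) events against it. The log lines are constructed; the two hashes are taken from the advisory's IoC list.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Two rows from the advisory's IoC list; BENIGN is a constructed placeholder digest.
EDRKILL = "f51397bb18e166c933fe090320ec23397fed73b68157ce86406db9f07847d355"
DRV = "3fbe5a1ed857a6736e061a6850706f9e8a7e881f024bff044df1c34795b89bf4"
BENIGN = "0" * 64

# Same "<type> <sha256> <note>" layout as the attached TXT file.
IOC_TXT = f"""Indicator_Type Data Note
sha256 {EDRKILL} EDR killer
sha256 {DRV} kernel driver used in BlackSuit incident
"""

# Constructed Sysmon-style lines; the Hashes field mirrors Sysmon's "MD5=...,SHA256=..." layout.
# Casing is deliberately mixed: Sysmon emits uppercase digests, IoC lists are usually lowercase.
SAMPLE_LOGS = [
    f"EventID=1 Image=C:\\Windows\\System32\\svchost.exe Hashes=SHA256={BENIGN}",
    f"EventID=1 Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe Hashes=MD5={'1' * 32},SHA256={EDRKILL.upper()}",
    f"EventID=6 ImageLoaded=C:\\Windows\\Temp\\drv.sys Hashes=SHA256={DRV}",
    f"EventID=7 ImageLoaded=C:\\Windows\\System32\\ntdll.dll Hashes=SHA256={BENIGN}",
]

SHA256_RE = re.compile(r"SHA256=([0-9a-fA-F]{64})")
EVENT_RE = re.compile(r"EventID=(\d+)")


def load_iocs(text: str) -> Dict[str, str]:
    """Parse the TXT layout into {sha256 (lowercase): note}; header and malformed lines are skipped."""
    iocs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2 or parts[0].lower() != "sha256":
            continue
        iocs[parts[1].lower()] = parts[2] if len(parts) == 3 else ""
    return iocs


def scan(lines: Iterable[str], iocs: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Return (event_id, sha256, note) for every log line whose SHA256 matches an IoC."""
    hits: List[Tuple[int, str, str]] = []
    for line in lines:
        m = SHA256_RE.search(line)
        if not m:
            continue
        digest = m.group(1).lower()  # normalise casing before the lookup
        if digest in iocs:
            ev = EVENT_RE.search(line)
            hits.append((int(ev.group(1)) if ev else 0, digest, iocs[digest]))
    return hits


if __name__ == "__main__":
    for event_id, digest, note in scan(SAMPLE_LOGS, load_iocs(IOC_TXT)):
        print(f"ALERT EventID={event_id} sha256={digest} ({note})")
```

Feed it the full attachment and an export of Sysmon events 1, 6 and 7 to get the same match a SIEM correlation search would produce.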
IoC Attachment:
The published IoCs are attached as a TXT file with the report. The indicators include SHA-256 hashes related to EDRKillShifter and kernel drivers used in campaigns such as Medusalocker, RansomHub, Qilin, and others.
Final Recommendation:
Given the widespread use of this malware in recent attack chains (including Qilin, Lynx, Crytox, and Medusalocker), it is essential for organizational security teams, especially SOC teams, to implement preventive measures as soon as possible.
#vulnerability #threat