#edrkillshifter — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #edrkillshifter, aggregated by home.social.
-
Shifting the sands of RansomHub’s EDRKillShifter
#EDRKillShifter #MedusaRansomware #PLAY #BianLian #RansomHub
https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/
-
The two drivers we've seen abused are known in the industry as #BYOVD payloads. One is a file called RentDrv2 (hosted on https://github.com/keowu/BadRentdrv2) and the other is named ThreatFireMonitor (also on GitHub, with a proof of concept at https://github.com/BlackSnufkin/BYOVD/tree/main/TfSysMon-Killer).
No matter which driver gets used, #EDRKillShifter writes them out to the %temp% directory using a random 10-digit filename. 5/
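The post above gives a concrete, host-observable artifact: the loader drops its driver into %temp% under a random 10-digit filename. The following Python is an added detection example written for this page, not code from the post's author or from the ESET/Sophos research it summarises. It runs a simple hunting rule over a constructed list of file-creation events (hypothetical Sysmon-style `Image` / `TargetFilename` fields) and flags writes into a Temp directory whose filename stem is exactly ten digits. The sample paths and event shape are assumptions; the post does not state the dropped file's extension, so the rule deliberately ignores the extension.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of file-creation events in Sysmon-like shape (hypothetical
# data for this example; not telemetry from the post or the research it cites).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\loader.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\4839201746.sys"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\report.docx"},
    {"Image": r"C:\Users\alice\Downloads\loader.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\1029384756"},
    {"Image": r"C:\Program Files\App\app.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\123.tmp"},
    {"Image": r"C:\Users\alice\Downloads\loader.exe",
     "TargetFilename": r"C:\ProgramData\5566778899.bin"},
]

# Filename stem (name without extension) made up of exactly ten decimal digits.
TEN_DIGIT_STEM = re.compile(r"\d{10}")


def is_temp_path(path: str) -> bool:
    """True when any directory component of the path is a Temp/tmp folder.

    This approximates %temp% without relying on the environment of the host
    that produced the event (an assumption made for the example).
    """
    parts = [p.lower() for p in PureWindowsPath(path).parts[:-1]]
    return "temp" in parts or "tmp" in parts


def has_ten_digit_name(path: str) -> bool:
    """True when the file's stem is exactly ten digits, regardless of extension."""
    stem = PureWindowsPath(path).stem
    return TEN_DIGIT_STEM.fullmatch(stem) is not None


def flag_events(events):
    """Return the events that match the drop pattern described in the post,
    annotated with a short reason for the analyst."""
    hits = []
    for ev in events:
        target = ev.get("TargetFilename", "")
        if is_temp_path(target) and has_ten_digit_name(target):
            hits.append({
                "Image": ev.get("Image", ""),
                "TargetFilename": target,
                "reason": "10-digit filename written to a Temp directory",
            })
    return hits


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(f"{hit['Image']} -> {hit['TargetFilename']}: {hit['reason']}")
```

On the constructed sample this flags the two Temp writes with ten-digit names and ignores the ordinary document, the short `.tmp` file and the ten-digit file outside Temp. In practice the hit list is a triage queue rather than a verdict: the next step is to hash the flagged file and compare it against a known-vulnerable-driver list, and to check whether the writing process goes on to create a service for it.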
-
As it executes, #EDRKillShifter loads an embedded, encrypted resource into memory. That code extracts the next layer of tools: the abusable #BYOVD driver and a #Go binary.
It uses a SHA-256 hash of the initial password (used to execute the tool) as a decryption key for these second-layer payloads. 4/
-
The #EDRKillShifter utility is a #malware loader designed to deploy one of several different exploitable, legitimate #BYOVD drivers and abuse them to kill a wide range of endpoint protection. We've observed it used in a few recent incidents, so we wanted to spotlight how it works. 2/