A look under the hood at a tool designed to disable protections
Analysis Summary
# Tool/Technique: AVKiller (Unnamed heavily protected executable)
## Overview
This is an AV/EDR killer tool observed in the initial stages of ransomware attacks, typically delivered through packer-as-a-service offerings such as HeartCrypt. Its sole purpose is to disable endpoint security products so that the operators can work undetected. Evidence of tool sharing and knowledge transfer between ransomware groups suggests it may be a successor to EDRKillShifter, the killer used by the RansomHub group.
## Technical Details
- Type: Malware/Tool (AV Killer Payload)
- Platform: Windows (implied by the targeted process names such as *MsMpEng.exe* and by the use of a kernel driver)
- Capabilities: Terminates the processes of multiple security products. The payload travels inside a trojanized copy of a legitimate application (Beyond Compare's Clipboard Compare utility) and uses a signed kernel driver to carry out the process termination.
- First Seen: Evidence of early versions noted in January 2024; the specific observed build targeted Sophos products.
## MITRE ATT&CK Mapping
The primary focus is disabling defenses; the techniques below follow directly from the behaviour described in this report.
- **TA0005 - Defense Evasion**
  - T1562.001 - Impair Defenses: Disable or Modify Tools (termination of AV/EDR processes such as `MsMpEng.exe`)
  - T1027.002 - Obfuscated Files or Information: Software Packing (payload protected by HeartCrypt)
  - T1553.002 - Subvert Trust Controls: Code Signing (driver signed with a compromised certificate)
- **TA0003 - Persistence**
  - T1554 - Compromise Host Software Binary (loader and payload embedded in a legitimate Beyond Compare utility). Whether the modified binary is used for persistence or only as a one-shot carrier is not described in the source; the mapping reflects the trojanization itself.
- **TA0011 - Command and Control:** not evidenced. The source describes no network communication; the tool's work is local.
*Note: the kernel driver is loaded to terminate security processes; the source does not describe how it is installed, so no service-creation technique is asserted here.*
## Functionality
### Core Capabilities
- **Self-Defense/Obfuscation:** Heavily protected and obfuscated executable, decoded upon execution.
- **Security Product Targeting:** Explicitly targets and attempts to kill processes associated with numerous major security vendors (Bitdefender, ESET, Kaspersky, Microsoft, SentinelOne, Sophos, Trend Micro, etc.).
- **Specific Process Termination:** Attempts to terminate processes such as `MsMpEng.exe`, `SophosHealth.exe`, `SAVService.exe`, and `sophosui.exe`.
### Advanced Features
- **Code Injection via Legitimate Binary:** The malicious code is patched into the legitimate "Clipboard Compare" utility shipped with Beyond Compare. Loader code is placed near the entry point, and the loader and payload components are stored as resources of the modified binary. This is file-level trojanization, not runtime injection into a running process: the modified executable's hash differs from the vendor's release and any original Authenticode signature no longer verifies.
- **Driver Reliance:** Relies on a signed kernel driver to terminate security processes. The observed driver was `mraml.sys`; the driver file carries a random five-letter name. The SHA-1 given in the source, `21a9ca6028992828c9c360d752cb03`, is 30 hexadecimal characters and is therefore truncated (a full SHA-1 is 40), so it should not be used as-is for matching.
- **Compromised Certificates:** The driver is signed with a compromised certificate. Such a signature verifies like any other until the certificate is revoked, so a "valid signature" result is not by itself evidence that a driver is benign.
- **Variable Targeting:** Different samples of the tool target varying lists of security products.
## Indicators of Compromise
- **File Hashes:**
- SHA-1 (uA8s.exe example): `2bc75023f6a4c50b21eb54d1394a7b8417608728`
- SHA-1 (Driver example): `21a9ca6028992828c9c360d752cb03` (as printed in the source; 30 hex characters, so truncated and unusable for exact matching until the full 40-character value is obtained)
- **File Names:**
- `uA8s.exe` (Observed specific instance)
- Driver file name: Five-letter random name (e.g., `mraml.sys` observed)
- **Registry Keys:** None reported in the source.
- **Network Indicators:** None reported in the source; the tool's activity is local disabling of defenses.
- **Behavioral Indicators:**
- A Beyond Compare "Clipboard Compare" executable whose hash does not match the vendor's release, carrying loader code near the entry point and unexpected embedded resources.
- Loading of a kernel driver with a random five-letter file name that is signed with a compromised certificate.
- Attempted termination of known AV/EDR processes.
## Associated Threat Actors
- Ransomware groups (general reference).
- Black Basta group (evidence of purchasing tools from underground marketplaces cited through leaked chat logs).
- RansomHub group (creation of the predecessor, EDRKillShifter).
## Detection Methods
- **Signature-based detection:** Applicable once hashes or static signatures of the protected payloads or the driver are known; since different samples vary, hash matches cover only the samples already seen.
- **Behavioral detection:** Watch for Beyond Compare components executing from unexpected paths or with hashes that do not match the vendor release, for kernel driver loads with random five-letter names, especially from user-writable directories, and for processes requesting terminate access to security-product processes. The last of these is the decisive signal, since terminating those processes is the tool's whole purpose.
- **YARA rules:** Applicable to the obfuscated code patterns and to the resource-embedding technique used in the trojanized binary.
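As an added example that is not part of the original report: a minimal detector, in Python, that applies the behavioural indicators above to constructed Sysmon-style events (Event ID 6 DriverLoad, Event ID 10 ProcessAccess) and validates IoC hashes before they are loaded into a block list. The field names follow Sysmon's schema; the sample events, the file paths in them and the signer string are constructed for the example and are not observed telemetry. The security process list is the one named in this report and should be extended for a real environment.

```python
import re
from typing import Iterable

# Security-product processes this report says the sample tries to kill
# (lowercase; extend for your environment).
SECURITY_PROCESSES = {
    "msmpeng.exe", "sophoshealth.exe", "savservice.exe", "sophosui.exe",
}

# Driver naming pattern reported for the kernel component: five lowercase letters.
RANDOM_DRIVER_NAME = re.compile(r"^[a-z]{5}\.sys$")
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# PROCESS_TERMINATE access right from winnt.h.
PROCESS_TERMINATE = 0x0001

SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


def is_valid_sha1(digest: str) -> bool:
    """True only for a complete 40-hex-character SHA-1; rejects truncated IoCs."""
    return bool(SHA1_HEX.match(digest.strip().lower()))


def driver_alerts(event: dict) -> list[str]:
    """Sysmon Event ID 6 (DriverLoad). Returns the reasons a load is suspicious.

    Five-letter names are common among legitimate drivers (tcpip.sys is one),
    so the name alone never alerts: at least two signals are required.
    """
    path = event["ImageLoaded"]
    name = path.rsplit("\\", 1)[-1].lower()
    signals = []
    if RANDOM_DRIVER_NAME.match(name):
        signals.append(f"five-letter driver name: {name}")
    if not path.lower().startswith(SYSTEM_DRIVER_DIR):
        signals.append(f"loaded from outside the system drivers directory: {path}")
    # A driver signed with a stolen but unrevoked certificate reports
    # SignatureStatus=Valid, so a valid status must not clear the alert.
    if event.get("SignatureStatus") != "Valid":
        signals.append(f"signature status {event.get('SignatureStatus')!r}")
    return signals if len(signals) >= 2 else []


def process_access_alerts(event: dict) -> list[str]:
    """Sysmon Event ID 10 (ProcessAccess): a handle to a security process whose
    granted access mask includes PROCESS_TERMINATE."""
    target = event["TargetImage"].rsplit("\\", 1)[-1].lower()
    granted = int(event["GrantedAccess"], 16)
    if target in SECURITY_PROCESSES and granted & PROCESS_TERMINATE:
        return [f"{event['SourceImage']} obtained PROCESS_TERMINATE on {target} "
                f"(GrantedAccess=0x{granted:x})"]
    return []


def scan(events: Iterable[dict]) -> list[dict]:
    """Apply both rules; one finding per event that triggers."""
    findings = []
    for ev in events:
        if ev["EventID"] == 6:
            reasons = driver_alerts(ev)
        elif ev["EventID"] == 10:
            reasons = process_access_alerts(ev)
        else:
            reasons = []
        if reasons:
            findings.append({"EventID": ev["EventID"], "reasons": reasons})
    return findings


# Constructed sample events using Sysmon field names; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\mraml.sys",
     "Signature": "Example Signer (constructed)", "SignatureStatus": "Valid"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\uA8s.exe",
     "TargetImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "GrantedAccess": "0x1001"},
    {"EventID": 10, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1001"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
    # The driver hash printed in this report is 30 hex characters, so it fails.
    print("driver hash usable:", is_valid_sha1("21a9ca6028992828c9c360d752cb03"))
```

Running the file yields two findings: the five-letter driver loaded from a user-writable directory (which still reports a valid signature, the compromised-certificate caveat in practice) and the handle request carrying PROCESS_TERMINATE against `MsMpEng.exe`. `tcpip.sys` matches the five-letter name pattern but is not flagged because the rule demands a second signal, and the truncated driver hash from this report fails `is_valid_sha1`, which is why hashes should be validated before they enter a block list.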
## Mitigation Strategies
- **Prevention measures:** Application control that allows binaries by publisher signature or hash rather than by file name or path, so that a modified Beyond Compare utility whose hash and signature no longer match the vendor's release is blocked along with unknown utilities. Do not execute unknown utilities.
- **Hardening recommendations:** Enforce driver signature policy and block drivers that are unknown or signed with certificates known to be compromised; monitor every kernel driver load, particularly files with random five-letter names loaded from outside the system drivers directory. Enable the anti-tamper protection the security products themselves offer, and use EDR capabilities (while they are still running) to detect in-memory code injection and termination attempts against security services.
## Related Tools/Techniques
- HeartCrypt (Packer-as-a-service used to obfuscate this tool).
- EDRKillShifter (RansomHub's earlier EDR killer, which this tool appears to succeed).