Malware & Ransomware | HIGH

Malware - EDR Killers Exploit Vulnerable Drivers via BYOVD


In short, attackers load legitimately signed but vulnerable drivers to switch off security software and then deploy malware.

Quick Summary

A new analysis reveals that 54 EDR killers exploit 34 vulnerable drivers using the BYOVD technique. This poses serious risks for organizations, especially during ransomware attacks. Understanding this threat is crucial for enhancing cybersecurity measures.

What Happened

A new analysis has found that 54 EDR killers rely on a technique known as bring your own vulnerable driver (BYOVD). Between them they abuse 34 signed but vulnerable drivers to disable endpoint security products. EDR killers are commonly used in ransomware attacks, allowing attackers to neutralize security software before deploying their payloads, which is what makes the tactic effective at evading detection during the attack.

According to ESET researcher Jakub Souček, ransomware groups often face challenges in keeping their malware undetected. The EDR killers serve as specialized tools that disable security controls, making it easier for ransomware to operate undetected. This trend highlights the evolving landscape of cyber threats and the need for robust security measures.

Who's Being Targeted

The primary targets of these EDR killers are organizations that rely on endpoint detection and response (EDR) solutions for security. By exploiting vulnerable drivers, attackers can gain elevated privileges and execute their malicious activities without raising alarms. This tactic is particularly dangerous for businesses that may not have layered defenses in place.

The threat actors behind these attacks vary, including closed ransomware groups, cybercriminals modifying existing code, and those marketing EDR killers on underground platforms. This diversity in attackers increases the complexity of the threat landscape, making it critical for organizations to stay vigilant.

Signs of Infection

Organizations should watch for several signs that may indicate an EDR killer is present. These include unusual system behavior, security agents or services stopping unexpectedly, and unauthorized access attempts. A sudden slowdown or instability can also be a sign that an EDR killer is trying to terminate security processes.

To mitigate these risks, organizations must implement proactive monitoring and detection strategies. Keeping an eye on system logs and employing advanced threat detection solutions can help identify potential EDR killer activities before they escalate into full-blown attacks.

How to Protect Yourself

To defend against EDR killers and ransomware attacks, organizations should consider blocking commonly exploited drivers from loading. This proactive measure can stop attackers from gaining the access they need to disable security tools. It is important to recognize, however, that EDR killers operate in the final stages of an attack: if one killer is blocked, the attacker typically falls back to an alternative tool rather than giving up.

A layered defense strategy is essential for organizations. This includes continuous monitoring, flagging suspicious activities, and having a robust incident response plan in place. By being prepared and vigilant, organizations can significantly reduce their risk of falling victim to these sophisticated attacks.

🔒 Pro insight: The reliance on BYOVD tactics highlights the need for organizations to audit driver integrity regularly and implement strict controls on driver installations.
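As an added example (not from the article or ESET's research), the following PowerShell audit checks two of the controls discussed above on a single Windows host: whether Microsoft's vulnerable driver blocklist is enforced, and which kernel-mode drivers were installed recently (System log Event ID 7045), with signer and SHA-256 so the list can be compared against a known-vulnerable-driver list or your own driver allowlist. It assumes an elevated session; the seven-day window is an assumed default.

```powershell
# Added example, not part of the original article: BYOVD exposure audit for one Windows host.
# Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

# 1. Is Microsoft's vulnerable driver blocklist enforced? (Documented registry switch; 1 = on.)
$ciPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$flag = (Get-ItemProperty -Path $ciPath -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($flag -eq 1) {
    Write-Host 'Vulnerable driver blocklist: ENABLED'
} else {
    Write-Warning 'Vulnerable driver blocklist is not enabled (or the key is absent); enforce it via WDAC or Memory Integrity (HVCI).'
}

# 2. Kernel-mode driver services installed in the last $Days days. An EDR killer usually registers
#    its vulnerable driver as a new service right before use, which the Service Control Manager
#    records as System Event ID 7045.
$Days   = 7   # assumed review window
$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the named EventData fields (ServiceName, ImagePath, ServiceType, ...) from the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['ServiceType'] -ne 'kernel mode driver') { continue }

    # Normalise the driver path: strip the \??\ prefix, expand \SystemRoot, resolve relative paths.
    $path = $data['ImagePath'] -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

    # BYOVD drivers carry a valid signature, so signer and hash are what you compare against a
    # known-vulnerable list or your allowlist; a missing file is itself suspicious (deleted after use).
    if (Test-Path -LiteralPath $path) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $signer = $sig.SignerCertificate.Subject
        $status = $sig.Status
    } else {
        $hash = $signer = '(file missing)'; $status = 'n/a'
    }
    [pscustomobject]@{
        Installed = $e.TimeCreated
        Service   = $data['ServiceName']
        Path      = $path
        Signer    = $signer
        SigStatus = $status
        SHA256    = $hash
    }
}
```

Pipe the output to `Export-Csv` to keep a baseline per host; a driver that appears in the 7045 list but not in the baseline is the one to investigate first.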

Original article from The Hacker News
