Hackers Exploit New AV/EDR Bypass Tool to Breach Endpoints

The disabler.exe tool, derived from the EDRSandBlast source code, removes EDR hooks from user-mode libraries and kernel-mode callbacks. To reach the kernel it loads a vulnerable signed driver, wnbios.sys or WN_64.sys, a bring-your-own-vulnerable-driver (BYOVD) technique that gives the tool kernel-level read/write access.
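The user-mode half of what the paragraph describes is easy to see at the byte level. The following is an added example (not code from the article, from Unit 42, or from EDRSandBlast): it shows what an unhooked x64 ntdll syscall stub looks like, how a hook replaces its first bytes with a trampoline, and the kind of in-memory-versus-on-disk comparison that unhooking tools and detection engineers both rely on. The byte samples and the function name are constructed for illustration; the Windows-only block at the end reads a real export when compiled on Windows.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not part of the original article or of EDRSandBlast.
 *
 * An unhooked Nt* export in 64-bit ntdll.dll starts with:
 *   4C 8B D1           mov r10, rcx
 *   B8 nn nn 00 00     mov eax, <system service number (SSN)>
 *   ...                (optionally a test/jnz on the WOW64 flag)
 *   0F 05              syscall
 *   C3                 ret
 * A user-mode EDR hook overwrites the first bytes with a jump into the
 * EDR's DLL, so the original prologue survives only in the on-disk copy.
 */

#define STUB_MIN_LEN 8

/* True when the prologue matches the canonical x64 syscall stub. */
bool is_clean_syscall_stub(const uint8_t *p, size_t len)
{
    if (len < STUB_MIN_LEN) return false;
    return p[0] == 0x4C && p[1] == 0x8B && p[2] == 0xD1 && /* mov r10, rcx */
           p[3] == 0xB8 &&                                  /* mov eax, imm32 */
           p[6] == 0x00 && p[7] == 0x00;                    /* SSNs are < 0x10000 */
}

/* SSN encoded in a clean stub, or -1 if the stub is not clean. */
int syscall_number(const uint8_t *p, size_t len)
{
    if (!is_clean_syscall_stub(p, len)) return -1;
    return (int)(p[4] | (p[5] << 8));
}

/* True when the prologue has been replaced by a common hook trampoline. */
bool looks_hooked(const uint8_t *p, size_t len)
{
    if (len < 2) return false;
    if (p[0] == 0xE9) return true;                     /* jmp rel32 */
    if (p[0] == 0xFF && p[1] == 0x25) return true;     /* jmp [rip+disp32] */
    if (len >= 12 && p[0] == 0x48 && p[1] == 0xB8 &&   /* mov rax, imm64 */
        p[10] == 0xFF && p[11] == 0xE0) return true;   /* jmp rax */
    if (p[0] == 0xCC) return true;                     /* int3 guard page hook */
    return false;
}

/* Byte-for-byte comparison of the in-memory prologue with the on-disk copy:
 * the check unhooking tools make before writing the clean bytes back, and
 * the check an integrity monitor makes to notice that someone did. */
bool prologue_matches_disk(const uint8_t *mem, const uint8_t *disk, size_t n)
{
    return memcmp(mem, disk, n) == 0;
}

/* Constructed samples (not captured from any real host). */
const uint8_t CLEAN_NT_STUB[] = {
    0x4C, 0x8B, 0xD1, 0xB8, 0x55, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3
};
const uint8_t HOOKED_NT_STUB[] = {
    0xE9, 0x10, 0x20, 0x30, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3
};

int main(void)
{
    printf("clean sample: clean=%d hooked=%d ssn=%d\n",
           is_clean_syscall_stub(CLEAN_NT_STUB, sizeof CLEAN_NT_STUB),
           looks_hooked(CLEAN_NT_STUB, sizeof CLEAN_NT_STUB),
           syscall_number(CLEAN_NT_STUB, sizeof CLEAN_NT_STUB));
    printf("hooked sample: clean=%d hooked=%d matches_disk=%d\n",
           is_clean_syscall_stub(HOOKED_NT_STUB, sizeof HOOKED_NT_STUB),
           looks_hooked(HOOKED_NT_STUB, sizeof HOOKED_NT_STUB),
           prologue_matches_disk(HOOKED_NT_STUB, CLEAN_NT_STUB, STUB_MIN_LEN));

#ifdef _WIN32
    /* On Windows, inspect a live export; NtCreateFile is an assumed target. */
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    const uint8_t *fn = (const uint8_t *)GetProcAddress(ntdll, "NtCreateFile");
    if (fn)
        printf("ntdll!NtCreateFile: clean=%d hooked=%d ssn=%d\n",
               is_clean_syscall_stub(fn, 16), looks_hooked(fn, 16),
               syscall_number(fn, 16));
#endif
    return 0;
}
```

Compile with `cc -Wall hook_check.c` on any platform; on Windows add `#include <windows.h>` above the `#ifdef _WIN32` block to exercise the live check. A stub that is neither clean nor a recognised trampoline deserves a look too: some EDRs hook a few bytes in, or patch the `syscall` instruction itself, so the disk comparison is the more reliable signal than pattern matching alone.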

By analyzing the tool's code and the files and folders it was found alongside on compromised endpoints, researchers traced its origin to cybercrime forums such as XSS and Exploit, pointing to a likely seller in the underground market.

Forum post in which user KernelMode advertises an AV/EDR bypass tool.

The investigation revealed that the rogue system, DESKTOP-J8AOTJS, was likely used by an affiliate named Marti71 to obtain and test an AV/EDR bypass tool. The tool was offered for sale by a user named KernelMode on a Russian-language cybercrime forum, where it was claimed to be effective against multiple security products.

The evidence, including forum posts, tool demonstrations, and file comparisons, strongly suggests a connection between Marti71, KernelMode, and the malicious tool.

Analysis of files retrieved from the compromised system DESKTOP-J8AOTJS revealed further evidence of attacker activity. An encrypted archive, "ContiTraining.rar", contained a torrent file for the publicly leaked Conti ransomware playbook.

Text file with payment information.

Downloaded files included penetration-testing tools, offensive tooling such as Cobalt Strike and Mimikatz, and AV/EDR bypass utilities accompanied by video demonstrations.

One folder held stolen personal data and a text file with what appear to be escrow payment details. Another text file listed the IP addresses and credentials of compromised hosts, and a financial spreadsheet suggests the attacker may be based in Kazakhstan.

The threat actor used a virtual machine (DESKTOP-J8AOTJS) to test AV/EDR bypass tools, likely sourced from cybercrime forums, against a real security agent. The agent was installed through an unconventional route, including the use of a fake Telegram token.

The actor's browser history showed searches on Yandex and SourceForge for tools such as Process Hacker and Double Commander. The actor also used WinBox to remotely manage a MikroTik router.

Snippet of Windows taskbar from one of the demonstration videos.

The attackers used the Atera remote-management agent for initial access, Cobalt Strike for persistence and lateral movement, and PsExec for further lateral movement. Data exfiltration was carried out with the Rclone utility.

The Cobalt Strike watermark ID 1357776117 has previously been linked to several threat actors, including Conti and Dark Scorpius. No ransomware deployment was observed in this intrusion, most likely because the attacker lost network access before reaching that stage.

The threat actor, likely a developer at a Kazakh company, was identified through OpSec failures, including exposed personal information and screen recordings. Those artifacts tie the individual to the development and demonstration of AV/EDR bypass tools and, potentially, to the KernelMode moniker.

High-level chain of events for this attack.

While this individual is a confirmed user of the rogue virtual machine, further investigation is needed to determine whether they were the sole actor behind the attack.

Threat actors monetize bypass tools of this kind through subscription-based models on underground forums and update them regularly to keep pace with vendor defenses. This incident exposed one such rogue system together with the threat actor's toolkit.

Unit 42 identified the threat actor and their probable role in the activity. Organizations should block the published indicators of compromise and enable agent tamper protection on their AV/EDR products, so that a tool of this kind cannot unhook or unload the agent without triggering an alert.

Kaaviya, Security Editor, Cyber Press (https://cyberpress.org/)