In early 2023, a user named “spyboy” promoted a tool for evading endpoint defense on the Windows operating system through the Russian-language forum Ramp. The software, which was demoed in a video titled “Terminator,” can allegedly terminate any endpoint detection and response (EDR) and extended detection and response (XDR) platform.
This sort of technique puts organizations — from small businesses to service providers and enterprises — at constant risk. EDR and XDR solutions play crucial roles in identifying and mitigating threats, but they are now perhaps the cybersecurity tools most frequently circumvented by bad actors, according to Lumu’s 2023 Ransomware Flashcard.
By understanding how ransomware and all-in-one EDR/XDR killers like Terminator operate, organizations can better equip themselves to defend against these insidious threats.
CPL and DLL Side-Loading
Originally created for quick access to tools in the Control Panel on the Microsoft Windows OS, CPL files have become a go-to place for bad actors to hide malware. The dynamic link library (DLL) side-loading technique tricks an application into loading a counterfeit DLL instead of the legitimate one; DLLs normally hold code and data shared by multiple programs.
To carry out a DLL side-loading attack, the attacker gets a Windows application to load a harmful DLL by abusing the DLL search order Windows follows when the application requests a library. By planting a malicious DLL where the application finds it before the legitimate one, the attacker gets their code executed on the target system.
Code Injection
Attackers often use code injection to insert malicious code into a legitimate application or process, which helps it evade detection by EDR or EPP systems. By executing arbitrary code in the address space of another live process, the malicious code can hide under a legitimate process, making it harder for security products to identify.
One popular technique for code injection is process hollowing, where the attacker creates a new process in a suspended state using the CreateProcess() function of the Windows API. The attacker then “hollows out” the new process by removing the memory pages of the legitimate binary from its address space with the ZwUnmapViewOfSection() or NtUnmapViewOfSection() Windows API functions, leaving the new process with an empty address space.
Userland API Hooking
API hooking is a commonly employed technique that monitors process execution and detects alterations. “Hooking” is essentially the act of intercepting API calls between applications. Windows facilitates application hooking by providing developers with tools to intercept events, messages, and API calls, commonly referred to as “hooks.”
Attackers exploit this technique to intercept API calls and manipulate them to serve their objectives. Userland hooking is one such method employed by attackers to intercept function calls made by applications to system libraries or APIs within the user space. By redirecting function calls to their own code, attackers can manipulate an application’s behavior to further their malicious intent.
A recently created polymorphic keylogger called BlackMamba can modify its own code without command and control (C2) infrastructure. Its author’s primary objective was to develop code based on a set of key principles. The first principle was to eliminate any malicious C2 infrastructure and replace it with automation that transmits the collected data to the attacker through a harmless-looking communication channel. The second was to leverage a generative AI tool to produce malware variants by constantly modifying the code, evading the detection algorithms employed by EDRs.
How to Secure Overall Cyber Resilience, Including EDR/XDR
To effectively combat ransomware exploitation of EDR/XDR technologies, organizations must implement robust security measures, including continuous threat intelligence and analysis, defense-in-depth, and incident response planning.
Continuous threat intelligence and analysis. Organizations should configure EDR/XDR solutions to monitor critical endpoints effectively; however, companies should be aware that their attack surface likely includes legacy devices that no EDR agent supports, or simple IoT/OT devices on which an EDR/XDR agent cannot be installed. Using the network as a vantage point to identify threat actors gives companies an additional layer of threat detection alongside EDR/XDR solutions. Network Detection and Response (NDR) or Network Analysis and Visibility (NAV) tools give organizations insight into the malicious traffic flowing through the network rather than just what’s being seen on endpoints.
Organizations should also leverage threat intelligence feeds and perform regular analyses of emerging trends to stay ahead of evolving ransomware threats. This helps in proactively identifying new ransomware variants and tactics, ensuring timely detection and response. Collaborating with industry-specific information-sharing platforms can provide valuable insights into the latest attack techniques and indicators of compromise.
Integrating the latest threat feeds and intelligence with endpoint security will also allow for a more robust EDR/XDR system.
Defense-in-depth. The Terminator tool mentioned above uses a technique called bring your own vulnerable driver (BYOVD) to take advantage of legitimate Zemana anti-malware drivers. The focus has been on detecting when the vulnerable Zemana drivers are being written to disk or loaded by processes. Since Zemana is a legitimate tool, it’s not possible to block the creation or loading of these drivers. BYOVD attacks and the use of vulnerable Zemana anti-malware drivers are not new, so it’s important to regularly analyze emerging threats like these and assess whether your current cybersecurity stack and processes will be up to the task of detecting and blocking the latest threats.
Adopting a defense-in-depth approach with multiple layers of security controls mitigates the impact of any potential breach. This includes deploying network segmentation, firewall rules, intrusion prevention systems, and anti-malware solutions.
Incident response planning. Developing a comprehensive incident response plan specifically tailored for ransomware incidents is essential. This includes predefined steps for isolating infected systems, containing the spread, and restoring critical data from secure backups. Regularly testing the incident response plan through tabletop exercises and simulations ensures preparedness in the face of a ransomware attack.
Secure Cyber Resilience Beyond EDR/XDR
Ransomware operators and bad actors continue to refine their tactics by employing evasion techniques, targeting vulnerabilities, and disabling monitoring capabilities to bypass security technologies with tools like Terminator.
EDR/XDR technologies form one element in a robust, dynamic cybersecurity stack. With continuous threat intelligence, defense in depth, and diligent incident response planning, EDR/XDR tools become more robust in themselves while the entire cybersecurity operation is bolstered. With these precautions in place, endpoint defenses can continue to play a pivotal role in protecting an organization’s systems and data from the devastating effects of malicious attacks.