EDR Evasion Attempt Reveals Tools and Methods of an Extortion Actor

In a recent case investigated by Palo Alto Networks’ Unit 42 team, a group of cybercriminals unsuccessfully attempted to evade the Cortex XDR endpoint detection and response system. Although the attack failed, the incident provided an unexpected opportunity to examine the tools and tactics employed by the actor, thereby improving the defensive capabilities of other organizations.

Attack Details

The incident began when the Unit 42 team was called in to investigate an extortion attempt. The investigation revealed that the threat actor gained initial access through Atera RMM, a remote management tool obtained via an access broker. From there, the attackers installed Cortex XDR agents on unauthorized systems in a virtual environment so they could test AV/EDR evasion tools that rely on a technique known as Bring Your Own Vulnerable Driver (BYOVD).

This access also allowed Unit 42 investigators to examine the compromised systems, where they discovered several malicious tools and files, including an executable named disabler.exe, designed to remove user-mode library hooks and kernel-mode callbacks. This visibility enabled the team to study the actors’ methods and eventually identify some of the individuals involved.

Tools and Techniques Used

The main objective of the cybercriminals was to test an EDR evasion tool being sold on cybercrime forums such as XSS and Exploit. The disabler.exe file employed a series of advanced methods, such as leveraging a vulnerable driver (wnbios.sys) to gain kernel access and disable security functions. Through this investigation, Unit 42 identified one of the most active users on these forums as Marti71, an alias who posted in Russian, seeking solutions to bypass security systems and commenting on posts by another user called KernelMode, who was reportedly selling EDR evasion tools.
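As an added example (not code from the Unit 42 report), the following triage script runs over constructed Sysmon-style DriverLoad records and flags the driver-load patterns that BYOVD depends on: a known-abused driver name such as wnbios.sys, a driver loaded from outside the system driver directory, or a missing signature. The flattened event format, the vendor names and the file paths are assumptions made for the example.

```python
import re

# Sysmon Event ID 6 (DriverLoad) fields, flattened to one line per event.
# These records are constructed for this example; they are not from the report.
SAMPLE_EVENTS = [
    r"EventID=6 ImageLoaded=C:\Windows\System32\drivers\disk.sys Signed=true Signature=Microsoft Windows",
    r"EventID=6 ImageLoaded=C:\Users\admin\AppData\Local\Temp\wnbios.sys Signed=true Signature=Example Vendor",
    r"EventID=6 ImageLoaded=C:\ProgramData\tools\helper.sys Signed=false Signature=",
    r"EventID=6 ImageLoaded=C:\Windows\System32\drivers\cortex.sys Signed=true Signature=Example Vendor",
]

# Driver file names known to be abused for BYOVD; wnbios.sys is the one named in the report.
# A real deployment would use the full Microsoft vulnerable driver blocklist or a hash list.
KNOWN_VULNERABLE_DRIVERS = {"wnbios.sys"}

# Canonical driver directory; a load from anywhere else deserves a look.
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Paths in the constructed records contain no spaces, so \S+ is sufficient here.
EVENT_RE = re.compile(r"ImageLoaded=(?P<path>\S+)\s+Signed=(?P<signed>\w+)\s+Signature=(?P<sig>.*)$")


def check_driver_load(event: str):
    """Return (path, [reasons]) for a suspicious DriverLoad event, or None if it looks benign."""
    m = EVENT_RE.search(event)
    if not m:
        return None
    path = m.group("path")
    lower = path.lower()
    name = lower.rsplit("\\", 1)[-1]
    reasons = []
    # A valid signature is not a clean bill of health: BYOVD abuses drivers that are
    # legitimately signed, so the name check runs regardless of the Signed field.
    if name in KNOWN_VULNERABLE_DRIVERS:
        reasons.append("known vulnerable driver name")
    if not lower.startswith(SYSTEM_DRIVER_DIR):
        reasons.append("loaded from outside the system driver directory")
    if m.group("signed").lower() != "true":
        reasons.append("unsigned driver")
    return (path, reasons) if reasons else None


def triage(events):
    """Filter a list of DriverLoad records down to the ones worth an analyst's attention."""
    return [r for r in (check_driver_load(e) for e in events) if r]


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS):
        print(f"{path}: {'; '.join(reasons)}")
```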

Implications for Enterprise Security

EDR evasion methods and the use of vulnerable drivers pose significant risks to organizations. These actors infiltrate corporate networks and gain access to sensitive data by exploiting remote access tools and custom malware. To prevent such attacks, companies are advised to strengthen endpoint security with advanced solutions like Cortex XDR and conduct regular reviews of access permissions and unusual activity within their networks.

Protection with Palo Alto Networks Products

With products such as Cortex XDR, XSIAM, Advanced WildFire, and Advanced URL Filtering, Palo Alto Networks customers are better prepared to detect and prevent these types of attacks. In case of suspected malicious activity or compromise, it is recommended to contact Unit 42’s incident response team.

Conclusion

This incident demonstrates that EDR evasion attempts not only pose risks but also offer opportunities to strengthen security. By thoroughly analyzing the compromised systems and tools used, Unit 42 has enhanced the understanding of threat actor methods, benefiting the entire security community.
