Killer Ultra Malware Attacking EDR Tools From Symantec, Microsoft, & SentinelOne
Killer Ultra malware has been found targeting endpoint detection and response (EDR) tools from Symantec, Microsoft, and SentinelOne in ransomware attacks.
Killer Ultra gathers all Windows event logs, clears them entirely, and acquires kernel-level permissions.
ARC Labs has labeled this malware "Killer Ultra." Killer Ultra uses the well-known Zemana driver to kill EDR/AV processes, but researchers have found other features that indicate it may be used for purposes other than weakening defenses.
Vulnerability Exploitation
Killer Ultra bundles a vulnerable version of Zemana AntiLogger and exploits CVE-2024-1853 for arbitrary process termination.
An Arbitrary Process Termination vulnerability, tracked as CVE-2024-1853, was found in Zemana AntiLogger v2.74.204.664.
This vulnerability allows an attacker to terminate processes arbitrarily, including essential security processes such as antivirus or EDR software. It abuses the 0x80002048 IOCTL code of the Zemana AntiLogger driver.
A threat actor going by the alias "SpyBoy" added this vulnerability to a tool called "Terminator," which was marketed as an "EDR killer" tool in May 2023.
Terminator uses the vulnerable Zemana AntiLogger driver to exploit CVE-2024-1853 and disable security solutions on the systems it targets.
On Russian hacker forums, SpyBoy marketed and sold this tool, charging $300 for individual AV bypasses and $3000 for an all-in-one solution.
Technical Capabilities Of Killer Ultra Malware
Killer Ultra operates with a high degree of sophistication, leveraging kernel-level permissions to effectively neutralize EDR tools. The malware's main techniques include:
- Process Termination: Killer Ultra can terminate processes associated with popular security tools, rendering them ineffective.
- Event Log Clearing: By clearing event logs, the malware makes it difficult for security teams to trace its actions.
- Driver Exploitation: The malware exploits vulnerabilities in drivers to gain deeper access to and control over infected systems.
- Persistence Mechanisms: It employs a form of persistence on compromised systems, ensuring it survives reboots and other attempts to remove it.
- Indicator Removal: Killer Ultra is adept at removing indicators of compromise, helping it evade detection by traditional security measures.
- Post-Exploitation Capabilities: The malware potentially includes features for further exploitation after initial compromise, such as data exfiltration or lateral movement within networks.
"Killer Ultra obtains kernel level permissions and targets endpoint security tools: Symantec Antivirus, Microsoft Windows Defender, SentinelOne, and Microsoft Defender for Endpoint," reads Binary Defense's post.
After installing the driver and starting the service, Killer Ultra disables security products on a predefined list. The list of security tools is defined by process names XOR-encoded with the key 3.
When the malware detects a match on a process name, Killer Ultra checks the active processes and ends the matching process with kernel-level permissions.
Additionally, by modifying the permissions of EtwEventWrite within NTDLL, Killer Ultra seeks to further deceive endpoint security tools and may prevent ETW events related to Killer Ultra operations from being written.
Although ARC Labs confirmed the malware's ability to perform these tasks, it is unclear whether this actually works to conceal the malware's actions from endpoint security systems.
To prevent security programs from running again after a system reboot, Killer Ultra creates two scheduled tasks titled "Microsoft Security " and "Microsoft Maintenance" that execute at system startup.
Both tasks are configured to launch Killer Ultra from the following path: C:\ProgramData\Microsoft\SystemMaintainence\Maintainence.exe.
Killer Ultra has a subroutine called StartAddress that is specified in the main function. Its purpose is to remove indicators of compromise by using the "wevtutil.exe" utility to delete the Windows Event Logs.
Killer Ultra invokes "wevtutil.exe" via "cmd.exe" to iterate through and delete all of the Windows Event Logs.
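The two behaviours just described (event-log clearing through cmd.exe and wevtutil.exe, and startup persistence through the two named scheduled tasks and the ProgramData drop path) are both visible in process-creation telemetry. The following is an added detection example, not code from the article, ARC Labs or Binary Defense; it assumes Sysmon-style field names (Image, ParentImage, CommandLine, RecordId) and runs over constructed sample records.

```python
import re
from typing import Dict, Iterable, List

# Task names and drop path reported in the article; the first task name is reported
# with a trailing space, so names are compared stripped and lowercased.
KU_TASK_NAMES = {"microsoft security", "microsoft maintenance"}
KU_DROP_PATH = r"c:\programdata\microsoft\systemmaintainence\maintainence.exe"
WEVTUTIL_CLEAR = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s+.*?/create", re.IGNORECASE)
TASK_NAME = re.compile(r'/tn\s+"?([^"/]+?)"?(?=\s+/|\s*$)', re.IGNORECASE)

def classify(ev: Dict[str, str]) -> List[str]:
    """Return finding labels for one process-creation record (empty list if clean)."""
    findings: List[str] = []
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    # 1. Event-log wiping: wevtutil clearing a log; note when cmd.exe is the parent.
    if image.endswith("wevtutil.exe") and WEVTUTIL_CLEAR.search(cmd):
        findings.append("eventlog_clear" + (":from_cmd" if parent.endswith("cmd.exe") else ""))
    # 2. Persistence: a task created with the reported names or pointing at the drop path.
    if image.endswith("schtasks.exe") and SCHTASKS_CREATE.search(cmd):
        m = TASK_NAME.search(cmd)
        name = m.group(1).strip().lower() if m else ""
        if name in KU_TASK_NAMES or KU_DROP_PATH in cmd.lower():
            findings.append("killer_ultra_persistence")
    # 3. Anything running from, or spawned by, the reported drop path.
    if image == KU_DROP_PATH or parent == KU_DROP_PATH:
        findings.append("killer_ultra_drop_path_exec")
    return findings

def scan(events: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map RecordId -> findings for every record that produced at least one finding."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        found = classify(ev)
        if found:
            hits[ev["RecordId"]] = found
    return hits

# Constructed sample records (not real telemetry) so the script runs offline.
SAMPLE_EVENTS = [
    {"RecordId": "1", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil.exe cl Security"},
    {"RecordId": "2", "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Microsoft Maintenance" /sc onstart /tr C:\ProgramData\Microsoft\SystemMaintainence\Maintainence.exe'},
    {"RecordId": "3", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil.exe qe System /c:5"},
]
```

Record 3 is a benign wevtutil query and produces no finding, which is the point of matching on the clear verb rather than on the binary name alone.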
"Dormant functions within the code could enable Killer Ultra to function as a post-exploitation tool. While these capabilities are not currently active, these code sections could be activated in future versions of the malware," researchers warn.
This analysis of Killer Ultra will help organizations understand all of its features and offer tactical threat intelligence to guide their detection and response plans.
Source credit: cybersecuritynews.com