TA Phone Home: EDR Evasion Testing Reveals Extortion Actor’s Toolkit
====================================================================

By: [Navin Thomas](https://unit42.paloaltonetworks.com/author/navin-thomas/), [Renzon Cruz](https://unit42.paloaltonetworks.com/author/renzon-cruz/), [Cuong Dinh](https://unit42.paloaltonetworks.com/author/cuong-dinh/)

Published: November 1, 2024

Categories: [Malware](https://unit42.paloaltonetworks.com/category/malware/), [Threat Research](https://unit42.paloaltonetworks.com/category/threat-research/)

Tags: [BYOVD](https://unit42.paloaltonetworks.com/tag/byovd/), [Cobalt Strike](https://unit42.paloaltonetworks.com/tag/cobalt-strike/), [Conti ransomware](https://unit42.paloaltonetworks.com/tag/conti-ransomware/), [Data exfiltration](https://unit42.paloaltonetworks.com/tag/data-exfiltration/), [Extortion](https://unit42.paloaltonetworks.com/tag/extortion/), [Mimikatz](https://unit42.paloaltonetworks.com/tag/mimikatz/), [Security feature bypass](https://unit42.paloaltonetworks.com/tag/security-feature-bypass/)

Executive Summary
-----------------

This article reviews an incident where a threat actor unsuccessfully tried to bypass Cortex XDR. Digging further into the incident instead gave us insight into the threat actor’s operations.

In a recent investigation involving an extortion attempt, we discovered that a threat actor had purchased access to the client network via Atera RMM from an initial access broker. The threat actor used rogue systems to install the Cortex XDR agent onto a virtual system in order to test a new antivirus/endpoint detection and response (AV/EDR) bypass tool leveraging the [bring your own vulnerable driver (BYOVD) technique](https://blogs.vmware.com/security/2023/04/bring-your-own-backdoor-how-vulnerable-drivers-let-hackers-in.html).

Connectivity between this virtual system and the client’s network inadvertently gave Unit 42 investigators a certain level of access to the rogue systems. This provided visibility into various tools and files held by the threat actor.
While the threat actor intended to find a way to bypass Cortex, in actuality this activity helped Unit 42 protect other organizations by providing unique visibility into the threat actor’s tooling, targeting and persona.

In this report, we provide an overview of the attack that occurred, details about the AV/EDR bypass tool, and its sale on cybercrime forums. Most importantly, we offer a walkthrough of how Unit 42 researchers managed to unmask one of the threat actors involved, with a look at the discoveries that led to the identification of the threat actor.

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

* [Cortex XDR](https://docs-cortex.paloaltonetworks.com/p/XDR) and [XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam)
* [Advanced WildFire](https://docs.paloaltonetworks.com/advanced-wildfire)
* [Advanced URL Filtering](https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-basics/how-url-filtering-works) and [Advanced DNS Security](https://docs.paloaltonetworks.com/dns-security/administration/about-dns-security)

If you think you might have been compromised or have an urgent matter, contact the [Unit 42 Incident Response team](https://start.paloaltonetworks.com/contact-unit42.html).

**Related Unit 42 Topics:** [**Extortion**](https://unit42.paloaltonetworks.com/tag/extortion/), [**Data Exfiltration**](https://unit42.paloaltonetworks.com/tag/data-exfiltration)

Overview
--------

Unit 42 was called to assist with an extortion incident. During the investigation, we encountered two endpoints involved in the attack that were unknown to the client environment. These endpoints had older versions of the Cortex XDR agent installed as a means to test an AV/EDR bypass tool.
Unbeknownst to the threat actor, we were able to access these rogue endpoints. We also discovered a series of toolkits and other files belonging to the threat actor on the system, including the bypass tool. We successfully traced and identified posts related to the sale of this specific tool on cybercrime forums such as XSS and Exploit.

Using files obtained from the rogue endpoints and subsequent investigation, we discovered the true identity of one of the threat actors involved in the incident. We also found additional information about the individual’s personal and professional background.

Figure 1 presents a high-level chain of events in the attack investigated by Unit 42.

![Flowchart titled ‘High Level Chain of Events’ depicting various cybersecurity threats and responses. Includes icons and text describing initial access via Atera, external threats from actors, rogue machines connected to a network, lateral movement within a network, and internal discovery along with credential access and defense evasion. The last step is exfiltration. Each step is interconnected with arrows showing the flow of events.](https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/word-image-353688-137213-1.png)

Figure 1. High-level chain of events for this attack.

AV/EDR Bypass Tool
------------------

The particular tool, named disabler.exe, appears to use the publicly available source code from [EDRSandBlast](https://github.com/wavestone-cdt/EDRSandblast) with small modifications and the removal of the CLI features. This is evidenced by the similarities between the EDRSandBlast source code files shown in Figure 2 and the strings referenced in the binary shown in Figure 3. We have noted some of the similarities in red in both figures.

The tool’s primary function is to target and remove EDR hooks in user-mode libraries and kernel-mode callbacks.
It includes a companion file, wnbios.sys or WN_64.sys, which is a vulnerable driver that the tool attempts to load in order to obtain the kernel access it needs.

![Screenshot of a GitHub page displaying multiple code snippets in a red, green, and white color scheme, with annotations and arrows highlighting specific lines. The code relates to utility functions, offsite extractions, and service operations.](https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/word-image-357864-137213-2.png)

Figure 2. Snippet of some of the strings printed by EDRSandBlast.

![Screenshot of a computer screen displaying a list of function names and their corresponding addresses in a programming environment. There are arrows and text annotations in red pointing to specific lines in the code.](https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/TA-phone-home-Fig-3-539×440.jpg)

Figure 3. The same strings seen in the disabler.exe static library.

Based on certain files and folders in one of the rogue endpoints, we searched cybercrime forums such as XSS and Exploit to identify the likely seller of this bypass tool.

### Identifying the Seller of the Bypass Tool

The rogue system had a hostname of DESKTOP-J8AOTJS and contained several directories with interesting names under the file path Z:\freelance. This led us to the hypothesis that these were the names or monikers of various other affiliates, as shown in Figure 4.

![A spreadsheet displaying a list of usernames. The format includes a column for folder names shown in a grid layout.](https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/TAPhone_Fig4-200×700.png)

Figure 4. List of folders in Z:\freelance on the rogue system.

With that in mind, we searched cybercrime forums for usernames matching any of the directory names under Z:\freelance. While some of them were either too noisy or returned no results at all, the rest did return some interesting hits.
The matching names consistently posted either in the Russian language or on Russian-based cybercrime forums, the most common being XSS and Exploit.

The username that piqued our interest the most was *Marti71*. This username posted in multiple places looking for tools to bypass AV/EDR. Figure 5 shows one such example, with the post translated to English as follows:

> Greetings, everyone!
>
> Does anyone have an out-of-the-box solution to kill antivirus software? I’m ready to purchase several solutions with regular support/subscription.

![Screenshot of an online forum thread titled ‘AV KILLER’ dated December 25, 2024. The thread includes comments from a user named ‘Marti71’ discussing technical topics related to antivirus software. The interface features options for replying and reporting comments. The script used in the posts is Cyrillic.](https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/word-image-373594-137213-5.png)

Figure 5. Marti71 inquiring about antivirus killing software.

The final post on this thread was from a user account named *KernelMode*, suggesting an AV/EDR bypass tool.

![Image displaying two user comments from a forum. The first comment is by a user named HostBurn with a profile icon of a woman, commenting in Russian, dated January 25, 2024. The second comment is by KernelMode, also dated January 25, 2024, featuring a green ‘C++’ profile icon.](https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/word-image-376833-137213-6.png)

Figure 6. User KernelMode suggesting an AV/EDR bypass tool.

Pivoting to the link in *KernelMode*’s post in Figure 6, we found a thread that *KernelMode* initiated to sell subscriptions to an AV/EDR bypass tool, as Figure 7 shows. However, the post contains nothing that would confirm that the person or people behind *KernelMode* are the developers of this bypass tool.

![Screenshot of an online forum post by KernelMode dated January 16, 2024. The post is in Cyrillic script and has been translated into English.](https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/word-image-379983-137213-7.png)

Figure 7. KernelMode posting about the sale of an AV/EDR bypass tool.

*Marti71* also posted on this thread, as shown in Figure 8, which seems to indicate a positive experience with the tool.

![Screenshot of online forum post by Marti71 in Cyrillic dated April 24, 2024.](https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/word-image-383667-137213-8.png)
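The BYOVD behaviour described in the AV/EDR Bypass Tool section above (disabler.exe loading a vulnerable companion driver, wnbios.sys or WN_64.sys) leaves a trace in driver-load telemetry. The following is an added example and not Unit 42’s code: it assesses Sysmon Event ID 6 (DriverLoad) records, using Sysmon’s real field names, and flags the driver names from the article, loads from outside the standard driver directories, and unsigned drivers. The KNOWN_BAD_SHA256 set is a placeholder to be populated from a vetted vulnerable-driver catalogue, and the sample events are constructed.

```python
import ntpath
import re

# Vulnerable companion driver names reported in the article. An attacker can
# rename a driver, so this check is only useful alongside the hash check.
KNOWN_BAD_NAMES = {"wnbios.sys", "wn_64.sys"}
# PLACEHOLDER: populate from a vetted vulnerable-driver catalogue (lowercase SHA256).
KNOWN_BAD_SHA256 = set()
# Directories where legitimately installed drivers normally reside.
TRUSTED_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

def sha256_of(hashes_field):
    """Sysmon's Hashes field reads 'SHA256=...,MD5=...'; extract SHA256 (lowercase)."""
    match = re.search(r"SHA256=([0-9A-Fa-f]{64})", hashes_field or "")
    return match.group(1).lower() if match else None

def assess_driver_load(event):
    """Return the reasons a Sysmon Event ID 6 record looks like BYOVD (empty if none)."""
    path = (event.get("ImageLoaded") or "").lower()
    name = ntpath.basename(path)
    reasons = []
    if name in KNOWN_BAD_NAMES:
        reasons.append(f"known vulnerable driver name: {name}")
    if sha256_of(event.get("Hashes")) in KNOWN_BAD_SHA256:
        reasons.append("hash matches vulnerable-driver catalogue")
    if path and not path.startswith(TRUSTED_DIRS):
        reasons.append(f"loaded from non-standard directory: {ntpath.dirname(path)}")
    if str(event.get("Signed", "true")).lower() != "true":
        reasons.append("driver is unsigned")
    return reasons

def hunt(events):
    """Map each flagged ImageLoaded path to its list of reasons."""
    findings = {}
    for event in events:
        reasons = assess_driver_load(event)
        if reasons:
            findings[event["ImageLoaded"]] = reasons
    return findings

# Constructed sample records mimicking Sysmon Event ID 6 fields (not from the incident).
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Hashes": "SHA256=" + "0" * 64, "Signed": "true"},
    {"ImageLoaded": r"C:\Users\Public\WN_64.sys", "Hashes": "SHA256=" + "1" * 64, "Signed": "true"},
    {"ImageLoaded": r"C:\Windows\Temp\wnbios.sys", "Hashes": "SHA256=" + "2" * 64, "Signed": "false"},
]
```

Running hunt(SAMPLE_EVENTS) flags the two constructed loads from user-writable and temp directories and leaves the legitimate tcpip.sys load unflagged.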