In recent months, cybersecurity professionals have encountered a formidable threat in the form of EDR killer tools, notably the ‘AVKiller’ payload. This malicious software is engineered to disable endpoint detection and response (EDR) systems, thereby facilitating the deployment of ransomware.
Emergence and Evolution of AVKiller
First identified in mid-2024, AVKiller employs the HeartCrypt packer-as-a-service to obfuscate its true nature, effectively evading traditional static signature-based detection methods. Attackers commonly deliver AVKiller through droppers that masquerade as legitimate utilities, often by injecting malicious code into signed executables such as Beyond Compare.
Upon execution, AVKiller decrypts its heavily protected payload in memory, searches for specific security drivers, and terminates associated processes. This action clears the path for subsequent ransomware encryption activities.
Targeting a Broad Spectrum of Security Solutions
Initially, AVKiller samples were observed targeting Sophos products. However, subsequent variants have expanded their focus to include a wide range of security vendors, such as Bitdefender, Kaspersky, SentinelOne, and Microsoft Defender. The tool searches for a randomly named driver file (e.g., mraml.sys), loads it if present, and then terminates running processes or services associated with known antivirus and EDR solutions.
If the driver is absent, AVKiller creates a service with the same name and then aborts with the error message "Failed to get device". Both the service creation and the error string are observable artifacts that defenders can look for.
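The driver lookup described above (a five-letter random service name, a kernel-mode driver loaded from wherever the dropper put it) is a hunting opportunity. The following is an added example, not code from the page or from the AVKiller sample: it scores constructed records shaped like Windows System log Event ID 7045 (service installed) and flags installs that match the pattern. The sample records, the trusted-directory list and the weights are assumptions for the example and should be tuned per estate.

```python
import re

# Constructed sample records shaped like Windows System log Event ID 7045
# ("A service was installed in the system"). Values are made up for this
# example; none come from a real incident.
SAMPLE_7045 = [
    {"ServiceName": "mraml", "ImagePath": r"C:\Users\Public\mraml.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    {"ServiceName": "tcpip", "ImagePath": r"\SystemRoot\System32\drivers\tcpip.sys",
     "ServiceType": "kernel mode driver", "StartType": "boot start"},
    {"ServiceName": "SysmonDrv", "ImagePath": r"C:\Windows\SysmonDrv.sys",
     "ServiceType": "kernel mode driver", "StartType": "auto start"},
    {"ServiceName": "gupdate", "ImagePath": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc",
     "ServiceType": "user mode service", "StartType": "auto start"},
    {"ServiceName": "xqzvp", "ImagePath": r"C:\ProgramData\xqzvp.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
]

FIVE_LOWER = re.compile(r"^[a-z]{5}$")
# Directories where legitimately installed kernel drivers normally live.
# Assumption for the example: only the default Windows location is trusted.
TRUSTED_DRIVER_DIRS = (r"\systemroot\system32\drivers", r"c:\windows\system32\drivers")
FILE_NAME = re.compile(r'([^\\/"]+?)\.(sys|exe)\b', re.IGNORECASE)


def image_stem(image_path: str) -> str:
    """File name without extension from an ImagePath that may carry arguments."""
    m = FILE_NAME.search(image_path)
    return m.group(1).lower() if m else ""


def in_trusted_driver_dir(image_path: str) -> bool:
    p = image_path.strip('"').lower().replace("/", "\\")
    return p.startswith(TRUSTED_DRIVER_DIRS)


def score_7045(event: dict) -> tuple[int, list[str]]:
    """Score one service-install event; higher means more AVKiller-like."""
    if "kernel mode driver" not in event.get("ServiceType", "").lower():
        return 0, []  # only kernel drivers are abused this way
    score, reasons = 1, ["kernel-mode driver install"]
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    if FIVE_LOWER.match(name):
        score += 2
        reasons.append("five-letter lowercase service name")
    if name.lower() == image_stem(path):
        score += 1
        reasons.append("service name equals driver file stem")
    if not in_trusted_driver_dir(path):
        score += 2
        reasons.append(f"driver outside trusted driver directory: {path}")
    return score, reasons


def hunt_7045(events: list[dict], threshold: int = 5) -> list[dict]:
    """Return flagged events, highest score first (input order on ties)."""
    hits = []
    for ev in events:
        score, reasons = score_7045(ev)
        if score >= threshold:
            hits.append({"service": ev["ServiceName"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in hunt_7045(SAMPLE_7045):
        print(hit["service"], hit["score"], "; ".join(hit["reasons"]))
```

Against the sample records this flags mraml and xqzvp and leaves tcpip and SysmonDrv below the threshold. The five-letter name alone is a weak signal (tcpip is five letters); the driver type and the load path carry most of the weight, and the "Failed to get device" string is console output that never reaches the event log, so it is not a hunting artifact.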
Significant Impact on Enterprise Networks
The deployment of AVKiller has had profound consequences. In a notable incident, the RansomHub group utilized the payload against a large enterprise network, successfully disabling dynamic shellcode detection and device control mechanisms before initiating file encryption. Within minutes, critical servers were compromised, and recovery efforts were hindered by the lack of active EDR protection.
Analysis of telemetry data revealed that AVKiller executed multiple syscall-blocking routines, preventing live-response tools from injecting into protected processes. This level of sophistication highlights a growing trend: adversaries are investing in specialized off-the-shelf tools designed to neutralize security operations.
Infection Mechanism and Evasion Tactics
The infection process begins with a dropper executable packed by HeartCrypt, designed to evade static antivirus signatures. Once in memory, AVKiller employs a custom loader that decrypts the embedded payload using an XOR routine. The loader enumerates loaded drivers and searches for a five-letter randomly generated name, hardcoded within the decoded payload.
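A common triage step against an XOR layer like the one described above is to recover the key from the encrypted blob using a known-plaintext crib, since almost every embedded Windows PE carries the string "This program cannot be run in DOS mode" in its DOS stub. The following is an added example, not code from the page or from the AVKiller sample. It assumes the loader's routine is a plain repeating-key XOR (the page says only "an XOR routine"); the key, the PE-shaped payload and its layout are constructed for the example.

```python
import struct

# Crib: the DOS-stub string present in nearly every Windows PE file.
DOS_STUB_CRIB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (the same routine encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob: bytes, max_key_len: int = 32):
    """Slide the DOS-stub crib over the blob; for each key length derive the key
    bytes the crib implies and reject any offset where they conflict, then confirm
    a surviving candidate by checking the decrypted PE header.
    Returns (key, crib_offset) or None; the shortest consistent key length wins."""
    n = len(DOS_STUB_CRIB)
    for key_len in range(1, max_key_len + 1):
        for off in range(0, len(blob) - n + 1):
            key = [None] * key_len
            consistent = True
            for i, c in enumerate(DOS_STUB_CRIB):
                j = (off + i) % key_len
                k = blob[off + i] ^ c
                if key[j] is None:
                    key[j] = k
                elif key[j] != k:
                    consistent = False
                    break
            if not consistent or any(k is None for k in key):
                continue  # conflicting key bytes, or crib too short to cover the key
            candidate = bytes(key)
            if looks_like_pe(xor_bytes(blob, candidate)):
                return candidate, off
    return None


# --- Constructed test material: a fake PE-shaped payload, not a real binary ---
def build_fake_pe() -> bytes:
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                # e_lfanew -> PE header at 0x80
    hdr[0x4E:0x4E + len(DOS_STUB_CRIB)] = DOS_STUB_CRIB    # usual DOS-stub position
    return bytes(hdr) + b"PE\0\0" + bytes(range(256)) * 2


SAMPLE_KEY = bytes.fromhex("5a1377c02e9108")        # 7-byte key chosen for the example
SAMPLE_PLAIN = build_fake_pe()
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)   # what a loader would carry embedded


def unpack_sample() -> bytes:
    """Recover the key from the encrypted sample and return the decrypted payload."""
    found = recover_xor_key(SAMPLE_BLOB)
    if found is None:
        raise ValueError("no repeating-key XOR layer found")
    key, _ = found
    return xor_bytes(SAMPLE_BLOB, key)


if __name__ == "__main__":
    key, off = recover_xor_key(SAMPLE_BLOB)
    print(f"key={key.hex()} crib at 0x{off:x} pe_ok={looks_like_pe(unpack_sample())}")
```

The search is cheap because a wrong offset or key length usually produces a conflicting key byte within the first few crib characters. It does not handle rolling or position-dependent keys, and it only recovers the XOR layer: the HeartCrypt packing the page describes sits above it.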
When the target driver is loaded, AVKiller opens its device object and issues direct system calls to terminate critical security processes, in outline:
```c
#include <windows.h>
#include <stdio.h>
typedef LONG (NTAPI *NtTerminateProcess_t)(HANDLE, LONG); /* ntdll.dll export, not declared in the public SDK headers */
int main(void) {
    HANDLE hDevice = CreateFileW(L"\\\\.\\mraml", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL); /* open the driver's device */
    if (hDevice == INVALID_HANDLE_VALUE) {
        fprintf(stderr, "Failed to get device\n");
        return 1; /* abort: the driver is not loaded */
    }
    HANDLE hProcess = NULL; /* placeholder: handle to the targeted security process; how it is obtained is not shown */
    NtTerminateProcess_t pNtTerminateProcess = (NtTerminateProcess_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtTerminateProcess");
    return pNtTerminateProcess(hProcess, 0) == 0 ? 0 : 1; /* ExitStatus 0 == STATUS_SUCCESS */
}
```
Invoking the native NtTerminateProcess routine directly, rather than the Win32 TerminateProcess wrapper, avoids hooks placed on the higher-level API. Calling it through the ntdll.dll export, as in the outline above, still passes through the ntdll inline hooks most EDRs install; it is the sample's use of direct system calls (its own syscall stubs rather than the ntdll exports) that sidesteps the common EDR interception points.
The driver itself is digitally signed with compromised certificates issued to Chinese companies (Changsha Hengxiang Information Technology Co., Ltd. and Fuzhou Dingxin Trade Co., Ltd.), both of which expired years ago. Windows' kernel-mode code-signing check does not reject a driver because its certificate has since expired, and it does not perform revocation lookups at driver load time, so the driver loads without tripping kernel integrity checks; the practical control is a block by hash or signer, such as Microsoft's vulnerable driver blocklist or a WDAC policy.
Upon successful termination of security services, the dropper triggers the ransomware payload—often linked to families such as Blacksuit, MedusaLocker, and INC—completing the kill chain. AVKiller’s modular design permits rapid updates to target lists and packing layers, indicating active development and sharing among competing ransomware groups.
Broader Context: The Rise of EDR Killer Tools
The emergence of AVKiller is part of a broader trend where cybercriminals develop and deploy tools specifically designed to disable EDR systems. These EDR killers have become increasingly accessible and are now a staple in the arsenals of various ransomware groups.
For instance, the notorious FIN7 hacking group has been observed selling its custom AvNeutralizer tool, used to evade detection by disabling enterprise endpoint protection software on corporate networks. This tool has been utilized in multiple ransomware incidents to sabotage the target’s protection and deploy ransomware.
Similarly, the Medusa ransomware campaign has been using a malicious driver, dubbed ABYSSWORKER, to disrupt and even delete EDR products on targeted organization networks. This driver imitates a legitimate CrowdStrike Falcon driver and uses digital certificates from other companies to masquerade as a legitimate program.
Implications for Cybersecurity Defenses
The proliferation of EDR killer tools like AVKiller underscores the need for organizations to enhance their cybersecurity defenses. Traditional security measures may not be sufficient to detect and prevent such sophisticated attacks.
Organizations should consider implementing the following measures:
1. Enable Tamper Protection: Ensure that endpoint security products have tamper protection enabled to prevent unauthorized modifications to security settings.
2. Practice Strong Windows Security Hygiene: Enforce strict separation between user and administrator privileges to reduce the likelihood of attackers gaining the necessary permissions to disable EDR systems.
3. Keep Systems Updated: Regularly update systems so they receive security patches and the current Microsoft vulnerable driver blocklist, which is what stops known-abusable signed drivers from loading.
4. Implement Advanced Threat Detection: Monitor for the artifacts these tools leave, such as kernel driver service installations from user-writable paths, unexpected termination of security processes, and a host going silent in the EDR console, and alert on them in real time.
5. Conduct Regular Security Audits: Perform regular security audits to identify and address potential vulnerabilities in the organization’s cybersecurity infrastructure.
By adopting these measures, organizations can strengthen their defenses against the growing threat posed by EDR killer tools like AVKiller and enhance their overall cybersecurity posture.