Qilin Ransomware Uses Malicious DLLs to Disable EDR Systems, Evades Detection with Advanced Tactics

Qilin Ransomware’s Advanced Tactics: Disabling EDR Systems with Malicious DLLs

The Qilin ransomware group, also tracked as Agenda, Gold Feather, and Water Galura, has added a multi-stage infection chain to its operations. The chain starts from a malicious `msimg32.dll` that a legitimate application sideloads, and ends with an EDR killer that targets more than 300 driver names belonging to endpoint detection and response (EDR) and other security products from nearly every major vendor, giving the group far more room to operate without being seen.

The Evolution of EDR Evasion Techniques

As organizations increasingly depend on EDR solutions for enhanced behavioral visibility beyond traditional antivirus programs, cybercriminals have adapted by integrating EDR-disabling mechanisms into their attack chains. By neutralizing telemetry collection related to process creation, memory activity, and network behavior, attackers can stealthily deploy ransomware payloads without triggering alerts.

DLL Sideloading: The Initial Breach

Cisco Talos researchers found that the chain starts when a legitimate, signed application such as FoxitPDFReader.exe loads a malicious `msimg32.dll` placed in its own directory. Because the application directory is searched before `System32`, the rogue DLL is loaded in place of the genuine Windows library. It forwards every export the application expects to the real `C:\Windows\System32\msimg32.dll`, so the program keeps working normally, while its own code runs from `DllMain` at load time.
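The search-order hijack described above leaves a simple trace in image-load telemetry: a well-known system DLL name loaded from a directory that is not a Windows system directory, typically the same directory as the loading executable. The following detector is an added example (not code from Talos or from the Qilin chain). Its records are constructed in the shape of Sysmon Event ID 7 (ImageLoaded) fields; the paths, the `Signed` values and the extra DLL names besides `msimg32.dll` are assumptions made for illustration.

```python
"""Sideloading detector for image-load telemetry.

Added example, not code from Talos or from the Qilin chain. The records below
are constructed in the shape of Sysmon Event ID 7 (ImageLoaded) fields; the
paths and the Signed values are made up for illustration."""

# DLL names that legitimate software resolves from the Windows system
# directories. msimg32.dll is the one named in the article; the other entries
# are assumptions added as further common sideloading targets.
KNOWN_SYSTEM_DLLS = {"msimg32.dll", "version.dll", "dwmapi.dll", "wtsapi32.dll"}

# Directories from which a system DLL is expected to load (lower-case, with a
# trailing backslash so that the prefix check cannot match "system32x").
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


def _dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0] + "\\"


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def classify_image_load(event: dict):
    """Return None for an ordinary load, otherwise a string listing why this
    load looks like DLL search-order hijacking."""
    loaded = event["ImageLoaded"]
    if _basename(loaded) not in KNOWN_SYSTEM_DLLS:
        return None
    dll_dir = _dirname(loaded)
    if dll_dir.startswith(SYSTEM_DIRS):  # str.startswith accepts a tuple
        return None
    reasons = ["system DLL name loaded from a non-system directory"]
    # The hijack the article describes: the rogue DLL sits next to the EXE, so
    # the application directory wins the search before System32 is consulted.
    if dll_dir == _dirname(event["Image"]):
        reasons.append("DLL resides in the loading executable's own directory")
    # Microsoft's copy of msimg32.dll is signed; a proxy DLL normally is not.
    if str(event.get("Signed", "")).lower() == "false":
        reasons.append("DLL is unsigned")
    return "; ".join(reasons)


def find_sideloads(events):
    """Return (event, reason) pairs for every suspicious load in `events`."""
    findings = []
    for event in events:
        reason = classify_image_load(event)
        if reason:
            findings.append((event, reason))
    return findings


# Constructed sample telemetry (not real events from the Qilin intrusion).
SAMPLE_EVENTS = [
    {   # Foxit loading the genuine msimg32.dll from System32: benign
        "Image": r"C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe",
        "ImageLoaded": r"C:\Windows\System32\msimg32.dll",
        "Signed": "true",
    },
    {   # A copy of the same signed EXE in a user-writable folder loading an
        # unsigned msimg32.dll from that folder: the sideload
        "Image": r"C:\Users\Public\FoxitPDFReader.exe",
        "ImageLoaded": r"C:\Users\Public\msimg32.dll",
        "Signed": "false",
    },
    {   # An application-private DLL (made-up name) from the same folder:
        # not a system DLL name, so not flagged
        "Image": r"C:\Users\Public\FoxitPDFReader.exe",
        "ImageLoaded": r"C:\Users\Public\fpdfsdk.dll",
        "Signed": "true",
    },
]

if __name__ == "__main__":
    for event, reason in find_sideloads(SAMPLE_EVENTS):
        print(f"{event['Image']} -> {event['ImageLoaded']}: {reason}")
```

The rule deliberately keys on the DLL's name and location rather than on a hash, because a proxy DLL is trivially recompiled; the signed executable next to it is the stable part of the technique.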

Multi-Stage Loader and Anti-Detection Mechanisms

The malicious DLL embeds an encrypted EDR killer payload that passes through three loader stages; the final component is decrypted and executed entirely in memory, so the decrypted code never touches disk where file-based scanning could catch it. The loader combines several anti-detection techniques:

– Control Flow Obfuscation: Structured Exception Handling (SEH) and Vectored Exception Handling (VEH) are used to hide API invocation patterns and to hand execution between stages through exception handlers rather than ordinary calls.

– ETW Suppression: Event Tracing for Windows is disabled at runtime, depriving defenders of telemetry that behavioral detections rely on.

– Syscall Bypass: The loader scans `ntdll.dll` for syscall stubs that the EDR has not hooked and uses them to issue the system calls it needs, so the hooked prologues are never executed and nothing hooked has to be patched. Only user-mode hooks are defeated here; kernel-side visibility is dealt with separately by the EDR killer described below.

– Exception Dispatch Tampering: The `.mrdata` section of `ntdll.dll`, a user-mode data section (not a kernel object) that is normally made read-only after loader initialization, is overwritten to redirect exception handling to the loader's own routines.

– Anti-Debugging: The loader checks for breakpoints on `KiUserExceptionDispatcher`, the user-mode entry point for exception dispatch, and deliberately crashes the process if one is found.

Additionally, the loader implements geo-fencing, terminating execution if the system locale matches a post-Soviet country, a pattern observed in other Russian-affiliated ransomware operations.

The EDR Killer Component

Once the loader has finished, the EDR killer payload installs and loads two kernel-mode helper drivers, a bring-your-own-vulnerable-driver (BYOVD) pattern:

– rwdrv.sys: A renamed copy of `ThrottleStop.sys`, legitimately signed by TechPowerUp LLC and used in tools like GPU-Z. Although the driver itself is benign, it exposes IOCTLs for physical memory read/write, MSR access, and PCI configuration space. The killer abuses the physical-memory primitives to modify kernel structures directly, sidestepping virtual-memory page protections and every API an EDR could hook.

– hlpdrv.sys: Used only to terminate protected EDR processes through IOCTL code `0x2222008`. Killing from kernel mode bypasses the Protected Process Light (PPL) protection that normally stops user-mode code, even running as an administrator, from terminating anti-malware services.

The EDR killer then walks a hardcoded list of more than 300 security driver names and, through physical memory writes issued via `rwdrv.sys`, unregisters the kernel notification callbacks those drivers registered for process creation, thread creation, and image loading (the callback arrays populated by `PsSetCreateProcessNotifyRoutine`, `PsSetCreateThreadNotifyRoutine`, and `PsSetLoadImageNotifyRoutine`). With those callbacks removed, the EDR's kernel component receives no events, so it can neither see nor block the ransomware that follows.
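The driver stage leaves two observable traces before the callbacks disappear: a driver loaded from an unusual path whose file name does not match the original name in its signed version resource (`rwdrv.sys` is still `ThrottleStop.sys` inside), followed shortly by terminations of security-product processes. The correlation below is an added example, not code from Talos or from the Qilin EDR killer. Its events are constructed in the shape an EDR or Sysmon might emit (`DriverLoad` resembles Sysmon Event ID 6, `ProcessTerminate` resembles Event ID 5); the `OriginalFileName` field is assumed to have been read from the driver's PE version resource, and the paths, timestamps and the list of security process names are all assumptions made for illustration.

```python
"""Correlate suspicious driver loads with terminations of security processes.

Added example, not code from Talos or the Qilin EDR killer. Events are
constructed in the shape an EDR or Sysmon might emit (DriverLoad ~ Sysmon
Event ID 6, ProcessTerminate ~ Event ID 5). OriginalFileName is assumed to
come from the driver's PE version resource; every path, name and timestamp
below is made up."""
from datetime import datetime, timedelta

DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Illustrative security-product process names (assumption; the article gives
# no process list, only that more than 300 driver names are targeted).
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0] + "\\"


def driver_load_findings(event: dict) -> list:
    """Reasons a DriverLoad looks like a brought-along (BYOVD) driver, or []."""
    path = event["ImageLoaded"]
    reasons = []
    if not _dirname(path).startswith(DRIVER_DIR):
        reasons.append("driver loaded from outside System32\\drivers")
    # A renamed driver keeps its original name in the version resource, so the
    # on-disk name and OriginalFileName disagree (rwdrv.sys vs ThrottleStop.sys).
    original = event.get("OriginalFileName")
    if original and original.lower() != _basename(path):
        reasons.append(f"file name {_basename(path)} differs from "
                       f"OriginalFileName {original.lower()}")
    return reasons


def correlate_edr_kill(events, window=timedelta(minutes=5), min_kills=2):
    """One alert per suspicious driver load that is followed, within `window`,
    by at least `min_kills` terminations of security-product processes."""
    loads = [(e, driver_load_findings(e)) for e in events
             if e["EventType"] == "DriverLoad"]
    kills = [e for e in events
             if e["EventType"] == "ProcessTerminate"
             and _basename(e["Image"]) in SECURITY_PROCESSES]
    alerts = []
    for load, reasons in loads:
        if not reasons:
            continue
        t0 = load["UtcTime"]
        killed = sorted(_basename(k["Image"]) for k in kills
                        if t0 <= k["UtcTime"] <= t0 + window)
        if len(killed) >= min_kills:
            alerts.append({"driver": load["ImageLoaded"],
                           "reasons": reasons, "killed": killed})
    return alerts


def _ev(kind, time, **fields):
    return {"EventType": kind, "UtcTime": datetime.fromisoformat(time), **fields}


# Constructed sample timeline (not real telemetry from the Qilin intrusion).
SAMPLE_EVENTS = [
    _ev("DriverLoad", "2025-01-01T10:00:00",
        ImageLoaded=r"C:\Windows\System32\drivers\ndis.sys", OriginalFileName="ndis.sys"),
    _ev("DriverLoad", "2025-01-01T10:01:00",
        ImageLoaded=r"C:\ProgramData\rwdrv.sys", OriginalFileName="ThrottleStop.sys"),
    _ev("DriverLoad", "2025-01-01T10:01:05",
        ImageLoaded=r"C:\ProgramData\hlpdrv.sys"),
    _ev("ProcessTerminate", "2025-01-01T10:01:10",
        Image=r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    _ev("ProcessTerminate", "2025-01-01T10:01:11",
        Image=r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe"),
    _ev("ProcessTerminate", "2025-01-01T11:00:00",
        Image=r"C:\Windows\notepad.exe"),
]

if __name__ == "__main__":
    for alert in correlate_edr_kill(SAMPLE_EVENTS):
        print(alert["driver"], "->", alert["killed"], "|", "; ".join(alert["reasons"]))
```

The name mismatch check is the cheap, high-signal part: a signed driver's version resource is covered by the signature, so an attacker who renames the file cannot also rename what is inside without breaking the signature that made the driver loadable in the first place.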

Implications and Defensive Measures

The Qilin ransomware group’s ability to disable a wide array of EDR solutions underscores the evolving sophistication of cyber threats. Organizations must adopt a multi-layered security approach, including:

– Patching and Application Hardening: Keep applications and security tools current, and restrict write access to application install directories so an attacker cannot drop a rogue DLL beside a trusted executable. Patching alone does not stop sideloading, which abuses the normal DLL search order rather than a software bug.

– Behavioral Analysis and Driver Control: Alert on system DLL names loaded from non-system paths, on drivers loaded from unusual paths or whose file name differs from the signed original name, and on bursts of security-process terminations. Enforce Microsoft's vulnerable driver blocklist, or a WDAC policy of your own, so that known-abused signed drivers cannot load at all.

– Network Segmentation: Limiting the spread of ransomware by segmenting networks and restricting access to critical systems.

– Incident Response Planning: Developing and regularly updating incident response plans to quickly address and mitigate ransomware attacks.

By understanding and anticipating the tactics employed by groups like Qilin, organizations can better fortify their defenses against increasingly sophisticated ransomware threats.