Another devious antivirus killer tool has been found – so make sure you’re protected
- Crypto24 ransomware group was seen disabling AV protection before deploying the encryptor
- In some cases, it can even uninstall the AV programs
- A layered defense is the best approach to mitigate the threat
Security researchers have found another antivirus-killing tool out there that hackers are using before dropping any additional payloads.
Experts from Trend Micro have uncovered custom variant of the open source tool called RealBlindingEDR.
This tool comes with a hardcoded list of antivirus company names:
Trend Micro
Kaspersky
Sophos
SentinelOne
Malwarebytes
Cynet
McAfee
Bitdefender
Broadcom (Symantec)
Cisco
Fortinet
Acronis
When it is deployed on a device, it looks for these names in driver metadata, and if it finds one, it disables kernel-level hooks/callbacks, essentially blinding detection engines. Trend Micro’s researchers found the hackers are also able to silently uninstall antivirus programs altogether, opening the doors and enabling easy deployment of stage-two malware.
Crypto24
The tool was seen in the wild, used by a hacking collective called Crypto24, a nascent ransomware group first spotted in September 2024.
However, the researchers believe the group consists of former members of other, defunct hacking collectives, since its members are highly skilled and experienced.
When it gains initial access, establishes persistence, and removes antivirus roadblocks, the group usually deploys two pieces of malware – a keylogger, and an encryptor. All of the stolen secrets are exfiltrated into a Google Drive using a custom tool.
The identity, or location, of Crypto24 is currently unknown. However, researchers are saying that in its short lifespan, the group successfully hit a number of large organizations in the United States, Europe, and Asia. Most of their targets are in finance, manufacturing, tech, and entertainment.
There are many ways to protect against attacks looking to disable antivirus protection, including opting for a layered defense strategy.
Companies can use a reputable antivirus with tamper protection, enable real-time protection and firewalls, and use a separate anti-malware tool that can work alongside an AV.
Via BleepingComputer
You might also like
Crypto24 ransomware group was seen disabling AV protection before deploying the encryptor In some cases, it can even uninstall the AV programs A layered defense is the best approach to mitigate the threat Security researchers have found another antivirus-killing tool out there that hackers are using before dropping any additional…
