HeartCrypt-Packed ‘AVKiller’ Tool Actively Deployed in Ransomware Attacks to Disable EDR

Threat actors are placing a higher priority on neutralizing endpoint detection and response (EDR) systems so that their multi-stage attacks can proceed without being seen.

Since 2022, malware sophistication has surged, with tools specifically engineered to disable EDR on compromised endpoints.

These utilities, often developed by ransomware affiliates or sourced from underground markets, leverage packer-as-a-service solutions like HeartCrypt for obfuscation.

A notable example is the AVKiller tool, embedded within HeartCrypt-packed samples, which has been observed in active ransomware campaigns.

This payload, detected amid thousands of similar artifacts, exhibits heavy protection layers, targets a variable list of security vendors, and relies on malicious drivers signed with compromised certificates.

Rising Sophistication in EDR Evasion Tactics

For instance, one variant, uA8s.exe (SHA-1: 2bc75023f6a4c50b21eb54d1394a7b8417608728), injects malicious code into legitimate utilities like Beyond Compare’s Clipboard Compare, decoding itself upon execution to reveal an executable that scans for randomly named drivers, such as mraml.sys (SHA-1: 21a9ca6028992828c9c360d752cb033603a2fd93).

According to a Sophos report, these drivers, often masquerading as legitimate components (e.g., mimicking CrowdStrike Falcon Sensor), are signed by abused entities like Changsha Hengxiang Information Technology Co., Ltd., with certificates revoked since 2016.

The certificate is revoked and has not been valid since 2016

Newer iterations employ signatures from Fuzhou Dingxin Trade Co., Ltd., invalid since 2012, highlighting the exploitation of expired or compromised signing infrastructure to bypass kernel-level protections.

The AVKiller’s functionality is multifaceted: it terminates processes and services from vendors including Bitdefender, Cylance, F-Secure, Fortinet, HitmanPro, Kaspersky, McAfee, Microsoft, SentinelOne, Sophos, Symantec, Trend Micro, and Webroot.

The target list varies across samples, sometimes focusing on one or two vendors, other times encompassing a broader array, demonstrating adaptability to specific environments.

If the required driver is absent, the tool halts with a “Failed to get device” error but creates a service tied to the driver’s name, ensuring persistence.

Memory dumps confirm its intent, revealing strings targeting processes like MsMpEng.exe, SophosHealth.exe, SAVService.exe, and sophosui.exe.

Detection often occurs via static rules like Mal/HCrypt- or Troj/HCrypt-, or dynamic mitigations such as SysCall, DynamicShellcode, or HollowProcess, underscoring the tool’s reliance on evasion through heavy obfuscation and code injection.
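As an added defender-side illustration (not code from the Sophos report or from this article), the Python below triages driver-load records for the signals described above: a signature that is no longer valid, a signer the report names as abused, and, as a corroborating hint only, the random five-letter driver names seen in these samples. The log records, the normalised SignatureStatus values, and the naming heuristic are constructed assumptions; the field names follow Sysmon's DriverLoad event.

```python
import re

# Constructed Sysmon-style DriverLoad (Event ID 6) records, not real telemetry. Signer names
# are the ones the article reports as abused; the five-letter driver names mimic those it
# describes (mraml.sys, zsogd.sys, noedt.sys); SignatureStatus values are assumed/normalised.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\mraml.sys", "Signed": "true",
     "Signature": "Changsha Hengxiang Information Technology Co., Ltd.", "SignatureStatus": "Revoked"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\zsogd.sys", "Signed": "true",
     "Signature": "Fuzhou Dingxin Trade Co., Ltd.", "SignatureStatus": "Expired"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\noedt.sys", "Signed": "true",
     "Signature": "Example Vendor Ltd.", "SignatureStatus": "Valid"},
]

# Signers the article names as abused for AVKiller's drivers (matched case-insensitively).
ABUSED_SIGNERS = {
    "changsha hengxiang information technology co., ltd.",
    "fuzhou dingxin trade co., ltd.",
}

# Hypothetical weak heuristic: a bare five-letter lowercase driver name. Legitimate drivers
# match it too (tcpip.sys, vmbus.sys), so it only corroborates and never alerts on its own.
RANDOM_NAME = re.compile(r"\\[a-z]{5}\.sys$")


def assess_driver_load(event):
    """Return (severity, reasons): "high" if the signature is not valid or the signer is
    known-abused, "low" if only the naming heuristic fired, "none" otherwise."""
    reasons, strong = [], False
    status = event.get("SignatureStatus", "").lower()
    if event.get("Signed", "false").lower() != "true" or status != "valid":
        reasons.append(f"signature status: {status or 'unsigned'}")
        strong = True
    if event.get("Signature", "").lower() in ABUSED_SIGNERS:
        reasons.append(f"known-abused signer: {event['Signature']}")
        strong = True
    if RANDOM_NAME.search(event.get("ImageLoaded", "")):
        reasons.append("five-letter random-looking driver name")
    severity = "high" if strong else ("low" if reasons else "none")
    return severity, reasons


def triage(events):
    """Map driver path -> reasons for every record rated high severity."""
    return {e["ImageLoaded"]: r for e in events
            for s, r in [assess_driver_load(e)] if s == "high"}
```

In a real pipeline the signature status should come from a fresh chain and revocation check rather than from the log field alone, since the certificates involved here were revoked years before the drivers were loaded.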

Real-World Deployments

AVKiller’s deployment is tightly coupled with ransomware operations, appearing in attacks by families including Blacksuit, RansomHub, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC, suggesting potential tool-sharing among groups.

Figure: Ransomware attacks. Cylerian notes activity attributable to the tool in question.

In a typical RansomHub incident, a HeartCrypt-packed dropper (e.g., vp4n.exe, SHA256: c793304fabb09bb631610f17097b2420ee0209bab87bb2e6811d24b252a1b05d) deploys the killer, which loads a driver like zsogd.sys.

This is followed by ransomware execution (e.g., FoPefI.exe, SHA256: e1ed281c521ad72484c7e5e74e50572b48ea945543c6bcbd480f698c2812cdfe), which appends extensions like .0416f0 and drops notes such as README_0416f0.txt.

A MedusaLocker case highlighted initial access via a zero-day remote code execution in SimpleHelp, triggering DynamicShellcode alerts on 6Vwq.exe (SHA256: 43cd3f8675e25816619f77b047ea5205b6491137c5b77cce058533a07bdc9f98), which unpacked to a payload (SHA256: a44aa98dd837010265e4af1782b57989de07949f0c704a6325f75af956cc85de) targeting six vendors and was followed by Medusa ransomware (SHA256: 3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da).

An INC ransomware attack in June 2025 showcased layered packing, combining an updated Impersonators-style packer with HeartCrypt on CSd2.exe (SHA256: ce1ba2a584c7940e499194972e1bd6f829ffbae2ecf2148cdb03ceeca906d151), extracting payloads (e.g., SHA256: 61557a55ad40b8c40f363c4760033ef3f4178bf92ce0db657003e718dffd25bd), and embedding the killer (SHA256: 597d4011deb4f08540e10d1419b5cbdfb38506ed53a5c0ccfb12f96c74f4a7a1), which loads noedt.sys (SHA256: 6fc26e8ac9c44a8e461a18b20929f345f8cfc86e9a454eae3509084cf6ece3be).

CryptoGuard mitigations flagged the ensuing encryption, with ransom notes like README.txt. This cross-family usage indicates knowledge transfer among ransomware actors, amplifying the threat of EDR evasion tools in coordinated attacks.

Indicators of Compromise (IOCs)

File Name             Hash Type   Hash Value
uA8s.exe              SHA-1       2bc75023f6a4c50b21eb54d1394a7b8417608728
mraml.sys             SHA-1       21a9ca6028992828c9c360d752cb033603a2fd93
vp4n.exe              SHA256      c793304fabb09bb631610f17097b2420ee0209bab87bb2e6811d24b252a1b05d
FoPefI.exe            SHA256      e1ed281c521ad72484c7e5e74e50572b48ea945543c6bcbd480f698c2812cdfe
6Vwq.exe              SHA256      43cd3f8675e25816619f77b047ea5205b6491137c5b77cce058533a07bdc9f98
MilanoSoftware.exe    SHA256      3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da
CSd2.exe              SHA256      ce1ba2a584c7940e499194972e1bd6f829ffbae2ecf2148cdb03ceeca906d151
noedt.sys             SHA256      6fc26e8ac9c44a8e461a18b20929f345f8cfc86e9a454eae3509084cf6ece3be
